A cursory web search revealed... On 4 Apr 2005, Maksymilian Arciemowicz wrote: > - --- 1.Description --- PHP-Nuke is a Web Portal System, storytelling [SNIP] > > - --- 2. XSS --- > 2.0 > http://[HOST]/[DIR]/banners.php?op=EmailStats&name=sex&bid=[XSS] > > 2.1 > http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=TopRated&ratenum=[XSS]&ratetype=num This has been a bug for over a year now: http://www.waraxe.us/content-5.html > > 2.2 > http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=%3Ch1%3E50&ratetype=num This too was pointed out nearly two years ago: http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/1213.html > > 2.3 > http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkdetails&ttitle=[XSS] > > 2.4 > http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkeditorial&ttitle=[XSS] > > 2.5 > http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkcomments&ttitle=[XSS] > > 2.6 > http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=ratelink&ttitle=[XSS] > > 2.7 > http://[HOST]/[DIR]/modules.php?name=Your_Account&op=userinfo&bypass=1&username=[XSS] In general a multi-layered defense system is a good idea. mod_security is a great tool for Apache which can be installed to catch certain kinds of GET injections. Certainly not fool proof as the codebase should filter inputs. > > - --- 3. Path Disclousure --- > On the topic of programming it is good practice to validate input, however, for path disclosure, it is an even better plan to disable displaying errors on a production website. > - --- 4. How to fix --- > Because phpnuke don't have security contact, you can download my patch from securityreason.com > http://securityreason.com/patch/PhpNuke-7.6-adv.by.cXIb8O3.12-patch.tar.gz > Actually I know of a couple sites that work effortlessly to promote security in php-nuke. These days chatserv works on writing and collecting patches into a bundle for download: nukecops.com nukeresources.com ravenphpscripts.com I'd suggest posting your finds as news submissions to these sites, with always a followup to phpnuke.org's Francisco (AKA nukelite). -- Sincerely, Paul Laudanski .. Computer Cops, LLC. Microsoft MVP Windows-Security 2005 CastleCops(SM)... http://castlecops.com CC Blog ......... http://blog.castlecops.com Staff Blogs ..... http://busterbunny.castlecops.com Our Vision ...... http://castlecops.com/postt63382.html http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com