PHP-Nuke Input Validation Hole in Reviews Module 'id' and 'title' Parameters Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1010420
|
|
SecurityTracker URL: http://securitytracker.com/id?1010420
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Jun 8 2004
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 6.x, 7.2, 7.3
|
Description: Some input validation vulnerabilities were reported in PHP-Nuke in the Reviews module. A remote user can conduct cross-site scripting attacks. A remote user can also determine the installation path.
DarkBicho reported that the Reviews module does not properly validate user-supplied input in the 'id' and 'title' parameters. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHP-Nuke software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://localhost/nuke1/modules.php?name=Reviews&rop=postcomment&id='<h1>DarkBicho</h1&title=a
http://localhost/nuke1/modules.php?name=Reviews&rop=postcomment&id='&title=<h1>DarkBicho</h1>
It is also reported that a remote user can submit the following type of URL to determine the installation path:
http://localhost/nuke1/modules.php?name=Reviews&rop=showcontent&id='DarkBicho
The vendor has reportedly been notified.
The original advisory is available at:
http://bichosoft.webcindario.com/advisory-05.txt
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP-Nuke software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution: No solution was available at the time of this entry. The vendor is reportedly working on a fix.
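Both reported issues come from using the 'id' and 'title' request parameters without validation or output encoding. The PHP sketch below is an added example, not PHP-Nuke code and not the vendor's fix: it accepts only a numeric 'id', HTML-encodes 'title' before output, and keeps PHP warnings (which carry the installation path) out of the response. The function names and the place where 'title' is echoed are assumptions.

```php
<?php
// Added illustration, not PHP-Nuke code; function names are hypothetical.
// Keep warnings (and the filesystem paths they contain) out of HTTP responses.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Accept only a short, positive decimal integer as the review id.
function review_id_or_null($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Encode untrusted text for HTML element content or a quoted attribute value.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the comment-form fragment from the request's query parameters.
function render_comment_fields(array $query): string
{
    $id = review_id_or_null($query['id'] ?? null);
    if ($id === null) {
        // Fail closed with a generic message: no reflected input, no PHP warning.
        return '<p>Invalid review.</p>';
    }
    $title = is_string($query['title'] ?? null) ? $query['title'] : '';
    // Assumed sinks: the title in a heading, the id in a quoted hidden field.
    return sprintf(
        '<h2>%s</h2><input type="hidden" name="id" value="%d">',
        h($title),
        $id
    );
}

// Constructed inputs modelled on the advisory's demonstration URLs.
$samples = [
    ['id' => "'<h1>DarkBicho</h1", 'title' => 'a'],
    ['id' => "'", 'title' => '<h1>DarkBicho</h1>'],
    ['id' => '12', 'title' => '<h1>DarkBicho</h1>'],
];
foreach ($samples as $q) {
    echo render_comment_fields($q), "\n";
}
```

The first two samples are rejected because 'id' is not numeric; the third renders with the markup in 'title' encoded as text rather than interpreted by the browser.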
|
Vendor URL: www.phpnuke.org/
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "Dark Bicho" <k1ll3rb0y@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 07 Jun 2004 16:30:38 -0500
From: "Dark Bicho" <k1ll3rb0y@hotmail.com>
Subject: Multiple vulnerabilities PHP-Nuke
|
original advisory : http://bichosoft.webcindario.com/advisory-05.txt
-------------------------------------------------------------------------------------------------
:.: Multiple vulnerabilities PHP-Nuke :.:
PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: 6.x, 7.2, 7.3
BUG: Multiple vulnerabilities
DATE: 14/05/2004
AUTHOR: DarkBicho
web: http://www.darkbicho.tk
team: Security Wari Projects <www.swp-zone.org>
Email: darkbicho@peru.com
-------------------------------------------------------------------------------------------------
1.- Affected software description:
-----------------------------
PHP-Nuke is a popular content management system, written in PHP by
Francisco Burzi.
2.- Vulnerabilities:
---------------
A. Full path disclosure:
This vulnerability would allow a remote user to determine the full
path to the web root directory and other potentially sensitive
information.
:.: Examples:
http://localhost/nuke1/modules.php?name=Reviews&rop=showcontent&id='DarkBicho
Warning: date(): Windows does not support dates prior to midnight (00:00:00), January 1, 1970 in c:\appserv\www\nuke1\modules\Reviews\index.php on line 527
B. Cross-Site Scripting aka XSS:
:.: id :
* http://localhost/nuke1/modules.php?name=Reviews&rop=postcomment&id='&title=a
<input type=hidden name=id value='>
:.: title :
* http://localhost/nuke1/modules.php?name=Reviews&rop=postcomment&id='&title=a
:.: Examples:
http://localhost/nuke1/modules.php?name=Reviews&rop=postcomment&id='<h1>DarkBicho</h1&title=a
http://localhost/nuke1/modules.php?name=Reviews&rop=postcomment&id='&title=<h1>DarkBicho</h1>
3.- SOLUTION:
--------
Vendors were contacted many weeks ago and plan to release a fixed
version soon.
Check the PHP-NUKE website for updates and official release details.
4.- Greetings:
---------
greetings to my Peruvian group swp and perunderforce :D
"PISCO IS AND WILL BE PERUVIAN"
5.- Contact
-------
WEB: http://www.darkbicho.tk
EMAIL: darkbicho@peru.com
-------------------------------------------------------------------------------------------------
___________ ____________
/ _____/ \ / \______ \
\_____ \\ \/\/ /| ___/
/ \\ / | |
/_______ / \__/\ / |____|
\/ \/
Security Wari Projects
(c) 2002 - 2004
Made in Peru
----------------------------------------[ EOF ]----------------------------------------------