Bugtraq mailing list archives

Re: Cross-Site Scripting (XSS) in Php-Nuke 7.1.0
From: Anthony Petito <anthonypetito () gmail com>
Date: Wed, 18 Aug 2004 04:36:16 -0700

Uhm.. Why does your proof match almost exactly what was posted back on
10 February?


I mean.. even down to the examples.  Come on!


On 17 Aug 2004 12:28:36 -0000, Abu Lafy <off () hotmail com> wrote:

Affected software description:

Php-Nuke is a popular freeware content management system, written in PHP by Francisco Burzi. This CMS (Content Management System) is used on many thousands of websites, because it's free of charge, easy to install and has a broad set of features.

Homepage: http://phpnuke.org

If we look at Php-Nuke's history, we can find many cases of reported XSS in Php-Nuke. Most of them are fixed by now, when we already have version 7.1.0 available. Despite this I found two new cases of XSS in Php-Nuke 6.x-7.1.0, maybe in older versions too.

Let's look at the code from "/modules/News/friend.php", lines 84-92 (Php-Nuke 7.1.0):

function StorySent($title, $fname) {
    include ("header.php");
    $title = urldecode($title);
    $fname = urldecode($fname);
    // $title and $fname are echoed into the page unescaped after urldecode()
    // (the remainder of this echo line is truncated in the archive)
    echo "<center><font class=\"content\">"._FSTORY." <b>$title</b> "._HASSENT." $fname...";
    include ("footer.php");
}


If we deliver $title or $fname by a GET or POST variable, then we have XSS conditions here. But Php-Nuke will reject GET and POST requests with <script> tags. One way to evade this filter is using <img src=foo onload=[code here]>. There is a better way to exploit the XSS, and it's using a partially or fully urlencoded ("hexed") script for the exploit. And because we have the lines

$title = urldecode($title);
$fname = urldecode($fname);

in the original code, it will be urldecoded and will work for us, but the GET or POST filtering can't recognize the "<script>" pattern.

One more module, "Reviews", has the same problem.

Proof of concept examples:




Abu Lafy

Anthony Petito
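The filter-versus-decode ordering described in the quoted advisory, as an added example that is not PHP-Nuke's own code and not part of either post: a hypothetical naiveRequestFilter() stands in for a request filter that inspects parameters before the application decodes them, storySentVulnerable() mirrors the decode-then-echo pattern of friend.php, and storySentSafe() shows the fix, escaping with htmlspecialchars() after the single urldecode(). All sample inputs are constructed.

```php
<?php
// Added example (not PHP-Nuke code): why a pre-decode request filter misses
// URL-encoded input, and how output escaping after decoding closes the hole.

// Hypothetical stand-in for a perimeter filter that looks for a literal
// "<script>" in the parameters as received. Not PHP-Nuke's real filter.
function naiveRequestFilter(array $params): bool {
    foreach ($params as $value) {
        if (stripos($value, '<script>') !== false) {
            return false; // request rejected
        }
    }
    return true; // request allowed
}

// Vulnerable pattern from friend.php: decode, then echo without escaping.
function storySentVulnerable(string $title, string $fname): string {
    $title = urldecode($title);
    $fname = urldecode($fname);
    return "<b>$title</b> sent to $fname...";
}

// Hardened version: decode exactly once, then HTML-escape before output,
// so whatever the decoded value contains is rendered as text, not markup.
function storySentSafe(string $title, string $fname): string {
    $title = htmlspecialchars(urldecode($title), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $fname = htmlspecialchars(urldecode($fname), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<b>$title</b> sent to $fname...";
}

// Constructed sample inputs: the literal tag and its URL-encoded form.
$plain   = ['title' => '<script>',     'fname' => 'bob'];
$encoded = ['title' => '%3Cscript%3E', 'fname' => 'bob'];

// The filter rejects the literal form but lets the encoded form through,
// because it inspects the value before urldecode() restores the tag.
printf("plain   filtered: %s\n", naiveRequestFilter($plain)   ? 'allowed' : 'rejected');
printf("encoded filtered: %s\n", naiveRequestFilter($encoded) ? 'allowed' : 'rejected');

// Vulnerable output: urldecode() restores the angle brackets and they are
// emitted raw into the page. Hardened output: the brackets are entity-encoded.
echo "vulnerable output: ", storySentVulnerable($encoded['title'], $encoded['fname']), "\n";
echo "hardened output:   ", storySentSafe($encoded['title'], $encoded['fname']), "\n";
```

Run with `php example.php`. A caveat worth keeping in mind: PHP already URL-decodes query and form parameters once when it populates $_GET and $_POST, so the explicit urldecode() in friend.php is a second decode, which is exactly why encoding the input defeats a filter that only examines what the request parser produced. The durable fix is to escape at the point of output, independent of whatever a perimeter filter did or did not see.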
