Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: Re: [SECURITYREASON.COM] PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12

Re: [SECURITYREASON.COM] PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12

From: Paul Laudanski <zx_at_castlecops.com>
Date: Sat, 9 Apr 2005 01:12:12 -0400 (EDT)

A cursory web search revealed...

On 4 Apr 2005, Maksymilian Arciemowicz wrote:

> - --- 1.Description --- PHP-Nuke is a Web Portal System, storytelling
[SNIP]
>
> - --- 2. XSS ---
> 2.0
> http://[HOST]/[DIR]/banners.php?op=EmailStats&name=sex&bid=[XSS]
>
> 2.1
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=TopRated&ratenum=[XSS]&ratetype=num

This has been a bug for over a year now:

http://www.waraxe.us/content-5.html

>
> 2.2
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=%3Ch1%3E50&ratetype=num

This too was pointed out nearly two years ago:

http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/1213.html

>
> 2.3
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkdetails&ttitle=[XSS]
>
> 2.4
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkeditorial&ttitle=[XSS]
>
> 2.5
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkcomments&ttitle=[XSS]
>
> 2.6
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=ratelink&ttitle=[XSS]
>
> 2.7
> http://[HOST]/[DIR]/modules.php?name=Your_Account&op=userinfo&bypass=1&username=[XSS]

In general a multi-layered defense system is a good idea. mod_security is
a great tool for Apache which can be installed to catch certain kinds of
GET injections. Certainly not fool proof as the codebase should filter
inputs.

>
> - --- 3. Path Disclousure ---
>

On the topic of programming it is good practice to validate input,
however, for path disclosure, it is an even better plan to disable
displaying errors on a production website.

> - --- 4. How to fix ---
> Because phpnuke don't have security contact, you can download my patch from securityreason.com
> http://securityreason.com/patch/PhpNuke-7.6-adv.by.cXIb8O3.12-patch.tar.gz
>

Actually I know of a couple sites that work effortlessly to promote
security in php-nuke. These days chatserv works on writing and collecting
patches into a bundle for download:

nukecops.com
nukeresources.com
ravenphpscripts.com

I'd suggest posting your finds as news submissions to these sites, with
always a followup to phpnuke.org's Francisco (AKA nukelite). 

-- 
Sincerely,
Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com
Received on Apr 12 2005
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]