Bugtraq: Re: Bypass XSS filter in PHPNUKE 7.9=>x

Re: Bypass XSS filter in PHPNUKE 7.9=>x

From: Paul Laudanski <zx_at_castlecops.com>
Date: Fri, 16 Dec 2005 20:21:07 -0500 (EST)

On 14 Dec 2005 max_at_jestsuper.pl wrote:

> [Bypass XSS filter in PHPNUKE 7.9=>x cXIb8O3.21]
>
> 2.0 http://[HOST]/[DIR]/modules.php?name=Search
>
> Insert:
>
> <iframe src=http://securityreason.com?phpnuke79 <
>
> And you have XSS.
>
> 2.1 http://[HOST]/[DIR]/modules.php?name=Web_Links
>
> Insert:
>
> <iframe src=http://securityreason.com?phpnuke79 <
>
> foreach ($_POST as $secvalue) {
> if ((eregi("<[^>]*iframe*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*object*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*applet*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*meta*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*form*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*img*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*onmouseover*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]script*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*body*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]style*\"?[^>]*", $secvalue)))
> {
> die ($htmltags);
> }
> }
>
> thx nukefixes.com
>
>
> --- 4. Greets ---
>
> sp3x, nukefixes.com
> Author: Maksymilian Arciemowicz < cXIb8O3 >
> Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com

Thanks for the information but the filtering doesn't make any sense. Any
data that is accepted is to be considered tainted and dealt with
appropriately. This doesn't apply to just Web_Links or Search modules,
but also other modules such as Forums.

If I take your exact example code:

<iframe src=http://securityreason.com?phpnuke79 <

And post it to a forum post in a [CODE][/CODE] block to discuss, I'll be
thrown an exception per your code because it'll be caught by your HTTP
POST filtering.

What you need to do is use htmlentities or htmlspecialchars to sanitize
data before it's displayed to the user. Your "fix" will easily break many
sites that are focused on programming discussions. It's important to know
how to "filter" input properly.

One other problem is you are removing the stock filters from being called
upon if ADMIN_FILE is defined. Problem here is if the admin's account
gets hijacked, there is no code to prevent admin from instantiating a
malformed request or post. XSS, CSRF, you name it...

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
Received on Dec 17 2005
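As an added illustration of the point made in the reply above (this is not code from the advisory, from PHP-Nuke or from nukefixes.com), the following PHP contrasts the quoted request-time blacklist, ported from the removed eregi() to preg_match(), with escaping at output time; the function names and the sample forum post are assumptions of this example.

```php
<?php
// Added example, not part of the original thread. Shows why a request-time
// blacklist rejects legitimate discussion posts while output-time escaping
// neutralises the same text without dropping it.

// A subset of the advisory's patterns, ported from eregi() to preg_match()
// with the case-insensitive flag. Note that in these patterns the trailing
// "*" applies only to the last letter, so "<ifram" also triggers the first one.
const REQUEST_BLACKLIST = [
    '/<[^>]*iframe*"?[^>]*/i',
    '/<[^>]*object*"?[^>]*/i',
    '/<[^>]*img*"?[^>]*/i',
    '/<[^>]script*"?[^>]*/i',
];

// True when the quoted filter would die() on this POST value.
function blacklist_rejects(string $value): bool
{
    foreach (REQUEST_BLACKLIST as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return true;
        }
    }
    return false;
}

// Output-time handling: the stored text is left intact and escaped only at
// the point of rendering, so the browser treats it as text, not markup.
function render_post(string $body): string
{
    return '<div class="post">'
        . htmlspecialchars($body, ENT_QUOTES, 'UTF-8')
        . '</div>';
}

// Constructed inputs: the payload quoted in the advisory, and a legitimate
// forum post that quotes it inside [CODE] tags in order to discuss the bug.
$payload = '<iframe src=http://securityreason.com?phpnuke79 <';
$legit   = "Does this string get past the filter?\n[CODE]" . $payload . "[/CODE]";

// Both the raw payload and the discussion post are rejected by the blacklist,
// which is the false positive described in the reply.
var_dump(blacklist_rejects($payload));
var_dump(blacklist_rejects($legit));

// With escaping on output the post survives and no iframe is created: the
// rendered HTML contains "&lt;iframe" rather than a tag.
echo render_post($legit), "\n";
```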