Bugtraq mailing list archives
SERIOUS BUG IN PHPNUKE
From: "MegaHz" <costcon () cytanet com cy>
Date: Fri, 27 Jul 2001 17:41:01 +0300
Yes, phpnuke.org was contacted....

First take a look at: http://phpnuke.org/user.php?op=userinfo&uname=MegaHz

Then, read this.................

PHPnuke Bugs.

After testing just a few scripts on phpnuke I have noticed the following:

Some fields in the registration form allow code and fail to filter out the tags. e.g.

Interests: src=http://www.anything.com/defaced.gif>

Also, when faking a form and posting from a local file (user.php.html) after editing a few fields, like the avatar picture for example, it is possible to escape certain dirs with the ../../../../dir/pic.gif in the options field.

(-- This is a local html file and set to post to user.php on the target server --)
(no this is not a tag :P )
001.gif 002.gif

This tells user.php to save the avatar path as http://www.target.com/../../../dir_on_server/anyfile.ext and loads the file when the user info of the attacker is viewed. As we know webbugs (invisible or visible pics can be used for tracing)

The preview of the Registration Form allows Javascript in the body. (not the user.php) but it does not allow ' or " . BUT you can use / instead of ' so this helps to fill in variables in javascript.

This can damage the site and make it look ugly.

I couldn't be bothered to look at the rest of phpnuke...

Tested on phpnuke v5.0
Firstly discovered by: dinopio

=================================================
Andreas Constantinides (MegaHz)
Owner - Admin of cHp - http://www.cyhackportal.com
megahz () cyhackportal com
ICQ#: 30136845
=================================================
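
The two server-side checks whose absence the post describes, as an added example (not from the original post and not PHP-Nuke's own code): the avatar value is checked against the files the server itself offers instead of trusting the form's option list, and profile fields are HTML-encoded on output rather than filtered for particular characters. The function names, the allowed-file list and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example; function names and sample inputs are assumptions,
// not PHP-Nuke code.

/**
 * Accept an avatar only if it is one of the files the server offers.
 * The option list in the form is not a control: a locally saved copy
 * of the form can post any value to user.php.
 */
function validate_avatar(string $submitted, array $allowedFiles): ?string
{
    // Reject anything that is not a plain file name (no "/", "\" or "..").
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(gif|png|jpe?g)\z/', $submitted)) {
        return null;
    }
    // Exact, strict match against the server-side list.
    return in_array($submitted, $allowedFiles, true) ? $submitted : null;
}

/**
 * Encode a profile field for HTML body or quoted-attribute context.
 * Encoding on output does not depend on guessing which characters
 * (quotes, slashes) an injected script might need.
 */
function render_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data. In a real deployment the allowed list would be
// built from the avatar directory on the server, never from the request.
$allowed = ['001.gif', '002.gif'];
$inputs  = ['001.gif', '../../../../dir/pic.gif', '003.gif'];

foreach ($inputs as $in) {
    $ok = validate_avatar($in, $allowed);
    printf("%-28s => %s\n", $in, $ok ?? 'rejected');
}

// Constructed "Interests" value carrying markup: rendered as text, not as tags.
echo render_field('<b>hiking</b> & "music"'), "\n";
```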