Bugtraq mailing list archives
PHPNUKE 6 XSS Vulnerabilities
From: Mark Grimes <mark () stateful net>
Date: Tue, 24 Sep 2002 11:37:06 -0700
http://www.phpnuke.org/modules.php?name=Search

Enter: ><script>alert(document.cookie);</script> in form, click Search.

Needless to say these bugs won't go away. The vendor WOULD HAVE been contacted if they just gave an email address without having to subscribe to nukesupport/phpnuke - maybe I don't use it. Likewise the author of PHP-NUKE has a submission form for bug reporting (buried in a FAQ for unsubscribed people -- why do I need to dig for a contact address?), but that also has a XSS vulnerability - *SIGH* Nor HTML nor plain text will do through the submission form without the javascript being executed or stripped. Instead of implying >'s and <'s in an email, I am posting here.

--
Mark Grimes <mark () stateful net>
Stateful Labs
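
The class of bug reported above, shown as an added example that is not part of the original post and is not PHP-Nuke source code: a search page that echoes the submitted term back unencoded, next to the same page with output encoding applied. The function names, the `search.php` action and the two reflection points (the form's `value` attribute and a results heading) are assumptions made for illustration.

```php
<?php
// Added example, not PHP-Nuke code. Assumption: the search term is echoed
// back into the form's value attribute and into a results heading.

// Constructed input: the string given in the report above.
$query = '><script>alert(document.cookie);</script>';

// Unencoded reflection: the term is concatenated into the markup as-is, so
// the leading ">" ends the <input> tag and the rest is parsed as markup.
function render_search_unsafe(string $q): string
{
    return '<form action="search.php" method="get">'
         . '<input type="text" name="query" value="' . $q . '">'
         . '</form>'
         . '<h2>Results for ' . $q . '</h2>';
}

// Encode for HTML text and quoted-attribute contexts. ENT_QUOTES covers both
// quote characters; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
// of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: every reflection of the term passes through h(), and
// the attribute value stays inside double quotes.
function render_search_safe(string $q): string
{
    return '<form action="search.php" method="get">'
         . '<input type="text" name="query" value="' . h($q) . '">'
         . '</form>'
         . '<h2>Results for ' . h($q) . '</h2>';
}

// Regression check: report whether a literal <script tag survives rendering.
$pages = [
    'unsafe' => render_search_unsafe($query),
    'safe'   => render_search_safe($query),
];
foreach ($pages as $label => $html) {
    $live = stripos($html, '<script') !== false;
    printf("%-6s contains live <script tag: %s\n", $label, $live ? 'yes' : 'no');
}
echo $pages['safe'], "\n";
```

This encoding is correct for HTML body text and quoted attributes only; a term reflected into a URL, a script block or an unquoted attribute needs the encoding for that context.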