ECHU Alert #2: IMG Attack in the news : 6 CMS vulnerables

[das () hush com]

----------------------------------------------
| IMG Attack in the news : 6 CMS vulnerables |
----------------------------------------------


PROGRAM: XOOPS, PHP-NUKE, NPDS, daCode, Drupal, phpWebSite
VULNERABLE VERSIONS: I believe that all versions are vulnerables
IMMUNE VERSIONS: no immune current versions
SEVERITY: high


Tested version
==============
Xoops RC3.0.4, PHP-Nuke 6.0, NPDS 4.8 SuperCache, daCode 1.2.0, Drupal 4.0.0 and phpWebSite 0.8.3


Description
============ 
After having sent ECHU alert on "Xoops RC3 script injection vulnerability" 
(http://www.echu.org/modules/news/article.php?storyid=95), I realize that it's not a XOOPS problem (Kazumi Ono, XOOPS 
Developper, and Jan304, XOOPS Dutch Support, confirmed this) but a html problem that is hard to fix and can be misuse 
in almost every cms.

The problem appears when a user post a news, a vulnerability exists in these CMS that allow a typical IMG attack 
against visitors :

<IMG SRC="javascript:alert('unsecure')"> 

In order to test this vulnerability, you can go on websites that use these CMS, post a news with this code and see the 
result.


The problem
=========== 
A badly disposed member can propose a news containing code (for une news containing code sample of a new vulnerability 
for example) and if webmasters or moderators don't take care, they will approve the news.


Vendors status
==============
XOOPS: It should be fix in futures versions
PHP-NUKE: No emails on the website so we can't contact them
NPDS: They have been contacted by Magistrat (http://www.blocus-zone.com/) and should fix it in futures versions
daCode: No emails on the website so we can't contact them
Drupal: No emails on the website so we can't contact them
phpWebSite: It should be fix in futures versions


Solution
========
There's no secure release of these CMS, so the unique solution is, at this moment, to disable Html, in each news post, 
to avoid the problem. The "removehack" from NPDS doesn't fix the problem even if NPDS team tell it does.


Links
=====
XOOPS: http://www.xoops.org
PHP-NUKE: http://www.php-nuke.org
NPDS: http://www.npds.org
daCode: http://www.dacode.org
Drupal: http://www.drupal.org
phpWebSite: http://phpwebsite.appstate.edu
Blocus Advisory on NPDS: http://www.blocus-zone.com/modules/news/article.php?storyid=132


This vulnerability's orginal paper can be found here: http://www.echu.org/modules/news/article.php?storyid=97


David Suzanne (aka dAs)
das () echu org
http://www.echu.org 


-----------------------------------------------------------------
ECHU.ORG is not responsible for the misuse of the information we 
provide through our security advisories. These advisories are a 
service to the professional security community. In no event shall 
ECHU.ORG be liable for any consequences whatsoever arising out of 
or in connection with the use or spread of this information.
-----------------------------------------------------------------



Get your free encrypted email at https://www.hushmail.com