Re: More Cross site Scripting in PHPNuke

["chkumite chkumite" <chkumite () hotmail com>]

> Subject: More Cross site Scripting in PHPNuke
> Date: 23 Apr 2002 09:50:48 +0200
>
> Cross site scripting is a serious problem, (even if some people
> doesn't believe it), On this second round i'll show 8 new XSS
> vulnerabilities in PHP Nuke (most of them are also path disclosure
> vulns)

u can do other thing but it isn't exploitable :(
a local hack:

In the search input, you write: "><h1><marquee>Hacked by 
Shaolinn</marquee></h1><"

The php file request the input, and finally write the html page something 
like this:

<input type="text" name="search" value="$search_input_requested">

then when i write ">anyhtmlthing<" i am injecting html.

really this have not any utility :) but, you can learn how injection works.


-- Shaolinn --

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.