PHP-Nuke Avatar Code injection vulnerability

["delusion" <delusi0n () bellsouth net>]

-------------------------------------------

Affected Versions:
PHP Nuke versionh 6.0 and below

Unaffected version:
PHP Nuke 6.5

Impact:
-------------------------------------------
Allows any user to inject their own HTML or Java code instead of an avatar
image. This can lead to very annoying forum posts, and the usual XSS tricks.

Summary:
-------------------------------------------
When users sign up, they are asked to select an avatar from a list of
available avatars in the website's /images/forum/avatars folder. When PHP
Nuke inserts the image name of the selected avatar into the database, it
does not perform any tag or code checks. So therefore if a user gets the
site's <form> code and changes the avatar <select> box into a text box, he
can enter HTML or java code which will be entered into the database and
displayed wherever the avatar is shown. This can lead to very annoying forum
posts, and to the theft of users' cookies using XSS.

Exploit:
-------------------------------------------
After you register on the vulnerable PHP Nuke site, login, then on the "Your
Account" page click "Your Info", view source, then search for "uid", you
should find something like this..

<input type="hidden" name="uid" value="2273">

The number you see for value, is your user id. After you got your user id,
Launch this html code.. (make sure u change http://NUKESITE to the url of
the vulnerable site)

<!-- START CODE --!>
<form name="Register"
action="http://NUKEDSITE/modules.php?name=Your_Account"; method="post">

<b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30"
maxlength="30"><br><br>

<b>Username</b><input type="text" name="uname" size="30"
maxlength="255"><br><b>User ID:<input type="text" name="uid"
size="30"><input type="hidden" name="op" value="saveuser"><input
type="submit" value="Save Changes"></form>
<!-- END CODE --!>

When you launch it, type in your code, which must start with `">`. it doesnt
matter how it ends, you can put a '<b ' at the end, so you dont get any
broken code. Type in your username and user ID, then click submit, and u
will be taken to the "Your Account" page on the vulnerable Nuked site. At
this point you should be able to see the result of your code. Now anywhere
that your avatar will be used, it will execute the code. ;)

BTW the code you put in can only be 30 characters long due to the field's
specified length in the database.

heres a sample of what u can enter..

"><h1>TESTING</h1><b

That will cause "TESTING" to appear in big letters wherever your avatar is
used.

There is a space after "<b" so make sure to put that in, or u will get ugly
broken code. ;)

Solution:
-------------------------------------------
None as of yet.. If someone can please post a good solution it would be
appreciated.

-------------------------------------------

Another Vulnerability Brought to you by,
delusion
http://www.digital-delusions.com