Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

[VulnDiscuss] Re: [SECURITYREASON.COM] PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12[Scanned]

From: "Paul Laudanski" <zx () castlecops com>
Date: Sat, 9 Apr 2005 08:45:59 -0700
A cursory web search revealed...

On 4 Apr 2005, Maksymilian Arciemowicz wrote:


- --- 1.Description --- PHP-Nuke is a Web Portal System, storytelling

[SNIP]


- --- 2. XSS ---
2.0
http://[HOST]/[DIR]/banners.php?op=EmailStats&name=sex&bid=[XSS]

2.1
http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=TopRated&ratenum=[XSS]&ratetype=num


This has been a bug for over a year now: 

http://www.waraxe.us/content-5.html



2.2
http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=%3Ch1%3E50&ratetype=num


This too was pointed out nearly two years ago:

http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/1213.html



2.3
http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkdetails&ttitle=[XSS]

2.4
http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkeditorial&ttitle=[XSS]

2.5
http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkcomments&ttitle=[XSS]

2.6
http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=ratelink&ttitle=[XSS]

2.7
http://[HOST]/[DIR]/modules.php?name=Your_Account&op=userinfo&bypass=1&username=[XSS]


In general a multi-layered defense system is a good idea.  mod_security is 
a great tool for Apache which can be installed to catch certain kinds of 
GET injections.  Certainly not fool proof as the codebase should filter 
inputs.



- --- 3. Path Disclousure ---



On the topic of programming it is good practice to validate input, 
however, for path disclosure, it is an even better plan to disable 
displaying errors on a production website.  


- --- 4. How to fix ---
Because phpnuke don't have security contact, you can download my patch from securityreason.com
http://securityreason.com/patch/PhpNuke-7.6-adv.by.cXIb8O3.12-patch.tar.gz



Actually I know of a couple sites that work effortlessly to promote 
security in php-nuke.  These days chatserv works on writing and collecting 
patches into a bundle for download:

nukecops.com
nukeresources.com
ravenphpscripts.com

I'd suggest posting your finds as news submissions to these sites, with 
always a followup to phpnuke.org's Francisco (AKA nukelite).


-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: