Vulnerability Development mailing list archives

SERIOUS BUG IN PHPNUKE


From: "MegaHz" <costcon () cytanet com cy>
Date: Fri, 27 Jul 2001 17:41:01 +0300

Yes, phpnuke.org was contacted....

First take a look at:
http://phpnuke.org/user.php?op=userinfo&uname=MegaHz


Then, read this.................
PHPnuke Bugs.

After testing just a few scripts on phpnuke I have noticed the following:

Some fields in the registration form allow HTML code
and fail to filter out the tags.
e.g. Interests: <img src=http://www.anything.com/defaced.gif>

Also, when faking a form and posting from a local file (user.php.html),
after editing a few fields, like the avatar picture for example,
it is possible to escape certain dirs with ../../../../dir/pic.gif
in the options field.

(-- This is a local HTML file set to post to user.php on the target
server --)
  (no this is not a tag :P )


001.gif
002.gif



This tells user.php to save the avatar path as
http://www.target.com/../../../dir_on_server/anyfile.ext and loads the file
when the user info of the attacker is viewed.

As we know, web bugs (invisible or visible pics) can be used for tracing.

The preview of the Registration Form allows JavaScript in the
body (not user.php), but it does not allow ' or ". BUT you can use /
instead of ',
so this helps to fill in variables in JavaScript.

This can damage the site and make it look ugly.

I couldn't be bothered to look at the rest of phpnuke...


Tested on phpnuke v5.0

First discovered by: dinopio



=================================================
Andreas Constantinides (MegaHz)
Owner - Admin of cHp - http://www.cyhackportal.com
megahz () cyhackportal com
ICQ#: 30136845
=================================================
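The post above reports two distinct problems: free-text profile fields that are echoed back unescaped (so a posted <img> or script tag becomes live markup), and an avatar field that is only constrained by the browser-side form, so a forged local copy of the form can post a ../ path that user.php stores as-is. The following is an added example, not code from PHP-Nuke or from the poster, showing the server-side checks that close both holes. It is written in Python rather than PHP so it can be run stand-alone; the field names (user_avatar, user_interests), the avatar directory and the sample posts are all assumed or constructed for the example.

```python
"""Server-side handling of a profile update: escape free-text fields on
output and validate the avatar name on input (added example, not PHP-Nuke code)."""
import html
import os
import re

AVATAR_DIR = "/var/www/html/images/avatar"   # assumed location of the avatar files
# A bare file name only: letters, digits, '_' and '-', plus an image extension.
AVATAR_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}\.(gif|jpe?g|png)", re.IGNORECASE)


def escape_profile_field(value: str) -> str:
    """Escape a free-text field (interests, location, ...) before it is echoed
    into the profile page, so '<img src=...>' renders as text, not as a tag."""
    return html.escape(value, quote=True)


def validate_avatar(requested: str, avatar_dir: str = AVATAR_DIR):
    """Return the avatar name if it is acceptable, else None.

    The <select> of avatar names in the HTML form is no control at all: a
    forged local copy of the form can post any string, so the posted value
    is checked here regardless of what the form offered."""
    # Rejects '/', '\\', '..', NUL, URLs and anything that is not a plain file name.
    if not AVATAR_NAME.fullmatch(requested):
        return None
    # Belt and braces: the resolved path must still lie inside the avatar directory.
    base = os.path.realpath(avatar_dir)
    candidate = os.path.realpath(os.path.join(avatar_dir, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return requested


def process_profile_update(form: dict) -> dict:
    """Return the values that would be stored/rendered, or {'error': ...}."""
    avatar = validate_avatar(form.get("user_avatar", ""))
    if avatar is None:
        return {"error": "invalid avatar"}
    return {
        "user_avatar": avatar,
        # Escaped form of the field as the profile page would emit it.
        "user_interests": escape_profile_field(form.get("user_interests", "")),
    }


if __name__ == "__main__":
    # Constructed sample posts: one forged, one benign.
    hostile = {
        "user_avatar": "../../../../etc/passwd",
        "user_interests": "<img src=http://www.anything.com/defaced.gif>",
    }
    benign = {"user_avatar": "001.gif", "user_interests": "perl & php"}
    print(process_profile_update(hostile))
    print(process_profile_update(benign))
```

The regex already rejects every traversal form (forward or back slashes, dot segments, absolute URLs), so the realpath/commonpath check is a second, independent line of defence in case the name rule is later loosened; keeping both is cheap and the kind of thing that survives a careless refactor.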

