Vulnerability Development mailing list archives
Re: SERIOUS BUG IN PHPNUKE
From: "MegaHz" <costcon () cytanet com cy>
Date: Mon, 30 Jul 2001 21:52:30 +0300
that's easy enough to find out...

----- Original Message -----
From: "Josué ßit øf Løve de Freitas" <bit_0f_l0ve () yahoo com>
To: "MegaHz" <costcon () cytanet com cy>; <VULN-DEV () securityfocus com>; <INCIDENTS () securityfocus com>; <bugtraq () securityfocus com>
Cc: <mc2 () securitywire com>
Sent: Sunday, July 29, 2001 10:09 PM
Subject: Re: SERIOUS BUG IN PHPNUKE

> Hi,
>
> This only happens with images (the <img> tag is used), so other files are protected... the cracker has to know the root site path too.
>
> Regards,
> Josué
>
> --- MegaHz <costcon () cytanet com cy> wrote:
> > Yes, phpnuke.org was contacted....
> > First take a look at: http://phpnuke.org/user.php?op=userinfo&uname=MegaHz
> > Then, read this.................
> >
> > PHPnuke Bugs.
> >
> > After testing just a few scripts on phpnuke I have noticed the following:
> >
> > Some fields in the registration form allow code and fail to filter out the tags.
> > e.g. Interests: <img src=http://www.anything.com/defaced.gif>
> >
> > Also, when faking a form and posting from a local file (user.php.html) after editing a few fields like the avatar picture for example, it is possible to escape certain dirs with ../../../../dir/pic.gif in the options field.
> > (-- This is a local html file and set to post to user.php on the target server --)
> > (no this is not a tag :P ) 001.gif 002.gif
> >
> > This tells user.php to save the avatar path as http://www.target.com/../../../dir_on_server/anyfile.ext and loads the file when the user info of the attacker is viewed. As we know, webbugs (invisible or visible pics) can be used for tracing.
> >
> > The preview of the Registration Form allows Javascript in the body (not the user.php) but it does not allow ' or ". BUT you can use / instead of ', so this helps to fill in variables in javascript. This can damage the site and make it look ugly.
> >
> > I couldn't be bothered to look at the rest of phpnuke...
> >
> > Tested on phpnuke v5.0
> > Firstly discovered by: dinopio
> >
> > =================================================
> > Andreas Constantinides (MegaHz)
> > Owner - Admin of cHp - http://www.cyhackportal.com
> > megahz () cyhackportal com
> > ICQ#: 30136845
> > =================================================
>
> __________________________________________________
> Do You Yahoo!?
> Make international calls for as low as $.04/minute with Yahoo! Messenger
> http://phonecard.yahoo.com/
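The two registration-form problems MegaHz describes above, unfiltered markup in a free-text field and a "../" path in the avatar field, handled server-side, as an added example that is not part of the thread and not PHP-Nuke's own code. It is written in Python rather than PHP so the checks can be run stand-alone; the field names, the avatar directory and the sample submission are assumptions made for illustration.

```python
"""Added example, not PHP-Nuke code: server-side handling of the two
registration-form problems from the thread.

1. A free-text profile field such as "Interests" is HTML-escaped before it
   is echoed on the userinfo page, so an injected <img ...> tag is displayed
   as text instead of fetching an image (a web bug) from a third-party host.
2. The avatar field must be a plain image file name inside the site's
   avatar directory; "../" sequences, absolute paths and URLs are rejected,
   so the stored path cannot point at an arbitrary file on the server.

Field names and AVATAR_DIR are assumptions chosen for illustration.
"""
import html
import posixpath
import re
from typing import Dict, List, Optional, Tuple

# Assumed layout for this example; not PHP-Nuke's real directory.
AVATAR_DIR = "images/forum/avatar"

# One file-name component with an image extension: no "/", no "..", no "http://".
ALLOWED_AVATAR_RE = re.compile(r"^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$", re.IGNORECASE)

# Free-text fields that are echoed back to other users (assumed names).
TEXT_FIELDS = ("uname", "interests", "bio")


def escape_profile_field(value: str) -> str:
    """Neutralise markup so '<img src=...>' is shown as text, not rendered."""
    return html.escape(value, quote=True)


def contains_markup(value: str) -> bool:
    """True if the raw submission looks like it carries an HTML tag.

    Used only to record the attempt; the output is escaped regardless.
    A bare '<' followed by a space (e.g. 'a < b') is not treated as a tag.
    """
    return re.search(r"</?[A-Za-z]", value) is not None


def validate_avatar(filename: str) -> Optional[str]:
    """Return the path under AVATAR_DIR for a safe file name, else None."""
    if not ALLOWED_AVATAR_RE.match(filename):
        return None
    candidate = posixpath.normpath(posixpath.join(AVATAR_DIR, filename))
    # Defence in depth: confirm normalisation kept the path inside AVATAR_DIR.
    if not candidate.startswith(AVATAR_DIR + "/"):
        return None
    return candidate


def process_registration(form: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Sanitise a submitted form; return (clean_fields, problems).

    Text fields are always escaped; a problem is recorded when markup was
    present. The avatar is dropped from the clean fields if it is unsafe.
    """
    clean: Dict[str, str] = {}
    problems: List[str] = []
    for name in TEXT_FIELDS:
        raw = form.get(name, "")
        if contains_markup(raw):
            problems.append(f"{name}: HTML markup in submitted value (escaped)")
        clean[name] = escape_profile_field(raw)
    avatar = validate_avatar(form.get("avatar", ""))
    if avatar is None:
        problems.append("avatar: must be an image file name inside the avatar directory")
    else:
        clean["avatar"] = avatar
    return clean, problems


if __name__ == "__main__":
    # Constructed submission reproducing the two payloads from the thread.
    attack = {
        "uname": "attacker",
        "interests": "<img src=http://www.anything.com/defaced.gif>",
        "avatar": "../../../dir/pic.gif",
    }
    fields, notes = process_registration(attack)
    print(fields)
    print(notes)
```

The avatar check deliberately whitelists a single file-name pattern instead of trying to strip "../"; the `normpath` comparison afterwards is a second, independent guard in case the pattern is later loosened.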
Current thread:
- SERIOUS BUG IN PHPNUKE MegaHz (Jul 27)
- Re: SERIOUS BUG IN PHPNUKE supergate (Jul 28)
- Re: SERIOUS BUG IN PHPNUKE Josué (Jul 30)
- Re: SERIOUS BUG IN PHPNUKE MegaHz (Jul 30)