You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 525 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Yet Another XSS Vulnerability in PHP-Nuke
SecurityAnonymous writes "Forward from bugtraq:

-------------------------------------------

Affected Versions:
PHP Nuke versionh 6.0 and below

Unaffected version:
PHP Nuke 6.5

Impact:
-------------------------------------------
Allows any user to inject their own HTML or Java code instead of an avatar
image. This can lead to very annoying forum posts, and the usual XSS tricks."
Posted on Tuesday, February 04 @ 01:23:09 CET by [RETIRED]chatserv
 
Related Links
· Computer Cops
· More about Security
· News by [RETIRED]chatserv


Most read story about Security:
PHP-Nuke admin.php security hole - PATCHED

Article Rating
Average Score: 1
Votes: 1


Please take a second and vote for this article:

Excellent
Very Good
Good
Regular
Bad


Options

 Printer Friendly Page  Printer Friendly Page

 Send to a Friend  Send to a Friend

Threshold
The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register

Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 0)
by Anonymous on Tuesday, February 04 @ 02:11:47 CET
Link to the full report: http://online.securityfocus.com/archive/1/309959



Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 1)
by Zhen-Xjell on Tuesday, February 04 @ 04:29:44 CET
(User Info | Send a Message) http://castlecops.com
Hi and thanks for posting. I have confirmed the exploit *does work* on PHP-Nuke 6.5 so all versions are susceptible. And of course I immediately fixed it for both Nuke 5.6 and 6.5 but only if the phpbb2 forums are used. I'll be issuing a release today.



Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 1)
by Zhen-Xjell on Tuesday, February 04 @ 05:01:37 CET
(User Info | Send a Message) http://castlecops.com
I made the following changes. Left arrow is the changed secured file whereas the right one is the unmodified NUke 6.5 beta 5 file. Make the changes to the Your_Account/index.php file. Basically instances of user_avatar were removed.
751c749
function saveuser($realname, $email, $femail, $url, $user_avatar, $newsletter, $user_icq, $user_aim, $user_yim, $user_msnm, $user_from, $user_occ, $user_intrest, $user_sig, $bio, $pass, $vpass, $uname, $uid, $attach) {
775c773
sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' , user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
---
> $db->sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' , user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
786c784
sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', bio='$bio', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
---
> $db->sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', bio='$bio', user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
1174c1172
saveuser($realname, $email, $femail, $url, $user_avatar, $newsletter, $user_icq, $user_aim, $user_yim, $user_msnm, $user_from, $user_occ, $user_intrest, $user_sig, $bio, $pass, $vpass, $uname, $uid, $attach);
1223c1221

---
> ?>


For Nuke 5.6 the same thing was done. After I did this, I retested with the exploitable code and was unable to save anything to the user_avatar.


  • Re: by Anonymous on Tuesday, February 04 @ 05:27:15 CET
    • Re: by Zhen-Xjell on Tuesday, February 04 @ 05:30:34 CET
      • Re: by Anonymous on Tuesday, February 04 @ 05:40:48 CET
        • Re: by Zhen-Xjell on Tuesday, February 04 @ 05:46:36 CET
          • Re: by sixonetonoffun on Tuesday, February 04 @ 09:49:58 CET
            • Re: by Zhen-Xjell on Tuesday, February 04 @ 14:33:00 CET
              • Re: by sixonetonoffun on Tuesday, February 04 @ 21:26:49 CET

Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 0)
by Anonymous on Tuesday, February 04 @ 17:41:50 CET
A follow up from bugtraq:

This is a follow up to my original email..

First of all i just want to add, that with this vulnerability, it is
possible to change other user's avatars to either text, or to different
images. all you need to find out is their UID and username.

And also i came up with this solution for the problem..

In modules/Your_Account in php nuke, open up index.php. Search for
"saveuser" you should get to a function that looks liek this..
(should be around line 740)

function saveuser($uid, $realname, $uname, $email, etc...

right underneath the function call, put this in..

$referer = getenv("HTTP_REFERER");
$nukeurl="http://digital-delusions.com";
$nukeurl2="http://digital-delusions.dyn.ee";
$nukeurl3="http://192.168.0.254";
if (substr("$referer",0,strlen($nukeurl))==$nukeurl OR
substr("$referer",0,strlen($nukeurl2))==$nukeurl2 OR
substr("$referer",0,strlen($nukeurl3))==$nukeurl3) {

this code will check where the request is coming from, and if it is coming
from your site, then it will let the function continue.. Notice i have 3
$nukeurl variables, this is because those are the 3 different url's requests
can come form. So make sure u change my URLs to your site's urls.

Then, go down to the end of the function.. (ends with a "}")
should look somethign liek this..

[...]
Header("Location: modules.php?name=$module_name");
}
}
}

before the last "}"
paste this..

} else {
echo "delusion ownz j00";
}

make sure u keep all the {}'s in their correct places, dont remove any. and
of course you can change the message to whatever you want ;)

Have fun,
-delusion
http://www.digital-delusions.com



  • Re: by Zhen-Xjell on Tuesday, February 04 @ 19:02:09 CET
Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.089 Seconds - 201 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::