|
- Readme First! -
Read and follow the rules, otherwise your posts will be closed |
|
|
|
|
|
There are currently, 58 guest(s) and 1 member(s) that are online.
You are Anonymous user. You can register for free by clicking here |
|
|
|
|
|
Yet Another XSS Vulnerability in PHP-Nuke |
|
 Anonymous writes "Forward from bugtraq:
-------------------------------------------
Affected Versions:
PHP Nuke versionh 6.0 and below
Unaffected version:
PHP Nuke 6.5
Impact:
-------------------------------------------
Allows any user to inject their own HTML or Java code instead of an avatar
image. This can lead to very annoying forum posts, and the usual XSS tricks."
|
|
Posted on Tuesday, February 04 @ 01:23:09 CET by [RETIRED]chatserv |
|
|
|
|
| |
|
Average Score: 1
Votes: 1
|
|
|
|
|
|
|
| | The comments are owned by the poster. We aren't responsible for their content. |
| | | | |
| No Comments Allowed for Anonymous, please register | | | | |
Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 1)
by Zhen-Xjell on Tuesday, February 04 @ 04:29:44 CET
(User Info | Send a Message) http://castlecops.com | | Hi and thanks for posting. I have confirmed the exploit *does work* on PHP-Nuke 6.5 so all versions are susceptible. And of course I immediately fixed it for both Nuke 5.6 and 6.5 but only if the phpbb2 forums are used. I'll be issuing a release today. |
| | | | |
Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 1)
by Zhen-Xjell on Tuesday, February 04 @ 05:01:37 CET
(User Info | Send a Message) http://castlecops.com | I made the following changes. Left arrow is the changed secured file whereas the right one is the unmodified NUke 6.5 beta 5 file. Make the changes to the Your_Account/index.php file. Basically instances of user_avatar were removed.
751c749
function saveuser($realname, $email, $femail, $url, $user_avatar, $newsletter, $user_icq, $user_aim, $user_yim, $user_msnm, $user_from, $user_occ, $user_intrest, $user_sig, $bio, $pass, $vpass, $uname, $uid, $attach) {
775c773
sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' , user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
---
> $db->sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' , user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
786c784
sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', bio='$bio', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
---
> $db->sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', bio='$bio', user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
1174c1172
saveuser($realname, $email, $femail, $url, $user_avatar, $newsletter, $user_icq, $user_aim, $user_yim, $user_msnm, $user_from, $user_occ, $user_intrest, $user_sig, $bio, $pass, $vpass, $uname, $uid, $attach);
1223c1221
---
> ?>
For Nuke 5.6 the same thing was done. After I did this, I retested with the exploitable code and was unable to save anything to the user_avatar. |
- Re: by Anonymous on Tuesday, February 04 @ 05:27:15 CET
- Re: by Zhen-Xjell on Tuesday, February 04 @ 05:30:34 CET
- Re: by Anonymous on Tuesday, February 04 @ 05:40:48 CET
- Re: by Zhen-Xjell on Tuesday, February 04 @ 05:46:36 CET
- Re: by sixonetonoffun on Tuesday, February 04 @ 09:49:58 CET
- Re: by Zhen-Xjell on Tuesday, February 04 @ 14:33:00 CET
- Re: by sixonetonoffun on Tuesday, February 04 @ 21:26:49 CET
| | | | |
Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 0)
by Anonymous on Tuesday, February 04 @ 17:41:50 CET | A follow up from bugtraq:
This is a follow up to my original email..
First of all i just want to add, that with this vulnerability, it is
possible to change other user's avatars to either text, or to different
images. all you need to find out is their UID and username.
And also i came up with this solution for the problem..
In modules/Your_Account in php nuke, open up index.php. Search for
"saveuser" you should get to a function that looks liek this..
(should be around line 740)
function saveuser($uid, $realname, $uname, $email, etc...
right underneath the function call, put this in..
$referer = getenv("HTTP_REFERER");
$nukeurl="http://digital-delusions.com";
$nukeurl2="http://digital-delusions.dyn.ee";
$nukeurl3="http://192.168.0.254";
if (substr("$referer",0,strlen($nukeurl))==$nukeurl OR
substr("$referer",0,strlen($nukeurl2))==$nukeurl2 OR
substr("$referer",0,strlen($nukeurl3))==$nukeurl3) {
this code will check where the request is coming from, and if it is coming
from your site, then it will let the function continue.. Notice i have 3
$nukeurl variables, this is because those are the 3 different url's requests
can come form. So make sure u change my URLs to your site's urls.
Then, go down to the end of the function.. (ends with a "}")
should look somethign liek this..
[...]
Header("Location: modules.php?name=$module_name");
}
}
}
before the last "}"
paste this..
} else {
echo "delusion ownz j00";
}
make sure u keep all the {}'s in their correct places, dont remove any. and
of course you can change the message to whatever you want ;)
Have fun,
-delusion
http://www.digital-delusions.com
|
- Re: by Zhen-Xjell on Tuesday, February 04 @ 19:02:09 CET
| | | | |
|
