Nuke Cops :: View topic - PHP-Nuke "pagetitle" Cross-Site Scripting Vulnerab
corticus (Nuke Cadet; joined Feb 13, 2006; 9 posts)
Posted: Mon Feb 13, 2006 12:43 pm

Didn't see anything in here about this.

*** 2-13-06 XSS ***

alert:
http://secunia.com/advisories/18820/

fix:
http://www.waraxe.us/advisory-44.html

I'll leave the exploit code out. Unfortunately, it works; fortunately, so does the fix.

Thanks WarAxe!

chris-au (Elite Nuker; joined Jan 31, 2003; 717 posts)
Posted: Mon Feb 13, 2006 7:09 pm

Yes, thanks.

It is good to see somebody checks these things.

What is it about phpNuke and security?

Does anyone at any time get notified of these problems?

_________________
Chris

corticus (Nuke Cadet; joined Feb 13, 2006; 9 posts)
Posted: Mon Feb 13, 2006 8:20 pm

I just started using the system about 6 months ago. I was on 6.0 (I didn't even know it at the time) and didn't even think about security.
Then I got hacked; now it's all I think about.
I mainly just check my Secunia alerts.
This is interesting reading:
http://secunia.com/product/2385/

Many aren't patched, but like today's exploit, there's an easy fix. I'll see if I can find some more links to fixes, unless someone out there's already doing this...

Evaders99 (Site Admin; joined Aug 17, 2003; 12482 posts)
Posted: Tue Feb 14, 2006 12:12 pm

Nope, no one notifies us of these problems before they come up. Probably because FB tends to ignore them anyway.

In mainfile.php, just add after the security checks:

Code:

// Give $pagetitle a script-owned initial value before any module uses it,
// so a value that arrived with the request cannot reach the page header.
$pagetitle = "";

We'll make sure they get into the latest Patched files

corticus, if you aren't using the Patched files - I recommend them. http://www.nukeresources.com
If you find any of the security exploits that are still active with the Patched files, tell me and I'll look into it.

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
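Why a single assignment is enough to close the hole, shown as an added example that is not code from this thread or from PHP-Nuke. It models the bug class behind the advisory: a variable echoed into the page header that the script never initialises, on a host where request parameters are imported into the variable scope. PHP's register_globals setting did that import; it was removed in PHP 5.4, so the example emulates it with extract(). The request array, the function names and the use of a <title> tag as the sink are all assumptions made for the illustration.

```php
<?php
// Added example, not PHP-Nuke's own code. The request below is constructed
// and stands in for index.php?pagetitle=<script>alert(document.cookie)</script>
$request = ['pagetitle' => '<script>alert(document.cookie)</script>'];

function render_title_vulnerable(array $request): string
{
    extract($request);             // stands in for register_globals=On
    // The script never assigns $pagetitle, so the attacker's value survives
    // and is written into the header unencoded.
    $title = $pagetitle ?? 'Site';
    return "<title>{$title}</title>";
}

function render_title_fixed(array $request): string
{
    extract($request);             // same hostile environment as above
    $pagetitle = '';               // the one-line fix: the script's own value wins
    // Modules may legitimately set $pagetitle later, so also encode at the
    // sink; whatever ends up in the variable cannot then break out of the tag.
    $title = $pagetitle !== '' ? $pagetitle : 'Site';
    return '<title>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</title>';
}

// Self-check: the vulnerable path leaks the script tag, the fixed path does not.
if (strpos(render_title_vulnerable($request), '<script>') === false
    || render_title_fixed($request) !== '<title>Site</title>') {
    fwrite(STDERR, "unexpected behaviour\n");
    exit(1);
}
echo render_title_vulnerable($request), "\n";
echo render_title_fixed($request), "\n";
```

Run it with the PHP CLI (PHP 7 or later). The initialisation removes this particular entry point, but it does not stop a module from later assigning untrusted data to $pagetitle; turning register_globals off and encoding at the output sink, as the fixed function does, is what makes the header safe regardless of where the value came from.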
Powered by phpBB © 2001, 2005 phpBB Group. Ported by Nuke Cops © 2003 www.nukecops.com.