NukeCops - XSS Patch Released

You are missing our premiere tool bar navigation system! Register and use it for FREE!

Create an account

• Home • Downloads • Gallery • Your Account • Forums •

Readme First

- Readme First! -
Read and follow the rules, otherwise your posts will be closed

Modules

· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account

Who's Online

There are currently, 146 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here

XSS Patch Released

MikeMiles, a support staffer at Nuke Cops reported a new XSS exploit against PHP-Nuke and here is the patch that gets placed into the mainfile.php around line 674.

Find the following lines:

        
        $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^" >]*)[[:space:]]*\"?[^>]*>",
                         '<a href="1">', $str); # "
               // Delete all attribs from Anchor, except an href, double quoted.
        $str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);
               // Delete all img tags

And place the following lines after:

        $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);
               // Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com

This will prevent XSS javascript code. This is a common exploit that the patch guards against which could potentially steal the admin's cookie data.

Posted on Sunday, August 24 @ 22:36:15 CEST by Zhen-Xjell

Most read story about Security:
PHP-Nuke admin.php security hole - PATCHED

Article Rating

Average Score: 0
Votes: 0

Options

Printer Friendly Page

Send to a Friend

The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register

Re: XSS Patch Released (Score: 1)
by sting on Sunday, August 24 @ 22:58:09 CEST
(User Info | Send a Message) http://www.nukehaven.net

Get an error:

Parse error: parse error in /home/mysite/public_html/mainfile.php on line 648

Fatal error: Call to a member function on a non-object in /home/mysite/public_html/index.php on line 18

What am I missing?

Thanks,
-sting

Re: XSS Patch Released by Zhen-Xjell on Sunday, August 24 @ 23:08:48 CEST
Re: XSS Patch Released by Zhen-Xjell on Sunday, August 24 @ 23:14:31 CEST
- Re: XSS Patch Released by sting on Sunday, August 24 @ 23:18:25 CEST
  - Re: XSS Patch Released by Zhen-Xjell on Sunday, August 24 @ 23:20:28 CEST
    - Re: XSS Patch Released by sting on Sunday, August 24 @ 23:22:27 CEST
- Re: XSS Patch Released by sting on Sunday, August 24 @ 23:21:40 CEST
  - Re: XSS Patch Released by Zhen-Xjell on Sunday, August 24 @ 23:29:06 CEST
- Re: XSS Patch Released by nopeace4u on Sunday, August 24 @ 23:34:28 CEST
Re: XSS Patch Released by sting on Sunday, August 24 @ 23:42:07 CEST
How do you provoke the error?? by Jenses on Monday, August 25 @ 15:16:14 CEST

Re: XSS Patch Released (Score: 1)
by nopeace4u on Sunday, August 24 @ 23:22:26 CEST
(User Info | Send a Message) http://www.webhostgem.com

Have same problem -- http://test.clan-njk.com

Parse error: parse error in /home/clannjk/public_html/test/mainfile.php on line 683

Fatal error: Call to a member function on a non-object in /home/clannjk/public_html/test/index.php on line 18

Re: XSS Patch Released by xfsunolesphp on Monday, August 25 @ 21:30:56 CEST
- Re: XSS Patch Released by xfsunolesphp on Monday, August 25 @ 21:36:49 CEST

Re: XSS Patch Released (Score: 1)
by Zhen-Xjell on Sunday, August 24 @ 23:31:39 CEST
(User Info | Send a Message) http://castlecops.com

Please Note:

This patch was tested on several PHP-Nuke sites including 5.x and 6.x releases with 100% success rate.

I don't know why folks are having issues, but lets try to resolve them immediately.

Re: XSS Patch Released by sting on Sunday, August 24 @ 23:35:58 CEST
- Re: XSS Patch Released by Zhen-Xjell on Sunday, August 24 @ 23:39:31 CEST

Re: XSS Patch Released (Score: 1)
by Feret on Sunday, August 24 @ 23:44:28 CEST
(User Info | Send a Message) http://www.sunandshadows.com

getting this error:

Parse error: parse error in /home/sunandsh/public_html/mainfile.php on line 656

Fatal error: Call to a member function on a non-object in /home/sunandsh/public_html/modules.php on line 22

here is the code around it

[code] // Delete all spaces from html tags .
$str = eregi_replace("]*href[[:space:]]*=[[:space:]]*"?[[:space:]]*([^" >]*)[[:space:]]*"?[^>]*>",
'', $str); # "
// Delete all attribs from Anchor, except an href, double quoted.
$str = eregi_replace("]*)[[:space:]]*>", '', $str);
// Delete all img tags
$str = eregi_replace("]*href[[:space:]]*=[[:space:]]*"?javascript[[:punct:]]*"?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com

$tmp = "";
while (ereg("]*)>",$str,$reg)) {
[/code]

Re: XSS Patch Released by Feret on Sunday, August 24 @ 23:47:04 CEST
- Re: XSS Patch Released by Zhen-Xjell on Sunday, August 24 @ 23:50:02 CEST

THE FIX (Score: 1)
by Evaders99 on Monday, August 25 @ 00:36:31 CEST
(User Info | Send a Message) http://www.swrebellion.com

The code above doesn't work because it is missing two backslashes. Try this:

$str = eregi_replace("]*href[[:space:]]*=[[:space:]]*"?javascript[[:punct:]]*"?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com

re: THE FIX (Score: 1)
by Evaders99 on Monday, August 25 @ 00:37:36 CEST
(User Info | Send a Message) http://www.swrebellion.com

Or not.. sorry, it seems that its stripping code it isn't supposed to.

Definitely copy this line from the CVS and it will work.

re: THE FIX by smotrs on Monday, August 25 @ 11:49:05 CEST
- re: THE FIX by smotrs on Monday, August 25 @ 11:55:45 CEST
- re: THE FIX by Zhen-Xjell on Monday, August 25 @ 12:26:23 CEST
  - re: THE FIX by smotrs on Monday, August 25 @ 16:20:23 CEST

Re: XSS Patch Released (Score: 1)
by StaticBeats on Monday, August 25 @ 12:34:03 CEST
(User Info | Send a Message) http://www.staticbeats.com

The article has the slashes wrong in the code.

The correct code should be:

$str = eregi_replace("]*href[[:space:]]*=[[:space:]]*"?javascript[[:punct:]]*"?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com

Re: XSS Patch Released by Zhen-Xjell on Monday, August 25 @ 12:39:40 CEST
- Re: XSS Patch Released by jeffreym on Monday, August 25 @ 18:05:37 CEST
  - Re: XSS Patch Released by chatserv on Monday, August 25 @ 19:10:19 CEST

Re: XSS Patch Released (Score: 1)
by Panama on Tuesday, August 26 @ 00:07:42 CEST
(User Info | Send a Message)

I added the code - but then the security image stopped displaying when I tried to log in as admin.

Then I took the patch back out - and the security code will still not display! Help!

Re: XSS Patch Released by Panama on Tuesday, August 26 @ 01:10:48 CEST

Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.374 Seconds - 549 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)

:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::