|
|
|
|
| |
| Bruno Morisson and Pedro Inacio have found 7 different cross-site-scripting vulnerabilities in PHPNuke 6.0 that allow for anyone to steal the authentication cookies from users and Administrators. |
| |
Credit:
The information has been provided by Bruno Morisson and Pedro Inacio.
|
| |
1] RDF/RSS Parser (Risk: medium)
PHP-Nuke's RDF/RSS parser doesn't strip html tags when parsing RSS files. The <title> tag isn't stripped, so if it contains any valid HTML or scripting, the user's browser will run the script.
As a proof of concept, go to your account on a PHP-Nuke site, and on your preferred site just put some URL with an RDF file with an item like this one:
<item rdf:about="http://www.somesite.dom">
<title><scr!pt>alert('cookie: '+ document.cookie)</script></title>
<link>http://www.somesite.dom/</link>
<description>Puke It</description>
</item>
Bruno Morisson and Pedro Inacio have one RDF file like that one at http://www.genhex.org/php-puke.rdf
2] Private Messages (Risk: critical)
Private messages module allows for html in the body. Although it strips <scr!pt> tags, it allows for events on <a href> tags. Hence, on the message body just write:
<a href="X" onmouseover="alert(document.cookie)">x</a>. This will be left up to your imagination more interesting ways to explore this.
3] Journal (Risk: critical)
The journal doesn't strip HTML tags. Put "<scr!pt> alert(document.cookie)</script>" somewhere (in the title for better effect) and when someone goes to see your journal, the script will be run.
4] Your Info (Risk: critical)
Most fields on the "Your Info" section of don't strip HTML tags, or don't correctly validate input.
On Your HomePage, you can put an URL to some site. PHPNuke doesn't correcty validate the data. You can do some "HTML Injection", for instance, insert as your URL:
http://x/" onmouseover="alert(document.cookie)
PHPNuke will turn this into: <a href="http://x/" onmouseover="alert(document.cookie)">http://x/" onmouseover="alert(document.cookie)</a>
It's not very stealthy, but most users will probably put their mouse over it anyway. You must keep the URL as small as possible, since PHP-Nuke will truncate the URL, thus it will not work.
The following fields don't strip tags:
* Real Name
* Fake Email
* Your Location
* Your Interests
* Your Occupation
* Signature
These ones allow for <scr!pt> tags, thus turning the attack completely transparent to the victim.
The "real name" and "fake email" fields are even more dangerous, because if someone lists the users, the script will be executed. All the others require the victim to go to the attacker's info page.
5] Search (Risk: Low)
This is a low risk CSS bug, since as far as Bruno Morisson and Pedro Inacio could tell the user must put the script himself on the search field. Anyway, the box doesn't correctly strip the query string, although it does if it is submitted as a GET request...
6] Downloads (Risk: Critical)
This module accepts <a href> events in the fields:
* Program Name
* File Link
* Author's Name
* Author's Email
* Homepage
Any user that can submit a download can insert some JavaScript in those fields. When an Admin goes to check the download, depending on the event, JavaScript will be executed. Most fields will look very suspicious, except for File Link. File Link will look perfectly normal. If the Admin puts his mouse over the link (or other event) by accident (or on purpose), you can steal his cookie.
7] Web Links (Risk: Critical)
Exactly the same as the Downloads module.
Vendor Status:
Vendor notified of first two bugs on 4 Oct 2002 through PHPNuke's site. Vendor notified of all bugs through E-Mail on 7 Oct 2002.
|
|
|
|
|
|
|
