[UNIX] PHPX Web Portal Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org
Date: 12 Feb 2004 12:19:40 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHPX Web Portal Multiple Vulnerabilities
" <http://www.phpx.org> PHPX is a constantly evolving and changing Content
Management System (CMS). PHPX is highly customizable and high powered all
in one system. PHPX provides content management combined with the power of
a portal by including in the core package modules such as FAQ, polls, and
Multiple vulnerabilities were found in PHPX that allow an attacker to inject
arbitrary script code, perform cross-site scripting and even hijack cookie
* PHPX version 3.2.3 (possibly prior)
* PHPX version 3.2.4
Vulnerabilities exist in the main.inc.php and help.inc.php files that
allow an attacker to insert arbitrary code which executes in the
client's browser. An example of such conditions can be demonstrated in the
main.inc.php?keywords='>< scr!pt>alert(document.cookie)< /scr!pt>
help.inc.php?body='>< scr!pt>alert(document.cookie)< /scr!pt>
NOTE: In the examples above the 'script' tag has been replaced with
HTML/Code Injection Flaw
Injection of malicious code is possible through the 'Subject' field in
both the Forum and Instant Messaging. An attacker can inject specially
crafted code which is triggered when a user views certain pages. The
script code crafted by the attacker is then executed on the user's
client side and could manipulate user profiles, post in forums and steal
Cookie Account Hijacking Vulnerability
A cookie written by PHPX contains a variable called PXL, which PHPX uses to
authenticate users. The PXL variable can be edited in a way that allows an
attacker to authenticate as a different user and gain access to that
user's account. It is also possible to gain administrative access, which
means a full compromise of the system in question.
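The underlying weakness is a cookie value that the server trusts without being able to tell whether the client changed it. The following is an added example, not PHPX code and not part of the original advisory: it contrasts that pattern with an HMAC-signed token that is rejected once edited. The advisory does not publish the PXL format, so the cookie layout, function names and key handling here are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; the advisory does not give the PXL format.
const TOKEN_TTL = 3600; // seconds a token stays valid

// Weak pattern: the cookie value itself is taken as the identity,
// so whoever edits the cookie chooses the account.
function user_from_plain_cookie(string $cookie): int
{
    return (int) $cookie;
}

// Hardened: issue "userId.expiry.mac", mac = HMAC-SHA256(key, "userId.expiry").
function issue_token(int $userId, string $key, int $now): string
{
    $payload = $userId . '.' . ($now + TOKEN_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the user id, or null if the token is malformed, altered or expired.
function verify_token(string $token, string $key, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$userId, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . '.' . $expiry, $key);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    return ((int) $expiry >= $now) ? (int) $userId : null;
}

// Constructed demo values.
$key   = random_bytes(32); // server-side secret, never sent to the client
$now   = time();
$token = issue_token(42, $key, $now);

// The identifier is edited to 1 while the original MAC is kept.
$forged = '1' . substr($token, strpos($token, '.'));

var_dump(user_from_plain_cookie('1'));             // unsigned cookie with an edited id
var_dump(verify_token($token, $key, $now));        // untampered token
var_dump(verify_token($forged, $key, $now));       // edited id, original MAC
var_dump(verify_token($token, $key, $now + 7200)); // valid token presented after expiry
```

Setting the cookie with the HttpOnly flag also keeps it out of reach of the document.cookie reads shown in the cross-site scripting examples above.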
The vendor has been notified and a newer version was released.
The information has been provided by <mailto:email@example.com> Manuel