Re: SERIOUS BUG IN PHPNUKE
From: Josué (bit_0f_l0ve@yahoo.com)
Date: 07/29/01
- Previous message: Bob Hillery: "Odd ports...but non-incident"
- In reply to: MegaHz: "SERIOUS BUG IN PHPNUKE"
- Next in thread: MegaHz: "Re: SERIOUS BUG IN PHPNUKE"
- Reply: MegaHz: "Re: SERIOUS BUG IN PHPNUKE"
Message-ID: <20010729190922.23084.qmail@web10907.mail.yahoo.com>
Date: Sun, 29 Jul 2001 12:09:22 -0700 (PDT)
From: "Josué" "ßit" "øf" "Løve" de Freitas <bit_0f_l0ve@yahoo.com>
Subject: Re: SERIOUS BUG IN PHPNUKE
To: MegaHz <costcon@cytanet.com.cy>, VULN-DEV@SECURITYFOCUS.COM, INCIDENTS@SECURITYFOCUS.COM, bugtraq@SECURITYFOCUS.COM
Hi,
This only happens with images (the <img> tag is used), so
other files are protected... the cracker has to know
the root site path too.
Regards, Josué
--- MegaHz <costcon@cytanet.com.cy> wrote:
> Yes, phpnuke.org, was contacted....
>
> First take a look at:
>
> http://phpnuke.org/user.php?op=userinfo&uname=MegaHz
>
>
> Then, read this.................
> PHPnuke Bugs.
>
> After testing just a few scripts on phpnuke I have
> noticed the following:
>
> Some fields in the registration form allow code
> and fail to filter out the tags.
> e.g. Interests:
> src=http://www.anything.com/defaced.gif>
>
> Also when faking a form and posting from local file
> (user.php.html)
> after editing a few fields like the avatar picture
> for example,
> it is possible to escape certain dirs with the
> ../../../../dir/pic.gif
> in the options field.
>
> (-- This is a local html file and set to post to
> user.php on the target
> server --)
> (no this is not a tag :P )
>
>
> 001.gif
> 002.gif
>
>
>
> This tells user.php to save the avatar path as
>
> http://www.target.com/../../../dir_on_server/anyfile.ext
> and loads the file
> when the user info of the attacker is viewed.
>
> As we know webbugs (invisible or visible pics can be
> used for tracing)
>
> The preview of the Registration Form allows
> Javascript in the
> body. (not the user.php) but it does not allow ' or
> " . BUT you can use /
> instead of '
> so this helps to fill in variables in javascript.
>
> This can damage the site and make it look ugly.
>
> I couldn't be bothered to look at the rest of
> phpnuke...
>
>
> Tested on phpnuke v5.0
>
> First discovered by: dinopio
>
>
>
> =================================================
> Andreas Constantinides (MegaHz)
> Owner - Admin of cHp - http://www.cyhackportal.com
> megahz@cyhackportal.com
> ICQ#: 30136845
> =================================================
>
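As an added mitigation example (not code from PHP-Nuke or from either poster), here is how the two inputs named in the report, the avatar path and the free-text registration fields, could be handled on the server side; the gallery file list and the field names are assumed.

```php
<?php
// Added example, not PHP-Nuke code. Two fixes for the report above:
//  1. the avatar must be a bare filename from a known gallery list (no "../",
//     no directory parts, no URL), so user.php cannot be told to load
//     http://www.target.com/../../../dir_on_server/anyfile.ext;
//  2. profile text such as "Interests" is HTML-encoded before display, so an
//     injected <img> or <script> tag is shown as text, not interpreted.

// Return the gallery filename to store, or null if the request is rejected.
// $gallery is the list of files actually present in the avatar directory
// (assumed here; in practice built with scandir() on that directory).
function safe_avatar(string $requested, array $gallery): ?string
{
    // basename() strips every directory component; if stripping changed the
    // value, the caller tried to include a path or URL and is refused.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name !== $requested) {
        return null;
    }
    // Only simple image names, and only ones that exist in the gallery.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/', $name)) {
        return null;
    }
    return in_array($name, $gallery, true) ? $name : null;
}

// Encode a free-text field for safe placement inside an HTML page.
// ENT_QUOTES also encodes ' and ", so the value cannot close an attribute.
function safe_profile_text(string $value, int $max = 255): string
{
    $value = substr(trim($value), 0, $max);
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Demonstration with constructed inputs modelled on the report.
$gallery = ['001.gif', '002.gif'];                     // constructed list
$tries = [
    '001.gif',                                           // accepted
    '../../../../dir/pic.gif',                           // traversal, rejected
    'http://www.target.com/../../../dir/anyfile.ext',    // URL, rejected
    '003.gif',                                           // not in gallery
];
foreach ($tries as $in) {
    printf("%-50s -> %s\n", $in, var_export(safe_avatar($in, $gallery), true));
}
echo safe_profile_text('<img src=http://www.anything.com/defaced.gif>'), "\n";
```

Run with `php example.php`; only `001.gif` is returned, and the encoded Interests value renders literally instead of fetching the remote image.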