PHP-Nuke code injection in Yearly Stats at Statistics module

From: Lorenzo Manuel Hernandez Garcia-Hierro (securityat_private)
Date: Sat May 17 2003 - 03:33:39 PDT


    -------
    Product: PHP-Nuke
    Vendor: Francisco Burci
    Versions vulnerable:
    6.0 without patches,
    6.0 with the index.php and mainfile.php patches,
    5.5 with patches (all except the script tag patch).
    Not vulnerable:
    6.0 with the mainfile.php patch for blocking URL tag inclusions (not all of them),
    5.5 with the script tag patch together with all the others.
    ------
    DESCRIPTION:
    ------
    I'm working now on Nuke-based portals, searching for modules that use a URL-based
    query, and I found some bugs in the Statistics module:
    when you put a string in the URL after the &year variable, the module
    prints back the characters that you put there.
    I tried iframe and it works; script tags work, object works, applet
    works, meta works, style works, form works too, img works, and comments and SSI
    work.
    --------
    SOLUTION:
    --------
    Put this code in your mainfile.php :
    /*
    // Reject any GET parameter carrying one of the listed tags or a double quote.
    // eregi() was deprecated in PHP 5.3 and removed in PHP 7; on newer PHP use
    // preg_match() with the /i flag instead.
    foreach ($HTTP_GET_VARS as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
            (eregi("\"", $secvalue))) {
            die ("Oh! .");
        }
    }
    */
    NOTE: Remove comment /* and */.
    -----
    WHAT CAN HAPPEN?
    -----
    Script and binary object inclusion. Normally it isn't a problem, but
    there are many viruses written in VBScript and JavaScript. An iframe can
    be used in a link that a user visits, and then there is an attack on the
    user through known iframe vulns.
    With the code that I provide, you're safe from this little bug.
    -----
    CONTACT INFO :
    ---------------------------------------
    Lorenzo Manuel Hernandez Garcia-Hierro
    --- Computer Security Analyzer ---
    --www.novappc.com --
    PGP key fingerprint:
    B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
    ID: 0x9C38E1D7
    **********************************
    
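The defect described in the post is a query-string value echoed straight into the page. The following is an added illustration, not PHP-Nuke's code and not the poster's: a minimal stand-in for the echoing pattern next to a hardened version that validates the year as a number (allow-list) and escapes what it outputs, instead of blacklisting tag names. Function names and sample inputs are hypothetical/constructed.

```php
<?php
// Added example, not PHP-Nuke's own code. Function names are hypothetical.

// Vulnerable shape: the $year value taken from the query string is placed
// into the HTML unchanged, so any markup in it (script, iframe, img, ...)
// is rendered by the visitor's browser.
function render_year_stats_unsafe(string $year): string
{
    return "<h2>Statistics for year " . $year . "</h2>\n";
}

// Hardened shape: a year is a small integer, so accept only digits in a
// sane range and escape the value before it is written into the page.
// Rejecting bad input up front means no attacker-chosen text is reflected.
function render_year_stats_safe(string $year): string
{
    if (!ctype_digit($year) || (int)$year < 1990 || (int)$year > 2100) {
        return "<h2>Invalid year</h2>\n";
    }
    $safe = htmlspecialchars($year, ENT_QUOTES, 'UTF-8');
    return "<h2>Statistics for year " . $safe . "</h2>\n";
}

// Constructed sample inputs: a normal request and one carrying markup.
$inputs = ['2003', '2003<b>injected</b>'];
foreach ($inputs as $in) {
    echo "unsafe: " . render_year_stats_unsafe($in);
    echo "safe:   " . render_year_stats_safe($in);
}
```

The second input is reflected verbatim by the unsafe function and rejected by the safe one; with validation plus output escaping there is no need for the per-tag blacklist in the mainfile.php snippet above, which is only as complete as its list of tag names.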



    This archive was generated by hypermail 2b30 : Sat May 17 2003 - 11:18:42 PDT