Re: SERIOUS BUG IN PHPNUKE

From: Josué (bit_0f_l0veat_private)
Date: Sun Jul 29 2001 - 12:09:22 PDT


    Hi,
    
    This only happens with images (the <img> tag is used), so
    other files are protected... the cracker has to know
    the root site path too.
    
    
    Regards, Josué
    
    --- MegaHz <costconat_private> wrote:
    > Yes, phpnuke.org, was contacted....
    > 
    > First take a look at:
    > http://phpnuke.org/user.php?op=userinfo&uname=MegaHz
    > 
    > 
    > Then, read this.................
    > PHPnuke Bugs.
    > 
    > After testing just a few scripts on phpnuke I have
    > noticed the following:
    > 
    > Some fields in the registration form allow code
    > and fail to filter out the tags.
    > e.g. Interests:
    > <img src=http://www.anything.com/defaced.gif>
    > 
    > Also when faking a form and posting from local file
    > (user.php.html)
    > after editing a few fields like the avatar picture
    > for example,
    > it is possible to escape certain dirs with the
    > ../../../../dir/pic.gif
    > in the options field.
    > 
    > (-- This is a local html file and set to post to
    > user.php on the target
    > server --)
    >   (no this is not a tag :P )
    > 
    > 
    > 001.gif
    > 002.gif
    > 
    > 
    > 
    > This tells user.php to save the avatar path as
    > http://www.target.com/../../../dir_on_server/anyfile.ext
    > and loads the file
    > when the user info of the attacker is viewed.
    > 
    > As we know webbugs (invisible or visible pics can be
    > used for tracing)
    > 
    > The preview of the Registration Form allows
    > Javascript in the
    > body. (not the user.php) but it does not allow ' or
    > " . BUT you can use /
    > instead of '
    > so this helps to fill in variables in javascript.
    > 
    > This can damage the site and make it look ugly.
    > 
    > I couldn't be bothered to look at the rest of
    > phpnuke...
    > 
    > 
    > Tested on phpnuke v5.0
    > 
    > Firstly discovered by: dinopio
    > 
    > 
    > 
    > =================================================
    > Andreas Constantinides (MegaHz)
    > Owner - Admin of cHp - http://www.cyhackportal.com
    > megahzat_private
    > ICQ#: 30136845
    > =================================================
    > 
    
    
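As an added illustration of the defensive side of the two issues MegaHz describes (example code written for this archive page, not PHP-Nuke's own): a free-text profile field is escaped so an injected tag renders as text rather than markup, and an avatar is accepted only as a bare filename from a server-side whitelist, so a value like `../../../../dir/pic.gif` or a remote URL is rejected. The avatar directory and the helper names are assumptions.

```php
<?php
// Added example, not PHP-Nuke code. The directory below is an assumed
// location, not the real PHP-Nuke avatar path.
const AVATAR_DIR = 'images/forum/avatar';

// Escape a free-text profile field (e.g. "Interests") before output so an
// injected <img> or <script> tag is shown as text instead of being rendered.
function render_profile_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept an avatar only if it is a plain filename (no "/", "\" or "..")
// AND it appears in the server-side list of available avatars. The client's
// posted value is never used as a path on its own.
// Returns the safe relative path, or null when the value is rejected.
function validate_avatar(string $submitted, array $available): ?string
{
    // Plain name.ext only: rejects traversal sequences and URLs outright.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\.(gif|jpe?g|png)\z/', $submitted)) {
        return null;
    }
    // Whitelist check with strict comparison against the server's own list.
    if (!in_array($submitted, $available, true)) {
        return null;
    }
    return AVATAR_DIR . '/' . $submitted;
}

// Constructed sample values modelled on the thread above.
$available = ['001.gif', '002.gif'];
$candidates = [
    '001.gif',                                   // legitimate choice
    '../../../../dir/pic.gif',                   // traversal from a forged form
    'http://www.anything.com/defaced.gif',       // remote image
    '003.gif',                                   // well-formed but not offered
];
foreach ($candidates as $c) {
    $result = validate_avatar($c, $available);
    printf("%-40s => %s\n", $c, $result ?? 'rejected');
}
echo render_profile_field('<img src=http://www.anything.com/defaced.gif>'), "\n";
```

Only `001.gif` passes the avatar check; the "Interests" payload is printed as literal text because `<` and `>` become `&lt;` and `&gt;`.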
    



    This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 08:43:16 PDT