Hi,

This only happens with images (tag <img> is used) so other files are protected... the cracker has to know the root site path too.

Regards,
Josué

--- MegaHz <costconat_private> wrote:
> Yes, phpnuke.org, was contacted....
>
> First take a look at:
> http://phpnuke.org/user.php?op=userinfo&uname=MegaHz
>
>
> Then, read this.................
> PHPnuke Bugs.
>
> After testing just a few scripts on phpnuke I have
> noticed the following:
>
> Some fields in the registration form allow code
> and fail to filter out the tags.
> e.g. Interests:
> src=http://www.anything.com/defaced.gif>
>
> Also when faking a form and posting from local file
> (user.php.html)
> after editing a few fields like the avatar picture
> for example,
> it is possible to escape certain dirs with the
> ../../../../dir/pic.gif
> in the options field.
>
> (-- This is a local html file and set to post to
> user.php on the target
> server --)
> (no this is not a tag :P )
>
>
> 001.gif
> 002.gif
>
>
>
> This tells user.php to save the avatar path as
> http://www.target.com/../../../dir_on_server/anyfile.ext
> and loads the file
> when the user info of the attacker is viewed.
>
> As we know webbugs (invisible or visible pics can be
> used for tracing)
>
> The preview of the Registration Form allows
> Javascript in the
> body. (not the user.php) but it does not allow ' or
> " . BUT you can use /
> instead of '
> so this helps to will in variables in javascript.
>
> This can damage the site and make it look ugly.
>
> I couldn't be bothered to look at the rest of
> phpnuke...
>
>
> Tested on phpnuke v5.0
>
> Firstly discovered by: dinopio
>
>
>
> =================================================
> Andreas Constantinides (MegaHz)
> Owner - Admin of cHp - http://www.cyhackportal.com
> megahzat_private
> ICQ#: 30136845
> =================================================
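The two input problems reported in the quoted message (an avatar value taken from a locally edited form, and profile fields that keep their tags) are both closed on the server side. The following is an added example, not part of the original post and not PHP-Nuke code; `AVATAR_DIR`, `validate_avatar` and `render_profile_field` are hypothetical names, and the sample inputs are constructed from the strings in the message.

```php
<?php
// Added example; AVATAR_DIR and both function names are hypothetical.
const AVATAR_DIR = __DIR__ . '/images/avatars'; // assumed location

// Return the file name only if it names a file the server itself offers.
// The select list in the browser is not a control: a locally edited form
// can post any string, so the check has to be repeated server-side.
function validate_avatar(string $submitted, string $dir = AVATAR_DIR): ?string
{
    // A plain file name has no directory part, so "../" sequences fail here.
    if ($submitted === '' || $submitted !== basename($submitted)) {
        return null;
    }
    // Restrict the character set and the extension to image types.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(gif|png|jpe?g)\z/', $submitted)) {
        return null;
    }
    // Allowlist: the resolved path must be a file directly inside $dir.
    $base = realpath($dir);
    $real = realpath($dir . DIRECTORY_SEPARATOR . $submitted);
    if ($base === false || $real === false || dirname($real) !== $base) {
        return null;
    }
    return $submitted;
}

// Encode profile text on output so stored markup is displayed, not rendered.
function render_profile_field(string $label, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<b>' . htmlspecialchars($label, $flags, 'UTF-8') . ':</b> '
         . htmlspecialchars($value, $flags, 'UTF-8');
}

// Constructed sample data: a scratch avatar directory with one real file.
$dir = sys_get_temp_dir() . '/avatars_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
touch($dir . '/001.gif');

var_dump(validate_avatar('001.gif', $dir));                 // offered file
var_dump(validate_avatar('../../../../dir/pic.gif', $dir)); // forged value
echo render_profile_field('Interests',
    '<img src=http://www.anything.com/defaced.gif>'), "\n";
```

A rejected avatar value should fall back to a default image rather than being stored, and the encoding belongs at every place the profile is displayed, the registration preview included.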
This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 08:43:16 PDT