that's easy enough to find out...

----- Original Message -----
From: "Josué ßit øf Løve de Freitas" <bit_0f_l0veat_private>
To: "MegaHz" <costconat_private>; <VULN-DEVat_private>; <INCIDENTSat_private>; <bugtraqat_private>
Cc: <mc2at_private>
Sent: Sunday, July 29, 2001 10:09 PM
Subject: Re: SERIOUS BUG IN PHPNUKE

> Hi,
>
> This only happens with images (tag <img> is used), so
> other files are protected... the cracker has to know
> the root site path too.
>
> Regards, Josué
>
> --- MegaHz <costconat_private> wrote:
> > Yes, phpnuke.org was contacted....
> >
> > First take a look at:
> > http://phpnuke.org/user.php?op=userinfo&uname=MegaHz
> >
> > Then, read this.................
> > PHPnuke Bugs.
> >
> > After testing just a few scripts on phpnuke I have
> > noticed the following:
> >
> > Some fields in the registration form allow code
> > and fail to filter out the tags.
> > e.g. Interests:
> > <img src=http://www.anything.com/defaced.gif>
> >
> > Also when faking a form and posting from a local file
> > (user.php.html)
> > after editing a few fields like the avatar picture
> > for example,
> > it is possible to escape certain dirs with the
> > ../../../../dir/pic.gif
> > in the options field.
> >
> > (-- This is a local html file and set to post to
> > user.php on the target
> > server --)
> > (no this is not a tag :P )
> >
> > 001.gif
> > 002.gif
> >
> > This tells user.php to save the avatar path as
> > http://www.target.com/../../../dir_on_server/anyfile.ext
> > and loads the file
> > when the user info of the attacker is viewed.
> >
> > As we know webbugs (invisible or visible pics) can be
> > used for tracing.
> >
> > The preview of the Registration Form allows
> > Javascript in the
> > body (not the user.php), but it does not allow ' or
> > ". BUT you can use /
> > instead of '
> > so this helps to fill in variables in javascript.
> >
> > This can damage the site and make it look ugly.
> >
> > I couldn't be bothered to look at the rest of
> > phpnuke...
> >
> > Tested on phpnuke v5.0
> >
> > Firstly discovered by: dinopio
> >
> > =================================================
> > Andreas Constantinides (MegaHz)
> > Owner - Admin of cHp - http://www.cyhackportal.com
> > megahzat_private
> > ICQ#: 30136845
> > =================================================
>
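As an added illustration, not code from the report or from PHP-Nuke itself: the two flaws MegaHz describes, a profile field echoed into the userinfo page without filtering and an avatar file name taken verbatim from a posted form, shown beside one way to close each. The function names, the "interests" field and the images/avatar directory are assumptions made for this example; the inputs are constructed to match the shapes given in the report.

```php
<?php
// Added example, not PHP-Nuke's own code. Function names, the "interests"
// field and the images/avatar directory are assumptions for illustration.

// Issue 1: a profile field is echoed into the userinfo page without
// filtering, so a tag typed into the field is rendered as markup.
function render_interests_vulnerable(string $interests): string
{
    return "<td>$interests</td>";
}

// Hardened: encode on output so < > " ' & become inert entities.
function render_interests_safe(string $interests): string
{
    return '<td>' . htmlspecialchars($interests, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Issue 2: the avatar file name comes from a form value that a local copy
// of the form can set to anything, and is stored under the avatar directory
// as-is, so "../" segments walk out of it.
function avatar_path_vulnerable(string $avatar): string
{
    return 'images/avatar/' . $avatar;
}

// Hardened: reduce the value to a bare file name, allow only a conservative
// character set and a .gif extension, and require the file to exist inside
// the avatar directory. Anything else is rejected (null).
function avatar_path_safe(string $avatar, string $avatarDir): ?string
{
    $name = basename($avatar);
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}\.gif$/', $name)) {
        return null;
    }
    $candidate = $avatarDir . DIRECTORY_SEPARATOR . $name;
    // realpath() resolves symlinks and "..", so a final prefix check
    // guarantees the resolved file really lives under the avatar directory.
    $real = realpath($candidate);
    $root = realpath($avatarDir);
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs in the shape the report describes.
$interests = '<img src=http://www.anything.com/defaced.gif>';
$avatar    = '../../../dir_on_server/anyfile.ext';

// Temporary avatar directory holding one legitimate file, so the demo
// runs anywhere without a PHP-Nuke install.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatar_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . '001.gif', 'GIF89a');

echo "interests, vulnerable: ", render_interests_vulnerable($interests), "\n";
echo "interests, safe:       ", render_interests_safe($interests), "\n";
echo "avatar, vulnerable:    ", avatar_path_vulnerable($avatar), "\n";
echo "avatar, safe:          ", var_export(avatar_path_safe($avatar, $dir), true), "\n";
echo "avatar, safe (valid):  ", var_export(avatar_path_safe('001.gif', $dir), true), "\n";

unlink($dir . DIRECTORY_SEPARATOR . '001.gif');
rmdir($dir);
```

The two hardened functions apply the usual rules for this class of bug: encode untrusted data at the point where it is written into HTML rather than trying to strip tags on input, and never build a filesystem or URL path from a client-supplied string without first reducing it to a known-good file name and checking the resolved result against the intended directory.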
This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 13:17:53 PDT