Author: Janek Vind "waraxe"
Date: 23. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=23


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is popular freeware content management system, written in php by
Francisco Burzi. This CMS (Content Management System) is used on many thousands
websites, because it`s free of charge, easy to install and has broad set of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1 - all scripts in "admin/links/" directory are not protected against direct access

Example:

http://localhost/nuke72/admin/links/links.blocks.php?radminsuper=1

... and we will see standard php error messages, revealing full path to script:

Fatal error: Call to undefined function: adminmenu() in D:apache_wwwroot
uke72adminlinkslinks.blocks.php on line 16



B. Cross-site scripting aka XSS:

PhpNuke has built-in filtering against XSS exploits, so additional measures must be used
for successful cross-site scripting.

B1 - XSS through unsanitaized user submitted variable "year" in Statistics module

http://localhost/nuke72/modules.php?name=Statistics&op=DailyStats&year=[xss code here]&month=12



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to http://www.gamecheaters.us staff!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2005-01-06 (2445 reads)