[21939] in bugtraq


SERIOUS BUG IN PHPNUKE

daemon@ATHENA.MIT.EDU (MegaHz)
Fri Jul 27 14:02:46 2001

Message-ID: <003e01c116aa$850a9840$0100a8c0@cytanet.com.cy>
From: "MegaHz" <costcon@cytanet.com.cy>
To: <VULN-DEV@securityfocus.com>, <INCIDENTS@securityfocus.com>,
        <bugtraq@securityfocus.com>
Cc: <mc2@securitywire.com>
Date: Fri, 27 Jul 2001 17:41:01 +0300
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Yes, phpnuke.org was contacted....

First take a look at:
http://phpnuke.org/user.php?op=userinfo&uname=MegaHz


Then, read this.................
PHPnuke Bugs.

After testing just a few scripts on phpnuke I have noticed the following:

Some fields in the registration form allow  code
and fail to filter out the tags.
e.g Interests:  src=http://www.anything.com/defaced.gif>

Also when faking a form and posting from local file (user.php.html)
after editing a few fields like the avatar picture for example,
it is possible to escape certain dirs with the ../../../../dir/pic.gif
in the options field.

(-- This is a local html file and set to post to user.php on the target
server --)
  (no this is not a tag :P )


001.gif
002.gif



This tells user.php to save the avatar path as
http://www.target.com/../../../dir_on_server/anyfile.ext and loads the file
when the user info of the attacker is viewed.

As we know webbugs (invisible or visible pics can be used for tracing)

The preview of the Registration Form allows Javascript in the
body (not the user.php) but it does not allow ' or " . BUT you can use /
instead of '
so this helps to fill in variables in javascript.

This can damage the site and make it look ugly.

I couldn't be bothered to look at the rest of phpnuke...


Tested on phpnuke v5.0

First discovered by: dinopio



=================================================
Andreas Constantinides (MegaHz)
Owner - Admin of cHp - http://www.cyhackportal.com
megahz@cyhackportal.com
ICQ#: 30136845
=================================================
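The two weaknesses the post describes (profile fields that keep HTML tags, and an avatar path that is stored as submitted so "../" sequences escape the avatar directory) both come down to trusting form input. The following is an added example written for this archive page, not code from PHP-Nuke or from the poster: it shows the server-side checks a profile handler would apply before storing those fields. The function names, the allowed-avatar list (built from the 001.gif/002.gif names in the post) and the sample inputs are assumptions for the demonstration.

```php
<?php
// Added defensive example (not PHP-Nuke code). Assumed names:
// sanitize_profile_text(), validate_avatar(), $ALLOWED_AVATARS.

// The set of avatar files the registration form actually offers.
// Constructed for this example from the file names in the post.
$ALLOWED_AVATARS = ['001.gif', '002.gif'];

// Free-text fields such as "Interests": remove tags, bound the length and
// escape what remains so <img ...> or <script> is shown literally, never
// rendered when another user views the profile. ENT_QUOTES also escapes
// ' and ", which covers the quote-based injection the post mentions.
function sanitize_profile_text(string $input, int $maxLen = 255): string
{
    $text = strip_tags($input);
    $text = substr($text, 0, $maxLen);
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Avatar: the only acceptable value is one of the names the form offers.
// A bare-name regex rejects "/", "..", and "http://..." outright, and the
// strict allowlist comparison means a forged local copy of the form cannot
// point the stored path at an arbitrary file on the server.
function validate_avatar(string $submitted, array $allowed): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.(gif|png|jpg)$/', $submitted)) {
        return null; // contains path separators, dots or a scheme
    }
    if (!in_array($submitted, $allowed, true)) {
        return null; // not one of the files the form presents
    }
    return $submitted;
}

// Demonstration on constructed inputs modelled on the post.
$samples = [
    'interests' => '<img src=http://www.anything.com/defaced.gif> likes php',
    'avatars'   => ['001.gif', '../../../../dir_on_server/anyfile.ext', 'http://www.target.com/x.gif'],
];

echo "interests -> [", sanitize_profile_text($samples['interests']), "]", PHP_EOL;
foreach ($samples['avatars'] as $avatar) {
    $result = validate_avatar($avatar, $ALLOWED_AVATARS);
    echo "avatar ", $avatar, " -> ", $result === null ? 'rejected' : 'stored as ' . $result, PHP_EOL;
}
```

Run with `php example.php`: the Interests value comes back with the image tag removed and the remaining text escaped, `001.gif` is accepted, and both the traversal string and the external URL are rejected. Validating against the list the form offers, rather than trying to strip "../" from whatever arrives, is the key design choice; stripping leaves room for encodings the filter did not anticipate, while an allowlist has nothing to bypass.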

