[25266] in bugtraq
Re: More Cross site Scripting in PHPNuke
daemon@ATHENA.MIT.EDU (chkumite chkumite)
Fri Apr 26 01:12:49 2002
From: "chkumite chkumite" <chkumite@hotmail.com>
To: replugge@alcoholico.org, bugtraq@securityfocus.com, info@securiteam.com,
submissions@packetstormsecurity.org
Date: Wed, 24 Apr 2002 13:07:24 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F171VSRvQjLk469K5iF00006d68@hotmail.com>
>Subject: More Cross site Scripting in PHPNuke
>Date: 23 Apr 2002 09:50:48 +0200
>
>Cross site scripting is a serious problem, (even if some people
>doesn't believe it), On this second round i'll show 8 new XSS
>vulnerabilities in PHP Nuke (most of them are also path disclosure
>vulns)
u can do other thing but it isn't exploitable :(
a local hack:
In the search input, you write: "><h1><marquee>Hacked by
Shaolinn</marquee></h1><"
The php file request the input, and finally write the html page something
like this:
<input type="text" name="search" value="$search_input_requested">
then when i write ">anyhtmlthing<" i am injecting html.
really this have not any utility :) but, you can learn how injection works.
-- Shaolinn --
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
