PHP-Nuke Journal Module JavaScript Injection

2004-06-23T00:00:00
ID OSVDB:7234
Type osvdb
Reporter Janek Vind "waraxe" (come2waraxe@yahoo.com)
Modified 2004-06-23T00:00:00

Description

Vulnerability Description

PHP-Nuke contains a flaw that may allow a remote attacker to inject arbitrary JavaScript into a journal entry. The flaw is due to the Journal module not properly sanitizing journal entry input. By creating a new journal entry that contains malicious JavaScript, an attacker can have it executed with the privileges of any other user (including an administrator) who lists or reads the journal entry.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

When anyone (including admins) lists specific journal entries:

http://[victim]/nuke73/modules.php?name=Journal&file=search&bywhat=aid&forwhat=waraxe

or reads it:

http://[victim]/nuke73/modules.php?name=Journal&file=display&jid=2

the injected JavaScript can perform any action an attacker desires.
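
The search listing and the entry display named above are the two places where stored journal fields reach another user's browser. The sketch below is an added example, not PHP-Nuke source and not part of the advisory; it contrasts echoing stored fields as-is with encoding them at output time in both views. The function names and the `title` and `bodytext` field names are assumptions; `jid` and `aid` are taken from the URLs above.

```php
<?php
declare(strict_types=1);

// Encode a stored value for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": stored fields are echoed as-is, so markup in them becomes page markup.
function render_entry_unsafe(array $row): string
{
    return "<h2>{$row['title']}</h2>\n<div class=\"body\">{$row['bodytext']}</div>";
}

// "After" for the display view: every stored field is encoded at output time.
function render_entry(array $row): string
{
    return '<h2>' . e($row['title']) . "</h2>\n"
         . '<div class="body">' . nl2br(e($row['bodytext'])) . '</div>';
}

// "After" for the search/list view: same rule, plus an integer-cast id in the link.
function render_list_item(array $row): string
{
    $href = 'modules.php?name=Journal&file=display&jid=' . (int) $row['jid'];
    return '<li><a href="' . e($href) . '">' . e($row['title']) . '</a> by '
         . e($row['aid']) . '</li>';
}

// Constructed sample row; the harmless alert() stands in for injected script.
$row = [
    'jid'      => 2,
    'aid'      => 'waraxe',
    'title'    => 'Trip notes <script>alert(1)</script>',
    'bodytext' => "Line one\n<img src=x onerror=alert(1)>",
];

echo render_entry_unsafe($row), "\n\n"; // tags reach the browser intact
echo render_entry($row), "\n\n";        // same data arrives as inert text
echo render_list_item($row), "\n";
```

Encoding at output rather than at input also neutralizes entries that were stored before any fix was in place.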

References:

Vendor URL: http://phpnuke.org
Secunia Advisory ID: 11920
Related OSVDB IDs: 7224, 7226, 7229, 7223, 7227, 7230, 7232, 7233, 7235, 7236, 7225, 7228, 7231
Other Advisory URL: http://www.waraxe.us/?modname=sa&id=033
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0739.html