PHP-Nuke PhotoADay Module Input Validation Error Variable XSS

2004-08-21T00:00:00
ID OSVDB:9161
Type osvdb
Reporter King Of Love(leavesky@hotmail.com)
Modified 2004-08-21T00:00:00

Description

Vulnerability Description

The 'PhotoADay' module for PHP-Nuke contains an input validation flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the pad_selected variable submitted to the PhotoADay script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. The vendor has been contacted. It is possible to correct the flaw by implementing the following workaround(s):

Modify the code: unset($matches); unset($loc); if (preg_match("/([OdWo5NIbpuU4V2iJT0n]) /", rawurldecode($loc=$_SERVER["QUERY_STRING"]), $matches)) { die("YOU ARE SLAPPED BY <a href=\"http://nukecops.com\">NUKECOPS</a> BY USING '$matches[1]' INSIDE '$loc'."); }

to use strip_tags() like this:

unset($matches); unset($loc); if (preg_match("/([OdWo5NIbpuU4V2iJT0n]) /", rawurldecode($loc=strip_tags($_SERVER["QUERY_STRING"])), $matches)) { die("YOU ARE SLAPPED BY <a href=\"http://nukecops.com\">NUKECOPS</a> BY USING '$matches[1]' INSIDE '$loc'."); }

Alternativley disable use of the PhotoADay module.

Short Description

The 'PhotoADay' module for PHP-Nuke contains an input validation flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the pad_selected variable submitted to the PhotoADay script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Manual Testing Notes

http://[victim]/modules.php?name=Photo_A_Day&action=single&pad_selected=44%20UNION%20SELECT%20< script>alert(document.cookie);</script>

References:

Vendor URL: http://www.photoaday.net/ Security Tracker: 1011027 Other Advisory URL: http://esikker.dk/vuls.php?action=14357 Nessus Plugin ID:14357 Keyword: PHP-Nuke module Bugtraq ID: 11009