Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: PHP :: bt407.txt

Cross site scripting in Post-Nuke

Issue :

Cross site scripting in Post-Nuke

Version affected :

Post Nuke

Description :

Post-Nuke is a content management system that allow
you to deploy a website easily . Its developers claim
that their product is more secure than competitors .

I found three places when a script can be injected to
be executed in the context of the webpage , making possible
to steal user cookies and hijack their sessions .

Solution :

Althoug I am not a php developer , I think filtering of all not
alfanumeric characters is needed , not just filtering script
tags passed to vars in the url .


You can find a spanish version of this advisory at

Regards ,

David F. Madrid ,
Madrid , Spain

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH