Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: sb5965.htm

PHP-Nuke Avatar Code injection vulnerability



3rd Feb 2003 [SBWID-5965]
COMMAND

	PHP-Nuke Avatar Code injection vulnerability

SYSTEMS AFFECTED

	PHP Nuke versionh 6.0 and below

PROBLEM

	Thanks          to           delusion           [delusi0n@bellsouth.net]
	[http://www.digital-delusions.com] advisory :
	
	--snip--
	
	Allows any user to inject their own HTML or  Java  code  instead  of  an
	avatar image. This can lead to very annoying forum posts, and the  usual
	XSS tricks.
	
	 Summary:
	 -------------------------------------------
	
	When users sign up, they are asked to select an avatar from  a  list  of
	available avatars in the website's  /images/forum/avatars  folder.  When
	PHP Nuke inserts  the  image  name  of  the  selected  avatar  into  the
	database, it does not perform any tag or code checks. So therefore if  a
	user gets the site's <form> code and changes the  avatar  <select>
	box into a text box, he can enter  HTML  or  java  code  which  will  be
	entered into the database and displayed wherever the  avatar  is  shown.
	This can lead to very annoying forum posts, and to the theft  of  users'
	cookies using XSS.
	
	 Exploit:
	 -------------------------------------------
	
	After you register on the vulnerable PHP Nuke site, login, then  on  the
	"Your Account" page click "Your Info",  view  source,  then  search  for
	"uid", you should find something like this..
	
	<input type="hidden" name="uid" value="2273">
	
	The number you see for value, is your user id. After you got  your  user
	id, Launch this html code.. (make sure u change http://NUKESITE  to  the
	url of the vulnerable site)
	
	<!-- START CODE --!>
	<form name="Register"
	action="http://NUKEDSITE/modules.php?name=Your_Account" method="post">
	
	<b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30"
	maxlength="30"><br><br>
	
	<b>Username</b><input type="text" name="uname" size="30"
	maxlength="255"><br><b>User ID:<input type="text" name="uid"
	size="30"><input type="hidden" name="op" value="saveuser"><input
	type="submit" value="Save Changes"></form>
	<!-- END CODE --!>
	
	When you launch it, type in your code, which must start  with  `">`.  it
	doesnt matter how it ends, you can put a '<b ' at  the  end,  so  you
	dont get any broken code. Type in your username and user ID, then  click
	submit, and  u  will  be  taken  to  the  "Your  Account"  page  on  the
	vulnerable Nuked site. At this point you  should  be  able  to  see  the
	result of your code. Now anywhere that your  avatar  will  be  used,  it
	will execute the code. ;)
	
	BTW the code you put in can only  be  30  characters  long  due  to  the
	field's specified length in the database.
	
	heres a sample of what u can enter..
	
	"><h1>TESTING</h1><b
	
	That will cause "TESTING" to appear in big letters wherever your  avatar
	is used.
	
	There is a space after "<b" so make sure to put that in,  or  u  will
	get ugly broken code. ;)

SOLUTION

	Get PHP Nuke 6.5


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH