Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: tb11878.htm

PHP-Nuke (ALL versions) Multiple XSS and HTML injection



PHP-Nuke (ALL versions) Multiple XSS and HTML injection
PHP-Nuke (ALL versions) Multiple XSS and HTML injection



PHP-Nuke ALL versions Search Module multiple XSS and HTML injection
-------------------------------------------------------------------

The well-known PHP-Nuke CMS is vulnerable to multiple XSS attacks and HTML injections through the Search Module.

The request is made using POST, but the whole process can be automatized creating an ad-hoc page to send to the victim with an auto-submitting forum using POST as method and the vulnerable URL (http://vulnsite.com/modules.php?name=Search) as ACTION. 

Both the XSS and the HTML injection work on IE 6/7 and Firefox (ALL versions), with every server and php.ini configuration.

You may use the following queries for testing.

*XSS*:

src=http://www.microsoft.com/404.jpg style=display:none onerror=XSS_HERE < 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH