Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: web5749.htm

Multiple XSS Vulns in PHPNuke



15th Oct 2002 [SBWID-5749]
COMMAND

	Multiple XSS vulnerabilites in PHPNuke

SYSTEMS AFFECTED

	PHPNuke 6.0

PROBLEM

	Thanks    to    vulnerabilities    discovered    by    Bruno    Morisson
	[morisson@genhex.org] and Pedro  Inacio  [pedro.inacio@ptnix.com],  they
	say :
	

	We  have  found  7  diferent  cross-site-scripting  vulnerabilities   in
	PHPNuke 6.0 which allow for anyone to steal the  authentication  cookies
	from users and Administrators. Some of  them  include  several  ways  to
	insert scripting into the site, so they're  quite  a  few  more  than  7
	(actually 22 input boxes). Most of them are *VERY CRITICAL*  since  they
	are totally directed to the Administrators, unless they view the  source
	of the HTML page carefully.
	

	 1] RDF/RSS Parser (Risk: medium)

	

	PHP-Nuke's rdf/rss parser doesn't  strip  html  tags  when  parsing  RSS
	files. The <title> tag isn't stripped, so if it  contains  any  valid
	HTML or scripting, the user's browser will run the script.
	

	As a proof of concept, go to your account on a  php-nuke  site,  and  on
	your prefered site just put some URL with an rdf file with an item  like
	this one:
	 

	<item rdf:about="http://www.somesite.dom">

	<title><script>alert('cookie: '+ document.cookie)</script></title>

	<link>http://www.somesite.dom/>

	<description>Puke It</description>

	</item>

	

	We     have     one     rdf     file     like      that      one      at
	http://www.genhex.org/php-puke.rdf
	

	

	 2] Private Messages (Risk: critical)

	

	Private messages module allows for html in the body. although it  strips
	<script> tags, it allows for events on <a href>  tags.  hence,  on
	the message body just write:
	 

	<a href="X" onmouseover="alert(document.cookie">x</a>

	

	I leave up to your imagination more interesting ways to explore this.
	

	

	 3] Journal (Risk: critical)

	

	The  journal  doesn't  strip  html  tags.   period.   Put   "<script>
	alert(document.cookie)</script>" somewhere (in the title  for  better
	effect :)) and when someone goes to see your journal,  the  script  will
	be run.
	

	

	 4] Your Info (Risk: critical)

	

	Most fields on the "Your Info" section of  don't  strip  html  tags,  or
	don't correctly validate input.
	

	On Your HomePage, you can put an  URL  to  some  site.  PHPNuke  doesn't
	correcty validate the data.  You  can  do  some  "HTML  Injection",  for
	instance, insert as your URL:
	 

	http://x/" onmouseover="alert(document.cookie)

	

	PHPNuke will turn this into: <a href="http://x/" onmouseover="alert(document.cookie)">http://x/" onmouseover="alert(document.cookie)</a>

	

	It's not very stealthy, but most users will  probably  put  their  mouse
	over it anyway. You must keep  the  URL  as  small  as  possible,  since
	phpnuke will truncate the URL, thus it will not work.
	

	The next fields don't strip tags:
	 

	Real Name

	Fake Email

	Your Location

	Your Interests

	Your Occupation

	Signature

	

	These  ones  allow  for  <script>  tags,  thus  turning  the   attack
	completely transparent to the victim.
	

	The "real name"  and  "fake  email"  fields  are  even  more  dangerous,
	because if someone lists the users, the script  will  be  executed.  All
	the others require the victim to go to the attacker's info page.
	

	

	 5] Search (Risk: Low)

	

	This is a low risk CSS bug, since as far as we could tell the user  must
	put the script himself on the search  field.  Anyway,  the  box  doesn't
	correctly strips the query string, altough it does if it is submited  as
	a GET request...
	

	

	 6] Downloads (Risk: Critical)

	

	This module accepts <a href> events  in  the  fields:  Program  Name,
	File Link, Author's Name, Author's Email, and Homepage.
	

	Any user that can submit a download can insert some javascript in  those
	fields. When an Admin goes to  check  the  download,  depending  on  the
	event,  javascript  will  be  executed.  Most  fields  will  look   very
	suspitious, except for File Link. File Link will look perfectly  normal.
	If the Admin puts his mouse over the link (or other event)  by  accident
	(or on purpose), you can steal his cookie.
	 

	

	 7] Web Links (Risk: Critical)

	

	Exactly the same as the Downloads module.
	

	

SOLUTION

	?
	

	 Workaround

	 ==========

	

	The obvious workaround to most of the  bugs  is  to  use  "strip_tags()"
	everywhere.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH