 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 93
 Members: 0
 Total: 93
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
new exploit: $content |
|
 Posted: Sun Jul 11, 2004 3:54 pm |
 |
|
| genoxide |
| Regular user |
 |
|
| Joined: Jun 14, 2004 |
| Posts: 15 |
|
|
|
 |
|
 |
|
I was working on my new project and i found that the $content var in several blocks doesn't get parse correctly.
what i mean?
Open block-Survey.php and you will see:
| Code: | $content .= "<form action=\"modules.php?name=Surveys\" method=\"post\">";
$content .= "<input type=\"hidden\" name=\"pollID\" value=\"".$pollID."\">";
$content .= "<input type=\"hidden\" name=\"forwarder\" value=\"".$url."\">"; |
You see the dot (.) after $content? thats wrong, it should be
| Code: | $content = "<form action=\"modules.php?name=Surveys\" method=\"post\">";
$content .= "<input type=\"hidden\" name=\"pollID\" value=\"".$pollID."\">";
$content .= "<input type=\"hidden\" name=\"forwarder\" value=\"".$url."\">"; |
Proof?
 |
|
|
|
|
|
|
|
|
| Posted: Sun Jul 11, 2004 8:47 pm |
|
|
| SteX |
| Advanced user |
 |
|
| Joined: May 18, 2004 |
| Posts: 181 |
| Location: Serbia |
|
|
|
|
|
|
| good work genoxide...i also found some exploits on nukecops..i will post tham later..!!! |
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
| Posted: Mon Jul 12, 2004 5:37 pm |
|
|
| madman |
| Active user |
 |
|
| Joined: May 24, 2004 |
| Posts: 46 |
|
|
|
|
|
|
|
|
_________________
ch88rs,
madman |
|
|
|
| Posted: Tue Jul 13, 2004 4:08 pm |
|
|
| genoxide |
| Regular user |
|
|
| Joined: Jun 14, 2004 |
| Posts: 15 |
|
|
|
|
|
|
|
| Even if it's a local variable, it still can be used for XSS |
|
|
|
|
| Posted: Tue Jul 13, 2004 8:38 pm |
|
|
| madman |
| Active user |
|
|
| Joined: May 24, 2004 |
| Posts: 46 |
|
|
|
|
|
|
|
| genoxide wrote: | | Even if it's a local variable, it still can be used for XSS |
Hmmm...
It doesn't make sense to me. 
First, unitialized $content only appeared in few standard blocks and can simply overriden by next block. Second, How do you XSS such thing? Hook your XSS code to blocks() function? Creating another block?
Please tell me, 'coz you're the "founder" of this "exploit".  |
|
_________________
ch88rs,
madman |
|
|
|
| Posted: Tue Jul 13, 2004 9:05 pm |
|
|
| genoxide |
| Regular user |
|
|
| Joined: Jun 14, 2004 |
| Posts: 15 |
|
|
|
|
|
|
|
No need for irony, heh
try this on a non patched phpnuke site index.php?content=%253cscript>alert%2528document.cookie);%253c/script>
You will see that you are getting the cookies in a js alert |
|
|
|
|
| Posted: Wed Jul 14, 2004 4:05 pm |
|
|
| Jeruvy |
| Regular user |
 |
|
| Joined: Jun 17, 2004 |
| Posts: 6 |
|
|
|
|
|
|
|
| genoxide wrote: | | Even if it's a local variable, it still can be used for XSS |
Call me skeptical but I'd like to see a PoC.
Thanks, |
|
|
|
|
| Posted: Fri Jul 16, 2004 3:50 am |
|
|
| madman |
| Active user |
|
|
| Joined: May 24, 2004 |
| Posts: 46 |
|
|
|
|
|
|
|
Genoxide. well done, m8. 
The problem is, the string displayed as is in survey. Yeah it displayed as "%253cscript>alert%2528document.cookie);%253c/script" no matter I tried to modify the hex or change php settings. I tried this in both local and remote server. Maybe I need to setup some Apache settings to accept uri hex.  |
|
_________________
ch88rs,
madman |
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
