xisto Community
iGuest

PHP-Nuke Cross-Site Scripting Vulnerabilities, Alert

Janek Vind "waraxe" has reported two vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks.

Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

Example:

http://forums.xisto.com/no_longer_exists/

http://forums.xisto.com/no_longer_exists/

It has also been reported that the full path to some scripts can be disclosed.

Example:

http://forums.xisto.com/no_longer_exists/

http://forums.xisto.com/no_longer_exists/

http://forums.xisto.com/no_longer_exists/

http://forums.xisto.com/no_longer_exists/

The vulnerabilities have been reported in versions 6.x through 7.6. Other versions may also be affected.

Solution:

Edit the source code to ensure that input is properly sanitised. Production systems should not return error messages to clients.

Provided and/or discovered by:

Janek Vind "waraxe"
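As an added example (not PHP-Nuke's code and not part of the advisory), the two fixes the Solution section calls for, written in PHP: HTML-encode a reflected parameter before echoing it, and keep PHP error output, which carries full script paths, out of client responses. The function names, the `q` parameter and the sample request are all hypothetical.

```php
<?php
// Added illustration of the advisory's two fixes; not PHP-Nuke code.
// Function names, the "q" parameter and the sample request are made up.
declare(strict_types=1);

// Vulnerable pattern: a query-string value is reflected straight into HTML,
// so any markup or script the client sends comes back as live markup.
function reflect_unsafe(array $get): string
{
    $q = $get['q'] ?? '';
    return "<p>You searched for: {$q}</p>";
}

// Hardened pattern: encode for the HTML text context. ENT_QUOTES covers both
// quote styles (so the value is also safe inside a quoted attribute),
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8,
// and the charset is stated explicitly rather than left to php.ini.
function reflect_safe(array $get): string
{
    $q = htmlspecialchars((string)($get['q'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>You searched for: {$q}</p>";
}

// Production error handling: PHP's own warnings include the absolute path of
// the failing script, which is the path disclosure the advisory describes.
// Send errors to the log and keep the response body free of them.
function configure_production_errors(): void
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
        error_log("php error [{$no}] {$msg} in {$file}:{$line}");
        return true; // handled here; nothing is written to the output
    });
}

// Constructed sample request demonstrating the difference.
configure_production_errors();
$sample = ['q' => '<script>alert(1)</script>'];
echo reflect_unsafe($sample), "\n"; // tag is delivered to the browser as markup
echo reflect_safe($sample), "\n";   // delivered as inert text: &lt;script&gt;...
```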
