-------
Product: PHP-Nuke
Vendor: Francisco Burzi
Versions Vulnerable: 6.0 without patches; 6.0 with the index.php and mainfile.php patches; 5.5 with patches (all of them restricting script tags).
Not vulnerable: 6.0 with the mainfile.php patch that blocks URL tag inclusions (not all of them); 5.5 is not vulnerable via script tags, but is via all the other tags.

------
DESCRIPTION:
------
I am currently working on Nuke-based portals, looking at modules that use URL-based queries, and I found some bugs in the Statistics module: when you put a string in the URL after the &year variable, the module prints back the characters you put there. I tested iframe and it works; script tags work, object works, applet works, meta works, style works, form works too, img works, and comments and SSI work.

--------
SOLUTION:
--------
Put this code in your mainfile.php:

/*
// Scan every GET parameter and abort the request if it contains one of
// the listed HTML tags or a double quote.
// Note: $HTTP_GET_VARS was removed in PHP 5.4 (use $_GET) and eregi() was
// removed in PHP 7.0 (use preg_match() with the i modifier).
foreach ($HTTP_GET_VARS as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        die ("Oh! .");
    }
}
*/

NOTE: Remove the comment markers /* and */.

-----
WHAT CAN HAPPEN?
-----
Script and binary object inclusion. Normally it isn't a problem, but there are many viruses written in VBScript and JavaScript. An iframe can be used in a link that a user visits, and then the user is attacked through known iframe vulnerabilities. With the code that I provide you are safe from this little bug.

-----
CONTACT INFO:
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
-- www.novappc.com --
PGP: Key fingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
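The mainfile.php filter above is a tag blocklist applied to every GET parameter; the complementary fix for the Statistics module itself is to validate the single &year parameter and escape it on output. The following PHP is an added example, not PHP-Nuke's code: the function names, the echoed markup and the sample input are all constructed here, and it assumes PHP 7 or later.

```php
<?php
// Added example, not the advisory's or PHP-Nuke's code. The advisory reports
// that the Statistics module echoes the &year= query value back into the
// page unescaped; the two functions below are hypothetical stand-ins for
// that behaviour and for a hardened version.

// Vulnerable pattern as the advisory describes it: whatever is in the query
// string ends up in the HTML verbatim.
function render_year_vulnerable(array $get): string
{
    $year = $get['year'] ?? '';
    return "<b>Statistics for year: " . $year . "</b>";
}

// Hardened version: the parameter is validated against the only shape it can
// legitimately have (a four-digit year) and the output is HTML-escaped as
// well, so no markup from the URL can reach the browser even if the
// validation rule is loosened later.
function render_year_hardened(array $get): string
{
    $raw = $get['year'] ?? '';
    if (preg_match('/^\d{4}$/', $raw)) {
        $year = (int) $raw;
    } else {
        // Do not echo the rejected value; fall back to the current year.
        $year = (int) date('Y');
    }
    $safe = htmlspecialchars((string) $year, ENT_QUOTES, 'UTF-8');
    return "<b>Statistics for year: " . $safe . "</b>";
}

// Constructed sample input: a year value carrying HTML markup, the kind of
// string the advisory found being printed back by the module.
$sample = ['year' => '<i>2002</i>'];

echo render_year_vulnerable($sample), "\n"; // the <i> tags pass through untouched
echo render_year_hardened($sample), "\n";   // current year only, no markup
```

Whitelisting the parameter's shape (an integer year) removes the need to enumerate dangerous tags, which is the weakness of the blocklist approach in the mainfile.php snippet.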