COMMAND

	Many scripting language IMG tag XSS vulnerability

SYSTEMS AFFECTED

	 Xoops RC3.0.4

	 PHP-Nuke 6.0

	 NPDS 4.8 SuperCache

	 daCode 1.2.0

	 Drupal 4.0.0

	 phpWebSite 0.8.3

PROBLEM

	In David Suzanne (aka dAs) [das@echu.org] advisory :
	

	 http://www.echu.org/modules/news/article.php?storyid=97

	

	After  having  sent  ECHU  alert  on   "Xoops   RC3   script   injection
	vulnerability"
	(http://www.echu.org/modules/news/article.php?storyid=95),   I   realize
	that it's not  a  XOOPS  problem  (Kazumi  Ono,  XOOPS  Developper,  and
	Jan304, XOOPS Dutch Support, confirmed this) but a html problem that  is
	hard to fix and can be misuse in almost every cms.
	

	The problem appears when a user post a news, a vulnerability  exists  in
	these CMS that allow a typical IMG attack against visitors :
	

	<IMG SRC="javascript:alert('unsecure')"> 

	

	In order to test this vulnerability, you can go  on  websites  that  use
	these CMS, post a news with this code and see the result.
	

	A badly disposed member can propose a  news  containing  code  (for  une
	news containing code sample of a new vulnerability for example)  and  if
	webmasters or moderators don't take care, they will approve the news.

SOLUTION

	There's no secure release of these CMS, so the unique  solution  is,  at
	this moment, to disable Html, in each news post, to avoid  the  problem.
	The "removehack" from NPDS doesn't fix the problem  even  if  NPDS  team
	tell it does.
	

	 Links

	 =====

	

	XOOPS: http://www.xoops.org

	PHP-NUKE: http://www.php-nuke.org

	NPDS: http://www.npds.org

	daCode: http://www.dacode.org

	Drupal: http://www.drupal.org

	phpWebSite: http://phpwebsite.appstate.edu

	Blocus Advisory on NPDS: http://www.blocus-zone.com/modules/news/article.php?storyid=132