Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Bypass XSS filter in PHPNUKE 7.9=>x

From: Paul Laudanski <zx () castlecops com>
Date: Fri, 16 Dec 2005 20:21:07 -0500 (EST)
On 14 Dec 2005 max () jestsuper pl wrote:


[Bypass XSS filter in PHPNUKE 7.9=>x cXIb8O3.21]

2.0 http://[HOST]/[DIR]/modules.php?name=Search

Insert:

<iframe src=http://securityreason.com?phpnuke79 <

And have you xss.

2.1 http://[HOST]/[DIR]/modules.php?name=Web_Links

Insert:

<iframe src=http://securityreason.com?phpnuke79 <

      foreach ($_POST as $secvalue) {
              if ((eregi("<[^>]*iframe*\"?[^>]*", $secvalue)) ||
              (eregi("<[^>]*object*\"?[^>]*", $secvalue)) ||
              (eregi("<[^>]*applet*\"?[^>]*", $secvalue)) ||
              (eregi("<[^>]*meta*\"?[^>]*", $secvalue)) ||
              (eregi("<[^>]*form*\"?[^>]*", $secvalue)) ||
              (eregi("<[^>]*img*\"?[^>]*", $secvalue)) ||
              (eregi("<[^>]*onmouseover*\"?[^>]*", $secvalue)) ||
              (eregi("<[^>]script*\"?[^>]*", $secvalue)) ||
              (eregi("<[^>]*body*\"?[^>]*", $secvalue)) ||
              (eregi("<[^>]style*\"?[^>]*", $secvalue))) 
              {
                      die ($htmltags);
              }
      }

thx nukefixes.com


- --- 4. Greets ---

sp3x, nukefixes.com
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com


Thanks for the information but the filtering doesn't make any sense.  Any 
data that is accepted is to be considered tainted and dealt with 
appropriately.  This doesn't apply to just Web_Links or Search modules, 
but also other modules such as Forums.

If I take your exact example code:

<iframe src=http://securityreason.com?phpnuke79 <

And post it to a forum post in a [CODE][/CODE] block to discuss, I'll be 
thrown an exception per your code because it'll be caught by your HTTP 
POST filtering.  

What you need to do is use htmlentities or htmlspecialchar to sanitize 
data before it's displayed to the user.  Your "fix" will easily break many 
sites that are focused on programming discussions.  Its important to know 
how to "filter" input properly.

One other problem is you are removing the stock filters from being called 
upon if ADMIN_FILE is defined.  Problem here is if the admin's account 
gets hijacked, there is no code to prevent admin from instantiating a 
malformed request or post.  XSS, CRSF, you name it...

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
Previous By Date Next
Previous By Thread Next

Current thread: