PHP-Nuke Cross-Site Scripting Vulnerabilities

Posted on Wednesday, February 16, 2005 @ 12:57:45 UTC in Security
by Raven

crypto writes:  
Two vulnerabilities have been reported in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks. The vulnerabilities have been reported in versions 6.x through 7.6. Other versions may also be affected.

Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
More information:
Secunia - SA14289
 
 
 
 

Re: PHP-Nuke Cross-Site Scripting Vulnerabilities (Score: 1)
by chatserv on Wednesday, February 16, 2005 @ 14:15:30 UTC

http://www.scriptheaven.net

http://www.nukefixes.com/ftopicp-3901.html#3901

 
 

Re: PHP-Nuke Cross-Site Scripting Vulnerabilities (Score: 1)
by Raven (raven (_AT_) ravenphpscripts (_DOT_) com) on Thursday, February 17, 2005 @ 00:11:30 UTC


A very easy way to protect all your scripts from full path disclosures is to add this line to your .htaccess file:

php_flag display_errors off

Re: PHP-Nuke Cross-Site Scripting Vulnerabilities (Score: 1)
by chatserv
on Thursday, February 17, 2005 @ 00:24:01 UTC
http://www.scriptheaven.net

I use that by default; better to show a blank page than reveal paths. Sadly, not everyone does.

Re: PHP-Nuke Cross-Site Scripting Vulnerabilities (Score: 1)
by Raven
(raven (_AT_) ravenphpscripts (_DOT_) com) on Thursday, February 17, 2005 @ 00:33:25 UTC

If enough are interested, I will put together a custom error handler to both protect against the disclosure and display a nicely formatted error page instead of a blank.

Re: PHP-Nuke Cross-Site Scripting Vulnerabilities (Score: 1)
by chatserv
on Thursday, February 17, 2005 @ 08:57:12 UTC
http://www.scriptheaven.net

I say go for it.

Re: PHP-Nuke Cross-Site Scripting Vulnerabilities (Score: 1)
by speedx
on Thursday, February 17, 2005 @ 10:31:02 UTC
http://www.nukenews.ca.tt

ya do it :)

Re: PHP-Nuke Cross-Site Scripting Vulnerabilities (Score: 1)
by Guardian2003
on Friday, February 18, 2005 @ 03:28:57 UTC

Definitely, do it!
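
A sketch of the kind of custom error handler proposed in the comments above, as an added example that is not Raven's code or part of the original thread. It assumes PHP 7 or later; the function names log_details and render_error_page are hypothetical.

```php
<?php
// Added example (assumes PHP 7+): details go to the server log, visitor sees a generic page.
ini_set('display_errors', '0');  // runtime equivalent of the .htaccess line
ini_set('log_errors', '1');

// Log full details (message, path, line) under a random reference code.
function log_details(string $kind, string $msg, string $file, int $line): string
{
    $ref = bin2hex(random_bytes(4));
    error_log("[$ref] $kind: $msg in $file:$line");
    return $ref;
}

// Generic page: nothing from the error itself is echoed, so neither paths
// nor request-influenced strings reach the browser.
function render_error_page(string $ref): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo '<!DOCTYPE html><html><head><title>Error</title></head><body>'
       . '<h1>Something went wrong</h1><p>The problem has been logged. Reference: '
       . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8') . '</p></body></html>';
}

set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false;  // honour @ and the configured error_reporting level
    }
    $ref = log_details("error($no)", $msg, $file, $line);
    if ($no & (E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        render_error_page($ref);
        exit(1);
    }
    return true;  // warnings/notices: logged, not displayed, script continues
});

set_exception_handler(function (Throwable $e): void {
    render_error_page(log_details(get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
});

// Fatal errors never reach set_error_handler; pick them up at shutdown.
register_shutdown_function(function (): void {
    $e = error_get_last();
    if ($e && ($e['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR))) {
        render_error_page(log_details('fatal', $e['message'], $e['file'], $e['line']));
    }
});
```

The reference code lets an administrator match a visitor's report to the full log entry without the page itself revealing a path.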

 