Cenzic 232 Patent
Paid Advertising
web application security lab

PHP-Nuke XSS vulnerability

No sooner had I written the words PHP-Nuke in my last post an XSS vulnerability popped up in it. This post shows that the input parameters are not properly sanitized. This is a pretty common issue, although I really never talk about it on my XSS page, but it happens regularly that you are “trapped” within quotes. Luny had this happen to him in a different way where he was outside of quotes but wasn’t allowed to use them because they were escaped on this post about the E-Dating System XSS exploit.

This is really not that complicated to get out of, but it does require some ingenuity. This exact thing happened to me when I was “auditing” my girlfriend’s website when we were first getting together. She had a pretty crappy PHP script she had built from scratch to make a graffiti board and had thought ahead and had attempted to stop XSS by escaping quotes. Well it was pretty trivial to do something like use stringfromcharcode or escape the escapes, etc. Ultimately this is very weak prevension and people should stay away from it. Actually as a general rule of thumb you should stay away from anything that attempts to sanitize output because that usually just changes the attack vector rather than fixing it outright.

/RSnake

2 Responses to “PHP-Nuke XSS vulnerability”

  1. Luny Says:

    Good post, i’m not surprised php-nuke has another vulnerability tho, hehe.

  2. Tontonq Says:

    you may try >iframe src=javascript:alert();> too