Saturday, August 4, 2007

PHP-Nuke Encyclopedia Module Multiple Function XSS

OSVDB ID: 6998
Disclosure Date: Jun 11, 2004


Description:
PHP-Nuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate ltr, eid, and query variables upon submission to the Encyclopedia module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.



Vulnerability Classification:
Remote/Network Access Required
Input Manipulation
Loss Of Integrity
Exploit Available
Web Related


Products:
Francisco Burzi PHP-Nuke 6.x

Francisco Burzi PHP-Nuke 7.3



Solution:
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.



Manual Testing Notes:
http://[victim]/nuke73/modules.php?name=Encyclopedia&op=terms&eid=1&ltr=[XSS CODE]

http://[victim]/nuke73/modules.php?name=Encyclopedia&file=search&eid=[XSS CODE]

http://[victim]/nuke73/modules.php?name=Encyclopedia&file=search&query=f00bar&eid=[XSS CODE]

http://[victim]/nuke73/modules.php?name=Encyclopedia&op=content&tid=774&page=2&query=[XSS CODE]
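
Detection sketch for the request patterns above, added here as an example (not part of the original advisory and not PHP-Nuke code): it scans web server access logs for Encyclopedia module requests whose ltr, eid, or query values fall outside an allow-list. The allow-list rules, function names, and log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters the advisory names as unvalidated in the Encyclopedia module.
# The allow-lists are assumptions about intended values, not PHP-Nuke's own rules.
ALLOWED = {
    "eid": re.compile(r"\d{1,10}"),            # assumed: numeric entry id
    "ltr": re.compile(r"[A-Za-z0-9]"),         # assumed: a single index letter
    "query": re.compile(r"[^<>\"'`]{0,200}"),  # assumed: search text without markup
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return Encyclopedia parameters whose decoded value breaks the allow-list."""
    parts = urlsplit(url)
    if not parts.path.endswith("/modules.php"):
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes values
    if ("name", "Encyclopedia") not in params:
        return []
    bad = []
    for key, value in params:
        rule = ALLOWED.get(key)
        if rule is not None and not rule.fullmatch(value) and key not in bad:
            bad.append(key)
    return bad


def scan_log(lines):
    """Yield (line_number, url, flagged_parameters) for each suspicious request."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            flagged = suspicious_params(match.group(1))
            if flagged:
                yield number, match.group(1), flagged


# Constructed sample log lines; client addresses are from a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2004:10:00:01 +0000] "GET /nuke73/modules.php?name=Encyclopedia&op=terms&eid=1&ltr=A HTTP/1.1" 200 5120',
    '192.0.2.44 - - [11/Jun/2004:10:00:07 +0000] "GET /nuke73/modules.php?name=Encyclopedia&op=terms&eid=1&ltr=%3Cb%3Ex HTTP/1.1" 200 5333',
    '192.0.2.44 - - [11/Jun/2004:10:00:09 +0000] "GET /nuke73/modules.php?name=Encyclopedia&file=search&query=f00bar&eid=%22%3E%3Ci%3E HTTP/1.1" 200 4711',
    '192.0.2.10 - - [11/Jun/2004:10:00:15 +0000] "GET /nuke73/modules.php?name=News&query=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(list(scan_log(SAMPLE_LOG)))
```

The same allow-list can serve as server-side input validation in front of the module; values echoed into the page still need HTML output encoding.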





External References:

CVE ID: 2004-2293
National Vulnerability Database: CVE-2005-1023
CVE ID: 2005-1023
Bugtraq ID: 10524
Related OSVDB ID: 6997
Related OSVDB ID: 6999
Related OSVDB ID: 7000
Related OSVDB ID: 7001
Related OSVDB ID: 7002
Related OSVDB ID: 7003
ISS X-Force ID: 16406
Secunia Advisory ID: 11852
Other Advisory URL: http://www.waraxe.us/index.php?modname=sa&id=32
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0038.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0310.html


Credit:

Janek Vind "waraxe" - Personal Page
