Re: PHP-Nuke v5.6 - Users can compromise admin accts

2002-08-19 Thread Ravish .
I already brought light on this issue a few months back. I contacted the author through Private Message but never got a reply. A similar issue also exists in Post Nuke (http://www.postnuke.com). See http://www.securitytracker.com/alerts/2002/Mar/1003781.html and http://packetstorm.decept

RE: PHP-Nuke v5.6 - Users can compromise admin accts.

2002-08-16 Thread Eric Stevens
etween the <, optional /, tag name, and >. -MightyE www.mightye.org -Original Message- From: <-delusion-> [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 15, 2002 9:16 PM To: [EMAIL PROTECTED] Subject: Re: PHP-Nuke v5.6 - Users can compromise admin accts. Jelmer's accusati

Re: PHP-Nuke v5.6 - Users can compromise admin accts.

2002-08-16 Thread Konstantin Riabitsev
On Thu, 2002-08-15 at 21:16, <-delusion-> wrote: > Jelmer's accusation that my proposed fix is flawed is wrong. He demonstrates > a code that uses the tag, if you look at my solution: > > $message = strip_tags($message, ''); > > > The tag is not allowed. Only the tags are allowed. I did > ta

Re: PHP-Nuke v5.6 - Users can compromise admin accts.

2002-08-16 Thread <-delusion->
> > -- > > jelmer > > > > ----- Original Message ----- > > From: "<-delusion->" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> > > Sent: Thursday, August 15, 2002 10:30 AM > > Subject: PHP-Nuke v

Re: PHP-Nuke v5.6 - Users can compromise admin accts.

2002-08-16 Thread Jelmer
Thursday, August 15, 2002 10:30 AM Subject: PHP-Nuke v5.6 - Users can compromise admin accts. > Tested on PHP-Nuke v5.6 with Mozilla on Linux > (should work on past versions and on most browsers) > > Impact: > - > Al

PHP-Nuke v5.6 - Users can compromise admin accts.

2002-08-15 Thread <-delusion->
Tested on PHP-Nuke v5.6 with Mozilla on Linux (should work on past versions and on most browsers) Impact: - Allows any user to get admin access to a PHP-Nuke site. Summary: -- Due to an XSS flaw in PHPNuke