VID 21248
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The PostNuke installation on the Web server is vulnerable to a cross-site scripting attack via 'user.php' or 'modules.php'.
PostNuke is a content management system backed by a MySQL database. The attack exploits a flaw that arises because strings supplied via URI parameters are insufficiently sanitized before being reflected into the page. By sending a victim a crafted URL for the modules.php or user.php script that carries embedded script in the "?op" variable, a remote attacker can cause that script to execute in the victim's browser. Exploiting this vulnerability, a remote attacker can steal the victim's cookie-based authentication credentials or hijack web content. The following URLs can be used to test whether a server is affected:

http://www.server.com/user.php?op=confirmnewuser&module=NS-NewUser&uname=%22%3E%3Cimg%20src=%22javascript:alert(document.cookie);%22%3E&email=lucas@pelucas.com
http://www.server.com/modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(document.cookie);%3E&parent_id=0
http://www.server.com/modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index

* References:
http://www.securityfocus.com/archive/1/325069

* Platforms Affected:
PostNuke Phoenix 0.7.2.3
UNIX/Linux Any version
Windows Any version
Recommendation No patch for this vulnerability as of June 2003.

The following unofficial workaround has been provided by David F. Madrid:
$good_var = eregi_replace("([^a-z0-9]+)and([^a-z0-9]+)", "0", $var);
// Note: the opening parenthesis of the first group was missing in the transcribed line above; eregi_replace() was removed in PHP 7, where preg_replace() with the /i modifier is the equivalent.
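As an added illustration (not PostNuke's own code), the PHP below models the unsafe reflection of the uname and email parameters from the first test URL beside an output-encoded version; the surrounding HTML and the function names are assumed. Note that the filter above only rewrites the word "and" between non-alphanumeric characters and leaves the `<`, `>` and `"` characters used in the test URLs untouched, so output encoding is still required.

```php
<?php
// Added example, not PostNuke code. It models how user.php might reflect the
// "uname" and "email" query parameters into the confirmation page; parameter
// names come from the first test URL above, the HTML around them is assumed.

// Vulnerable pattern: the raw parameter is concatenated into HTML, so a value
// such as "><img src="javascript:..."> closes the attribute and injects a tag.
function render_confirm_vulnerable(array $get): string
{
    $uname = $get['uname'] ?? '';
    $email = $get['email'] ?? '';
    return '<input type="text" name="uname" value="' . $uname . '">'
         . '<p>A confirmation mail was sent to ' . $email . '</p>';
}

// Hardened pattern: every untrusted value is HTML-encoded for the context it
// lands in. ENT_QUOTES encodes both quote characters, which is what stops the
// attribute breakout; the charset is stated explicitly.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_confirm_hardened(array $get): string
{
    $uname = $get['uname'] ?? '';
    $email = $get['email'] ?? '';
    return '<input type="text" name="uname" value="' . h($uname) . '">'
         . '<p>A confirmation mail was sent to ' . h($email) . '</p>';
}

// Defence in depth for "op": it selects a code path, so accept only known
// values instead of passing an arbitrary string through.
function valid_op(string $op): bool
{
    return in_array($op, ['confirmnewuser', 'modload'], true);
}

// Constructed input: the decoded query string of the first test URL above.
$probe = [
    'op'     => 'confirmnewuser',
    'module' => 'NS-NewUser',
    'uname'  => '"><img src="javascript:alert(document.cookie);">',
    'email'  => 'lucas@pelucas.com',
];

if (valid_op($probe['op'])) {
    echo render_confirm_vulnerable($probe), PHP_EOL;  // tag survives in the markup
    echo render_confirm_hardened($probe), PHP_EOL;    // tag is rendered as text
}
```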
Related URL (CVE)
Related URL 7898,7901 (SecurityFocus)
Related URL 12291,12292 (ISS)