PHP Nuke Nederland
  
•   Home  •  Downloads  •  Your Account  •  Forums  •
Navigation
 Home
· Search
· Recommend Us
· Feedback
· Top 10
· Web Links
· Statistics
 News
· Topics
· Stories Archive
· Submit News
 Members
· Your Account
· Private Messages
· Members List
 Downloads
· Downloads
· Most popular
 Forum
· Forums
· Forum Search
· Forum FAQ
· Forum Rules
 Documentation
 Site Info
· Legal Notices
· Disclaimer
· Privacy
· Terms of Use
Languages
Kies interface taal:

Dutch English
Sentinel
· 67.48.118.*
· 190.56.164.*
· 70.26.145.*
· 70.63.214.*
· 97.78.5.*
· 71.81.120.*
· 216.246.60.*
· 71.109.164.*
· 70.49.11.*
· 76.65.100.*
NukeSentinel(tm)
Caught by Sentinel
You have been warned!
We have caught 1401 shameful hackers.
NukeSentinel(tm)
Kalender
<< december 2008 >>

z m d w d v z
  123456
78910111213
14151617181920
21222324252627
28293031     

Security: PHP-Nuke Personal Menu Script Insertion and SQL Injection
SecurityBron: Secunia.com

Twee exploits in de Your Account module:
Jason Lau has discovered two vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection and script insertion attacks.

1) Input passed to the "ublock" parameter in the "Your_Home" functionality of the "Your_Account" module isn't properly sanitised before being saved as the user's personal menu. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site when the user views his personal menu.

Example:
< img src=javascript:[code]>
(requires the Microsoft Internet Explorer browser)

2) Input passed to the "user_id" parameter in the "Your_Home" functionality of the "Your_Account" module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can be further exploited with vulnerability #1 to inject arbitrary HTML and script code into arbitrary user's personal menu.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerabilities have been confirmed in version 7.8. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.


Gebruikers van NukeSentinel zijn beveiligd tegen deze exploit!
Geplaatst op Donderdag 23 februari 2006 door BlueLion
 
Gerelateerde links
· Meer over Security
· Berichten door BlueLion
Meest gelezen bericht in de categorie Security:
Nuke Sentinel 2.0.2
Waardering
Gemiddeld: 0
Stemmen: 0

Bericht waarderen:

Uitstekend
Zeer Goed
Goed
Gewoon
Slecht
Opties

 Printervriendelijke pagina Printervriendelijke pagina

Web site powered by PHP-Nuke

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2004-2008 by BlueLion.
SEO enhanced with the Sitemapper script
You can syndicate our news using the file backend.php or ultramode.txt
Powered by PHP Powered by MySQL Apache Webserver Valid robots.txt
PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Pagina rendering: 0.10 seconden


[Valid News RSS]

RSS Feeds:
[RSS 2.0 News Feed]
[RSS 2.0 Download Feed]
[RSS 2.0 Forum Feed]
[RSS 2.0 Link Feed]
:: fisubsilver shadow phpbb2 style by Daz :: PHP-Nuke theme by BlueLion ::