PHP-Nuke GBook Module HTML Injection Vulnerability
BID:9559
Info
PHP-Nuke GBook Module HTML Injection Vulnerability
| Bugtraq ID: | 9559 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 03 2004 12:00AM |
| Updated: | Feb 03 2004 12:00AM |
| Credit: | The disclosure of this issue has been credited to Janek Vind "waraxe" <[email protected]>. |
| Vulnerable: |
gBook gBook 1.4 gBook gBook |
| Not Vulnerable: | |
Discussion
PHP-Nuke GBook Module HTML Injection Vulnerability
It has been reported that the GBook module for PHP-Nuke may be prone to a HTML injection vulnerability that may allow a remote attacker to carry out HTML injection attacks in order to steal sensitive data such as authentication credentials. Due to insufficient sanitization of user-supplied data, various parameters passed to the GBook module are vulnerable to HTML injection. Some of the affected parameters include 'name', 'email', 'city', and 'message'.
Gbook script for PHP-Nuke version 1.0 has been tested for this issue, however, it is likely that other versions of PHP-Nuke are vulnerable as well.
It has been reported that the GBook module for PHP-Nuke may be prone to a HTML injection vulnerability that may allow a remote attacker to carry out HTML injection attacks in order to steal sensitive data such as authentication credentials. Due to insufficient sanitization of user-supplied data, various parameters passed to the GBook module are vulnerable to HTML injection. Some of the affected parameters include 'name', 'email', 'city', and 'message'.
Gbook script for PHP-Nuke version 1.0 has been tested for this issue, however, it is likely that other versions of PHP-Nuke are vulnerable as well.
Exploit / POC
PHP-Nuke GBook Module HTML Injection Vulnerability
No exploit is required.
No exploit is required.
Solution / Fix
PHP-Nuke GBook Module HTML Injection Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
PHP-Nuke GBook Module HTML Injection Vulnerability
References:
References:
- PHPNuke INP Homepage (PHPNuke INP)
- [waraxe-2004-SA#001] - Script injection in GBook for Php-Nuke ver. 1.0 (Janek Vind
)