admin
06-27-2005, 11:45 PM
PHP-Nuke
http://www.phpnuke.org
06-27-2005
http://secunia.com/advisories/15829/
Description:
FJLJ has reported a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct script insertion attacks.
Input passed to the "Link to off-site Avatar" field isn't properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed.
Successful exploitation requires that the "Enable remote avatars" setting is enabled (disabled by default).
Solution:
Edit the source code to ensure that input is properly sanitised.
Disable the "Enable remote avatars" setting.
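
As an illustration of the "ensure that input is properly sanitised" fix above, here is an added example that is not PHP-Nuke's own code or the advisory's: the function names `validate_avatar_url` and `render_avatar` and the sample values are hypothetical. It validates the off-site avatar link when it is saved and HTML-encodes it again when it is written into the page.

```php
<?php
// Added example: hypothetical helpers, not functions from PHP-Nuke.

// Validate the "Link to off-site Avatar" value before storing it.
// Returns the trimmed URL, or null if the value must be rejected.
function validate_avatar_url(string $raw): ?string
{
    $url = trim($raw);
    if ($url === '' || strlen($url) > 255) {
        return null;
    }
    // Reject control characters, whitespace, quotes, backticks and angle
    // brackets: none of them belong in an unencoded image URL.
    if (preg_match('/[\x00-\x20\x7f"\'<>`]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Allowlist of schemes: anything other than http/https is refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Encode on output as well, so a value stored before the check existed
// still cannot break out of the src attribute.
function render_avatar(?string $url): string
{
    if ($url === null) {
        return '';
    }
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<img src="' . $safe . '" alt="avatar">';
}

// Constructed sample inputs, not taken from the advisory.
$samples = [
    'http://example.com/avatars/user.png',   // accepted
    'javascript:void(0)',                    // rejected: scheme not allowed
    'http://example.com/a.png"><b>',         // rejected: quote and brackets
];
foreach ($samples as $s) {
    $ok = validate_avatar_url($s);
    echo $s, ' => ', $ok === null ? 'rejected' : render_avatar($ok), "\n";
}
```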