header-logo
Suggest Exploit
vendor:
PHPtonuke.php
by:
Lebios
7.5
CVSS
HIGH
Script Insertion
79
CWE
Product Name: PHPtonuke.php
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

PHPtonuke.php Script Insertion Vulnerability

It is possible for a malicious user to create a link to the phptonuke.php script which contains script code. When an unsuspecting web user browses the link, the script code will be executed in their browser in the context of the PHPNuke site. This type of attack may be used to hijack a legitimate user's session via theft of cookie-based authentication credentials.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3807/info

phptonuke.php is a PHPNuke AddOn script to insert a PHP script into the middle of a PHPNuke site. It is written and maintained by Lebios.

It is possible for a malicious user to create a link to the phptonuke.php script which contains script code. When an unsuspecting web user browses the link, the script code will be executed in their browser in the context of the PHPNuke site.

This type of attack may be used to hijack a legitimate user's session via theft of cookie-based authentication credentials.

http://phpnukesite/phptonuke.php?filnavn=<script>alert(document.cookie)</script>

Navigation

Suggest Exploit

Services By CQR