PHP-Nuke AddOn PHPToNuke.php 1.0 - Cross-Site Scripting

EDB-ID:

21206


Author:

frog

Type:

webapps


Platform:

PHP

Date:

2002-01-06


source: https://www.securityfocus.com/bid/3807/info

phptonuke.php is a PHPNuke AddOn script to insert a PHP script into the middle of a PHPNuke site. It is written and maintained by Lebios.

It is possible for a malicious user to create a link to the phptonuke.php script which contains script code. When an unsuspecting web user browses the link, the script code will be executed in their browser in the context of the PHPNuke site.

This type of attack may be used to hijack a legitimate user's session via theft of cookie-based authentication credentials.

http://phpnukesite/phptonuke.php?filnavn=<script>alert(document.cookie)</script>