This one was found by me and is currently awating moderation on bugtraq


Affected Versions:

PHP-Nuke 6.0 [ possibly others ]

-----------------------
Tested With:

Netscape 7.0
Mozilla 1.01 -->partial testing
IE 5.5

--------------------------
Discussion:

There is another XSS vulnerability in the popular Nuke software this one being 6.0 and possibly other versions. A recent one has been reported within the search feild of the topics but this one resides in the search feild of Web Links

Depending on what browser you are using you will get different results:

1. "<script>alert('Testing')</script>"

Netscape 7.0 -

With netscape it will pop up a box that says testing and when you close it it just opens again. This is done several times and then it closes. Also the links below [ ie google, hotbot and some others ] The links are still links but they show some of the source of the page. Also as I said the test box comes up it appears to be for each one of these search options. It loads them one at a time and for each one it brings up the testing box.

Internet Explorer 5.5 -

This just brings up one box and when you close it is gone. Links still show some source

Mozilla --

Not tested but expect same results



2. ""

Netscape:

Again this just messes up the links so they show some of the source but they still are links

IE 5.5

This actually attempts to show the pic but unsucessful , just puts the little box with a red x threw it on the page. Links are also all wacky

Mozilla

The picture will actually show with mozilla. Uncertain as to how the links look. had friend with mozilla check and all he said was it did show the pic

------------
Proof -

You can go to any site with PHP-NUke 6 and go to their weblink section and try it out. Or you can go to www.ersatz-crew.org and try it there. Feal free to check older version of nuke and possiby post nuke but i cannot garantee that they exist there




As i said this was submitted by me allready, First submission so I am a bit exited. Just thought I would post it here for you all as well as a heads up or for something to discuss