27th Jan 2003 [SBWID-5953]
COMMAND
	Multiple Cross Site Scripting Vulnerabilities in Nuked-Klan
SYSTEMS AFFECTED
	Nuked-Klan beta 1.2 and prior
PROBLEM
	Grégory Le Bras aka GaLiaRePt [http://www.Security-Corp.org], in
	Security Corporation Security Advisory [SCSA-003]:
	
	 http://www.security-corp.org/index.php?ink=4-15-1
	 French Version : http://www.security-corp.org/advisories/SCSA-003-FR.txt
	
	
	DETAILS & EXPLOITS
	________________________________________________________________________
	
	Several Cross-Site Scripting vulnerabilities have been found in
	Nuked-Klan. They allow an attacker to inject script code into a page,
	where it runs in the visitor's browser as if it had been provided by
	the site.
	These Cross-Site Scripting vulnerabilities are found in the following
	modules: Guestbook, Forum, Shoutbox.
	An attacker can input specially crafted links and/or other malicious
	scripts.
	
	Guestbook
	________________________________________________________________________
	
	A vulnerability was discovered in the page for posting messages, at
	this address:
	
	http://[target]/index.php?file=Guestbook&req=post_book
	
	The vulnerability lies in how the "Author" field is interpreted.
	Inserting hostile script code in this field allows a malicious user to
	run that script in the browser of visitors.
	The hostile code could be:
	
	[script]alert("Cookie="+document.cookie)[/script]
	
	(opens a window showing the visitor's cookie.)
	(replace [] with <>)
	
	Forum
	________________________________________________________________________
	
	A vulnerability was discovered in the page for posting new messages in
	the forum, at this address:
	
	http://[target]/index.php?file=Forum&op=post_screen&forum_id=0
	
	The vulnerability lies in how the "Titre" and "Pseudo" fields are
	interpreted.
	Inserting hostile script code in either field allows a malicious user
	to run that script in the browser of visitors.
	The hostile code could be:
	
	[script]alert("Cookie="+document.cookie)[/script]
	
	(opens a window showing the visitor's cookie.)
	(replace [] with <>)
	
	Shoutbox
	________________________________________________________________________
	
	A vulnerability was discovered in the page for posting messages in "La
	Tribune Libre".
	Inserting hostile script code in this field allows a malicious user to
	run that script in the browser of visitors.
	The hostile code could be:
	
	[script]alert("Cookie="+document.cookie)[/script]
	
	(opens a window showing the visitor's cookie.)
	(replace [] with <>)
	
	-------Vulnerable line in submit.php--------
	$shout = str_replace("|","",$SB_text);
	--------------------------------------------
	
	Possible solution: modify the code so that it examines all of the text
	sent by the user and replaces the hostile elements.
	
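	---------------Code example-----------------
	<?php
	// Replace angle brackets so no HTML tag can be formed from user input.
	$SB_text = str_replace("<", "[", $SB_text);
	$SB_text = str_replace(">", "]", $SB_text);
	// HTML-encode the remaining special characters.
	$SB_text = htmlentities($SB_text);
	// Strip "|" as the original submit.php line does.
	$shout = str_replace("|","",$SB_text);
	?>
	--------------------------------------------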
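	
	Encoding at output time, as an added example (not code from the advisory
	or from Nuked-Klan; esc_html, render_entry, is_inert and the sample
	entries are hypothetical). It goes beyond the Shoutbox fix above by
	applying one encoder to every user-supplied field and leaving the posted
	text recoverable:

```php
<?php
// Added example; function names and sample entries are hypothetical,
// not taken from Nuked-Klan. Requires PHP 7 or later.

// Encode a value for HTML element content or a quoted attribute value.
// ENT_QUOTES is passed explicitly: before PHP 8.1 the default flags
// left single quotes unencoded.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one entry; every user-supplied field is encoded at output time.
function render_entry(array $entry): string
{
    return sprintf(
        "<tr><td title=\"%s\">%s</td><td>%s</td></tr>",
        esc_html($entry['pseudo']),
        esc_html($entry['pseudo']),
        esc_html($entry['text'])
    );
}

// True when no raw markup delimiter remains in an encoded field.
function is_inert(string $encoded_field): bool
{
    return strpbrk($encoded_field, "<>\"'") === false;
}

// Constructed sample input: the advisory's test string, plus ordinary
// text that legitimately contains the same characters.
$samples = [
    '<script>alert("Cookie="+document.cookie)</script>',
    "if a < b && b > c then it's \"sorted\"",
];

foreach ($samples as $s) {
    $encoded = esc_html($s);
    if (!is_inert($encoded)) {
        throw new RuntimeException('unencoded markup character in output');
    }
    // Encoding is lossless: decoding returns exactly what was posted,
    // unlike replacing < and > with [ and ].
    if (htmlspecialchars_decode($encoded, ENT_QUOTES) !== $s) {
        throw new RuntimeException('round trip changed the text');
    }
    echo render_entry(['pseudo' => $s, 'text' => $s]), "\n";
}
```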
	
SOLUTION
	Upgrade your version to beta 1.3
	Upgrade Guestbook with the appropriate patch:
	
	 http://tomysnockers.net/download/Guestbook.rar
	
	Upgrade Shoutbox with the appropriate patch:
	
	 http://www.nuked-klan.org/files/Shoutbox_13.zip