A cross-site scripting vulnerability in the popular PHPNuke web portal system can allow an attacker to gain administrative access to a web site. The problem lies in the Private Messaging module, which does no filtering of scripts in HTML code. An attacker only needs access to his own web space to upload exploit PHP files. He or she can then send a message to the site’s administrator with an embedded script which calls the remote PHP, and transfers the admin’s MD5 hashed password from the PHPNuke cookie. More details and a simple
workaround are provided in Digital Delusion’s advisory; PHPNuke 5.6 is affected but an official patch should be out soon.

(N-Stalker Security Force)