Php-nuke Security Check Can By Bypassed

Full Version: Php-nuke Security Check Can By Bypassed

GovernmentSecurity.org > The Archives > Exploit Articles

qcred11

Jun 2 2004, 12:56 AM

QUOTE

PHP-Nuke Security Check Can By Bypassed Letting Remote Users Determine Installation Path

Advisory: 2004-Nuke-001
Affected Software: PHPNuke
Affected Versions: Version 7.3 and earlier
Main Developer: Francisco Burzi (http://www.phpnuke.org/)
Module Developers: See credits section below

Description:
-----------

PhpNuke is a very popular open source portal software for building dynamic
websites. It is a fork of Thatware and has been under active development
since mid-2000. Over the years, PhpNuke itself has spawned a number of
software forks.

Vulnerability:
-------------

In an effort to secure files from being directly accessed by outside visitors,
PhpNuke's core, module, and patch developers added a simple security checking
mechanism. If the checker evaluates to false, the remaining code inside the
file is executed. If it evaluates to true, the script aborts or the visitor
is redirected to another page.

The process consists of capturing the currently executing script's path and
filename with the global variable $_SERVER['PHP_SELF']. Using PHP's built-in
function eregi(), this value is then compared against the script's name
which should be the sole access point.

Example:
if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }

In this example, a file with the above snippet will continue executing if
it was accessed by another file containing the letters "admin.php" (without
quotes) otherwise the script aborts returning the words "Access Denied".

Using eregi() with the NOT logical operator as done by PhpNuke's developers
is a very poor way to control file access because anyone can easily
manipulate a URL and add the missing component thereby forcing the security
check to always evaluate to false and gain unfettered entry.

Exploitation Example:
---------------------

http://www.domain.com/admin/case/case.admi...php?op=FaqCatGo

Impact:
------

In the majority of cases here, exploition of this vulnerability will display
full path disclosure and not continue further code execution where intrusion
or damage might occur. In a much smaller number of cases, the code may
continue executing and possibly allow outsiders unwanted access to some
restricted areas on the site. Those who have setup their servers to look in
the main directory when a file is not located in the current one may see
a higher percentage of unwanted access and a lower percentage of full path
disclosures than others.

PhpNuke's code was not analyzed on whether additional vulnerabilities are
possible due to this security weakness. However, files where potential SQL
injections might occur are flagged below.

Affected Files:
--------------

Although an effort was made to identify all affected files, we leave it
up to the developers/users to do their own verification to ensure no files
were inadvertently missed.

There are ~138 files affected. Of these, ~27 have no security check in
PhpNuke's original distribution. A software patch was released by chatserv
from NukeFixes (http://www.nukefixes.com) and NukeResources
(http://www.nukeresources.com) to correct a number of vulnerability issues.
Although 25 of the 27 files had a security check added, chatserv used the
same inadequate method described in this report.

Note 1 --> /admin/case/case.adminfaq.php
Note 1 --> /admin/case/case.authors.php
Note 1 --> /admin/case/case.backup.php
Note 1 --> /admin/case/case.banners.php
Note 1 --> /admin/case/case.blocks.php
Note 1 --> /admin/case/case.comments.php
Note 1 --> /admin/case/case.content.php
Note 1 --> /admin/case/case.download.php
Note 1 --> /admin/case/case.encyclopedia.php
Note 1 --> /admin/case/case.ephemerids.php
Note 1 --> /admin/case/case.forums.php
Note 1 --> /admin/case/case.groups.php
Note 1 --> /admin/case/case.links.php
Note 1 --> /admin/case/case.messages.php
Note 1 --> /admin/case/case.modules.php
Note 1 --> /admin/case/case.newsletter.php
Note 1 --> /admin/case/case.optimize.php
Note 1 --> /admin/case/case.polls.php
Note 1 --> /admin/case/case.referers.php
Note 1 --> /admin/case/case.reviews.php
Note 1 --> /admin/case/case.sections.php
Note 1 --> /admin/case/case.settings.php
Note 1 --> /admin/case/case.stories.php
Note 1 --> /admin/case/case.topics.php
Note 1 --> /admin/case/case.users.php
Note 2 --> /admin/links/links.addstory.php
Note 2 --> /admin/links/links.backup.php
Note 2 --> /admin/links/links.banners.php
Note 2 --> /admin/links/links.blocks.php
Note 2 --> /admin/links/links.content.php
Note 2 --> /admin/links/links.download.php
Note 2 --> /admin/links/links.editadmins.php
Note 2 --> /admin/links/links.editusers.php
Note 2 --> /admin/links/links.encyclopedia.php
Note 2 --> /admin/links/links.ephemerids.php
Note 2 --> /admin/links/links.faq.php
Note 2 --> /admin/links/links.forums.php
Note 2 --> /admin/links/links.groups.php
Note 2 --> /admin/links/links.httpreferers.php
Note 2 --> /admin/links/links.messages.php
Note 2 --> /admin/links/links.modules.php
Note 2 --> /admin/links/links.newsletter.php
Note 2 --> /admin/links/links.optimize.php
Note 2 --> /admin/links/links.reviews.php
Note 2 --> /admin/links/links.sections.php
Note 2 --> /admin/links/links.settings.php
Note 2 --> /admin/links/links.submissions.php
Note 2 --> /admin/links/links.surveys.php
Note 2 --> /admin/links/links.topics.php
Note 2 --> /admin/links/links.weblinks.php
Note 3 --> /admin/modules/adminfaq.php
Note 3 --> /admin/modules/authors.php
Note 3 --> /admin/modules/backup.php
Note 3 --> /admin/modules/banners.php
Note 3 --> /admin/modules/blocks.php
Note 3 --> /admin/modules/comments.php
Note 3 --> /admin/modules/content.php
Note 3 --> /admin/modules/download.php
Note 3 --> /admin/modules/encyclopedia.php
Note 3 --> /admin/modules/ephemerids.php
Note 3 --> /admin/modules/forums.php
Note 3 --> /admin/modules/groups.php
Note 3 --> /admin/modules/links.php
Note 3 --> /admin/modules/messages.php
Note 3 --> /admin/modules/modules.php
Note 3 --> /admin/modules/newsletter.php
Note 3 --> /admin/modules/optimize.php
Note 3 --> /admin/modules/polls.php
Note 3 --> /admin/modules/referers.php
Note 3 --> /admin/modules/reviews.php
Note 3 --> /admin/modules/sections.php
Note 3 --> /admin/modules/settings.php
Note 3 --> /admin/modules/stories.php
Note 3 --> /admin/modules/topics.php
Note 3 --> /admin/modules/users.php
Note 4 --> /db/db.php
Note 1 --> /modules/AvantGo/index.php
Note 1 --> /modules/AvantGo/print.php
Note 1 --> /modules/Content/index.php
Note 1 --> /modules/Downloads/index.php
Note 5 --> /modules/Downloads/voteinclude.php
Note 1 --> /modules/Encyclopedia/index.php
Note 1 --> /modules/Encyclopedia/search.php
Note 1 --> /modules/FAQ/index.php
Note 1 --> /modules/Feedback/index.php
Note 1 --> /modules/Forums/faq.php
Note 1 --> /modules/Forums/groupcp.php
Note 1 --> /modules/Forums/index.php
Note 1 --> /modules/Forums/login.php
Note 1 --> /modules/Forums/modcp.php
Note 1 --> /modules/Forums/nukebb.php
Note 1 --> /modules/Forums/posting.php
Note 1 --> /modules/Forums/profile.php
Note 1 --> /modules/Forums/search.php
Note 1 --> /modules/Forums/update_to_205.php
Note 1 --> /modules/Forums/update_to_206.php
Note 1 --> /modules/Forums/update_to_207.php
Note 1 --> /modules/Forums/viewforum.php
Note 1 --> /modules/Forums/viewonline.php
Note 1 --> /modules/Forums/viewtopic.php
Note 1 --> /modules/Journal/add.php
Note 1 --> /modules/Journal/comment.php
Note 1 --> /modules/Journal/commentkill.php
Note 1 --> /modules/Journal/commentsave.php
Note 1 --> /modules/Journal/delete.php
Note 1 --> /modules/Journal/deleteyes.php
Note 1 --> /modules/Journal/display.php
Note 1 --> /modules/Journal/edit.php
Note 1 --> /modules/Journal/friend.php
Note 1 --> /modules/Journal/functions.php
Note 1 --> /modules/Journal/index.php
Note 1 --> /modules/Journal/modify.php
Note 1 --> /modules/Journal/savenew.php
Note 1 --> /modules/Journal/search.php
Note 1 --> /modules/Members_List/index.php
Note 1 --> /modules/News/article.php
Note 1 --> /modules/News/associates.php
Note 1 --> /modules/News/categories.php
Note 1 --> /modules/News/comments.php
Note 1 --> /modules/News/friend.php
Note 1 --> /modules/News/index.php
Note 1 --> /modules/News/print.php
Note 3 --> /modules/Private_Messages/index.php
Note 1 --> /modules/Recommend_Us/index.php
Note 1 --> /modules/Reviews/index.php
Note 1 --> /modules/Search/index.php
Note 1 --> /modules/Sections/index.php
Note 1 --> /modules/Statistics/index.php
Note 1 --> /modules/Stories_Archive/index.php
Note 1 --> /modules/Submit_News/index.php
Note 1 --> /modules/Surveys/comments.php
Note 1 --> /modules/Surveys/index.php
Note 1 --> /modules/Top/index.php
Note 1 --> /modules/Topics/index.php
Note 1 --> /modules/Web_Links/index.php
Note 5 --> /modules/Web_Links/voteinclude.php
Note 1 --> /modules/Your_Account/index.php
Note 1 --> /modules/Your_Account/navbar.php

** Some of PhpNuke's earlier versions contain the WebMail module which
is also affected by this security weakness.

Note 1: Vulnerabilty: Full path disclosure for servers not setup to check
the main directory when a file is not located in the current
directory otherwise the rest of the code is executed.
Note 2: Vulnerability: Full path disclosure. File has no security check.
Note 3: Vulnerability: Full path disclosure. Possibility of SQL injection
IF the database abstraction layer can be executed while accessing
this file.
Note 4: Vulnerabilty: Full path disclosure or the code can be made to execute
passing in proper variable values. File has no security check.
Note 5: Vulnerabilty: Full path disclosure for servers not setup to check the
main directory when a file is not located in the current directory
otherwise the rest of the code is executed. File has no security check.

Source:
http://www.securitytracker.com/alerts/2004/Jun/1010355.html

tweakz20

Jun 2 2004, 01:09 AM

QUOTE

The process consists of capturing the currently executing script's path and
filename with the global variable $_SERVER['PHP_SELF']. Using PHP's built-in
function eregi(), this value is then compared against the script's name
which should be the sole access point.

waiiittt... isn't that command suppost to check BOTH the file name AND where the other site is located?.. (i don't script in PHP, but it just seems weird..) anyone know??

qcred11

Jun 2 2004, 07:30 PM

same type of vulnerability has been found in Nuke Cops and osc2nuke.
Links:
http://www.securitytracker.com/alerts/2004/Jun/1010363.html
http://www.securitytracker.com/alerts/2004/Jun/1010362.html

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.