Php-Nuke is a popular freeware content management system, written in PHP by Francisco Burzi. This CMS (Content Management System) is used on many thousands of websites, because it's freeware, easy to install and has a broad set of features.
There are various security flaws - full path disclosure, XSS, script injection and critical SQL injection. Most of the bugs discussed in the current advisory are located in the "Journal" module, and a couple of full path disclosure bugs are in the "Web_Links" and "Statistics" modules.
A - Full Path Disclosure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A1 - full path disclosure in "/modules/Web_Links/voteinclude.php":
Warning: main(modules/Web_Links/l_config.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Web_Links\voteinclude.php on line 24
Fatal error: main(): Failed opening required 'modules/Web_Links/l_config.php' (include_path='.;c:\php4\pear') in
D:\apache_wwwroot\nuke73\modules\Web_Links\voteinclude.php on line 24
A2 - full path disclosure in "Statistics" module:
Let's see the original code from "/modules/Statistics/index.php":
case "MonthlyStats": MonthlyStats($year,$month); break;
case "DailyStats": DailyStats($year,$month,$date); break;
case "convert_month": convert_month($month); break;
}
----------------------------------------------------
Everything seems OK? Guess what - convert_month() is a legacy function, not referenced anywhere else. So if we make a GET request like this:
C - Script injection into Journal entry ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The journal entry's main text is sanitized against script injection, but for some reason the title text is unsanitized. So, a potential attacker can write a journal entry and put something like this in the title input field:
"Look at cool pics! <body onload=alert(document.cookie);>"
And now, when anyone, including admins, lists specific journal entries:
if ($debug == "true") : echo ("UserName:$username<br>SiteName: $sitename"); endif;
startjournal($sitename,$user);
$onwhat = intval($onwhat);
$sql = "DELETE FROM ".$prefix."_journal_comments WHERE cid = '$onwhat'";
$db->sql_query($sql);
--------------------------------------------------
Funny thing, but the script's author seems to have forgotten about the permission check entirely! So if anyone wants to delete ANY comment from any journal for some reason, a simple GET request will do the job:
Of course, the comment's ID must be the right number. I can understand - Journal comments are an absolutely uncritical issue and who gives a s*it about them, but anyway - this is very bad coding style ...
D2 - unauthorized journal entry insertion in "modules/Journal/savenew.php":
Same problem - no permission check at all. Any anonymous person who is not a member of the nuke site can add journal entries with ease:
if (!isset($forwhat)):
    $forwhat = "naddaanythang";
else :
    $forwhat = stripslashes($forwhat);
endif;
...
...
function search($username,$bywhat,$forwhat,$sitename,$bgcolor2,$bgcolor3,$user) {
    global $prefix, $user_prefix, $db, $module_name, $exact;
    echo "<br>";
    OpenTable();
...
...
    if ($bywhat == 'aid'):
        if ($exact == '1') {
            $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.aid='$forwhat' order by j.jid DESC";
        } else {
...
...
    $result = $db->sql_query($sql);
--------------------------------------------------
A nice case of SQL injection - first the user-submitted variables "bywhat" and "forwhat" are processed by "stripslashes()" and then WITHOUT ANY SANITIZATION are used in a "SELECT FROM" SQL query... So it's time to test the proof of concept sploit:
And as a result, we will see the admin password md5 hash in the place where normally the journal entry's title shows up. As with any UNION exploit - mysql version 4.x is needed with UNION functionality enabled.
How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
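Added here to illustrate the kind of fix the advisory's findings call for; this is not code from the advisory or from PHP-Nuke. It rebuilds the "bywhat"/"forwhat" search query with a column whitelist and a bound parameter in place of stripslashes(), and ties the comment deletion to the logged-in user. It assumes a PDO connection, the placeholder table prefixes "nuke", a LIKE branch for non-exact search, and a comments-table column "aid" holding the poster's username; none of these appear in the advisory.

```php
<?php
// Hardened rewrite (added example, not PHP-Nuke's own code).
// Assumptions: $pdo is a PDO handle; "nuke" prefixes and the comments
// column "aid" are placeholders for whatever the real schema uses.

function build_journal_search(PDO $pdo, string $bywhat, string $forwhat, string $exact,
                              string $prefix = 'nuke', string $user_prefix = 'nuke'): PDOStatement
{
    // User input may only pick an identifier from this fixed list; it never
    // reaches the SQL text directly.
    $columns = ['aid' => 'j.aid', 'title' => 'j.title'];
    if (!isset($columns[$bywhat])) {
        throw new InvalidArgumentException('unsupported search field');
    }
    $col = $columns[$bywhat];

    // stripslashes() removes escaping rather than adding it. A bound parameter
    // sends the value out of band, so quotes or UNION in $forwhat stay plain data.
    $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.mdate, j.mtime, u.user_id, u.username"
         . " FROM {$prefix}_journal j JOIN {$user_prefix}_users u ON u.username = j.aid"
         . ($exact === '1' ? " WHERE $col = :term" : " WHERE $col LIKE :term")   // LIKE branch assumed
         . " ORDER BY j.jid DESC";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':term', $exact === '1' ? $forwhat : '%' . $forwhat . '%');
    $stmt->execute();
    return $stmt;
}

function delete_journal_comment(PDO $pdo, $onwhat, ?string $current_user, string $prefix = 'nuke'): bool
{
    // Anonymous callers are refused before any SQL runs; the original code had
    // no such check at all.
    if ($current_user === null || $current_user === '') {
        return false;
    }
    $cid = (int) $onwhat;   // intval() was already correct; ownership was the missing piece

    // Restricting the WHERE clause to the caller's own rows means a valid cid
    // that belongs to someone else deletes nothing.
    $stmt = $pdo->prepare("DELETE FROM {$prefix}_journal_comments WHERE cid = :cid AND aid = :aid");
    $stmt->execute([':cid' => $cid, ':aid' => $current_user]);
    return $stmt->rowCount() === 1;
}
```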
The php-nuke team should hire this Janek Vind guy as their official security consultant. lol
ComSec
Jun 23 2004, 11:56 PM
i agree JeiAr... 'waraxe' has made it his pet toy ... he should be employed by them
but then again... they're getting the info for nothing by him posting his sploits ...that's show business
so why pay him is their attitude!
slynx
Jun 24 2004, 12:34 AM
it wouldn't take much and he could make some easy $$ :>
seriously though, anybody running php-nuke should definitely be watching him, seeing as how there aren't any vendor supplied patches.... the script kiddies could have a helluva party with this one....