BugTraq
Back to list
|
Post reply
PHP-Nuke code injection in Yearly Stats at Statistics module
May 17 2003 10:33AM
Lorenzo Manuel Hernandez Garcia-Hierro (security lorenzohgh com)
-------
Product: PHP-Nuke
Vendor: Francisco Burci
Versions Vulnerable:
6.0 without patches ,
6.0 with index.php and mainfile.php patches.
5.5 with patches ( all resting script tags)
No vulnerable:
6.0 with mainfile.php patch for block url tags inclusions ( not all ).
5.5 with script tags but with the other all.
------
DESCRIPTION:
------
i'm working now in nuke based portals , searching modules that use an URL
based query i found in the Statistics module some bugs:
when you put a string in the url behind the &year variable the module
prints you the character that you put.
i probe iframe and works , script tags works , object works,applet
works,meta works,style works,form works too,img works,comments and ssi
works.
--------
SOLUTION:
--------
Put this code in your mainfile.php :
/*
foreach ($HTTP_GET_VARS as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("\"", $secvalue))) {
die ("Oh! .");
}
}
*/
NOTE: Remove comment /* and */.
-----
WHAT CAN BE HAPPEN?
-----
Script and binary objects inclusion. Normally it isn't a problem but
there are many viruses written in vbscript and javascript/JS . Iframe can
be used for a link that an user visits and there is and attack to the
user trough known iframe vulns.
With the code that i provide your'e sure by this little bug.
-----
CONTACT INFO :
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--www.novappc.com --
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
-------
Product: PHP-Nuke
Vendor: Francisco Burci
Versions Vulnerable:
6.0 without patches ,
6.0 with index.php and mainfile.php patches.
5.5 with patches ( all resting script tags)
No vulnerable:
6.0 with mainfile.php patch for block url tags inclusions ( not all ).
5.5 with script tags but with the other all.
------
DESCRIPTION:
------
i'm working now in nuke based portals , searching modules that use an URL
based query i found in the Statistics module some bugs:
when you put a string in the url behind the &year variable the module
prints you the character that you put.
i probe iframe and works , script tags works , object works,applet
works,meta works,style works,form works too,img works,comments and ssi
works.
--------
SOLUTION:
--------
Put this code in your mainfile.php :
/*
foreach ($HTTP_GET_VARS as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("\"", $secvalue))) {
die ("Oh! .");
}
}
*/
NOTE: Remove comment /* and */.
-----
WHAT CAN BE HAPPEN?
-----
Script and binary objects inclusion. Normally it isn't a problem but
there are many viruses written in vbscript and javascript/JS . Iframe can
be used for a link that an user visits and there is and attack to the
user trough known iframe vulns.
With the code that i provide your'e sure by this little bug.
-----
CONTACT INFO :
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--www.novappc.com --
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
[ reply ]