lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040322165411.12572.qmail@www.securityfocus.com>
Date: 22 Mar 2004 16:54:11 -0000
From: Janek Vind <come2waraxe@...oo.com>
To: bugtraq@...urityfocus.com
Subject: [waraxe-2004-SA#011 - Multiple vulnerabilities in MS Analysis
    v2.0 module for PhpNuke]






{================================================================================}
{                              [waraxe-2004-SA#011]                              }
{================================================================================}
{                                                                                }
{       [ Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke ]      }
{                                                                                }
{================================================================================}
                                                                                                                                
Author: Janek Vind "waraxe"
Date: 22. March 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From copyright.php:

MS Analysis module for PHP-Nuke

Module's Name: MS Analysis
Module's Version: v2.0 - No Options
Module's Description: This script analyses all incoming 'traffic' and stores all
                      properties of a member/visitor. It is in fact an extended 
                      version of PHP-Nuke Statistics.
License: GNU/GPL
Author's Name: Maty Scripts
Author's user_email: webmaster@...yscripts.com
Homepage: http://www.matyscripts.com/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Full path disclosure



All the files in "scripts" directory, for example:

http://localhost/nuke70/modules/MS_Analysis/scripts/browsers.php

and we get standard error message, revealing full path:

Fatal error: Call to undefined function: is_admin() in D:\apache_wwwroot\nuke70\modules\MS_Analysis\scripts\browsers.php on line 3

Other php files are directly callable too, for example:

http://localhost/nuke70/modules/MS_Analysis/mstrack.php
http://localhost/nuke70/modules/MS_Analysis/title.php

and we can see the full path in standard php error messages.




2. Cross-Site Scripting aka XSS



There are many possible XSS bugs, including:
 
http://localhost/nuke70/modules.php?name=MS_Analysis&file=index&op=MSAnalysisGeneral&screen=>[xss code here]&overview=1&sortby=

http://localhost/nuke70/modules/MS_Analysis/title.php?module_name=>[xss code here]

http://localhost/nuke70/modules.php?name=MS_Analysis&file=index&op=MSAnalysisGeneral&screen=3&overview=1&sortby=>[xss code here]

http://localhost/nuke70/modules.php?name=MS_Analysis&file=index&op=MSAnalysisGeneral&screen=13&overview=>[xss code here]&sortby=




3. sql injection in search words analyzing code


-----------------------------------------------------------------------------
Let's look at original code, function MSAGetSearchWords() from class.dynamicadd.php:

...

function MSAGetSearchWords( $sestring, $onlyhost, $search_store )
   {
      global $MSSearchEngines;
      $searchwords = "";
      foreach( $MSSearchEngines as $key=>$value ) {
         if( eregi( $key, $onlyhost ) ) {
            $asestring = explode( "&", $sestring ); 
            for( $j = 0; $j < sizeof( $asestring ); $j++ )
            {
               $asestring[ $j ] = ereg_replace ('amp;', '', trim( $asestring[ $j ] ) );
               $fquery = explode( "=" , $asestring[ $j ] );
               if( $fquery[ 0 ] == $value ) {
                  $searchwords = trim(strtolower(urldecode( $fquery[ 1 ] ) ) );
                  $searchwords = str_replace( "\"", "", $searchwords );
                  if( $search_store ) $searchwords = str_replace( "+", " ", $searchwords );
                  break;
               }
            } // END sizeof( $asestring )
         } // END eregi
      }
      return( $searchwords );       
   } // END Function

} 

...



So, this code uses the php function "urldecode()":

$searchwords = trim(strtolower(urldecode( $fquery[ 1 ] ) ) );


Hmm, what if we deliver here "%27"? In such way we can get single quote and bypass the "magic quotes".
Let's look, how "$searchwords" will be processed further:

...

if( $this->IsSearchEngine( $MSAreferral ) == 1 ) {
                  $searchwords = $this->MSAGetSearchWords( $MSArefstr, $MSAreferral, $search_store );
                  if( $searchwords != "" ) {
                     if( $search_store ) {
                        $searchwords = explode( " ", $searchwords );
                        for( $i = 0; $i < sizeof( $searchwords ); $i++ )
                        {	    
	                   $sw = trim( $searchwords[ $i ] );
                           if( $sw != "" ) {
                              $result = $db->sql_query( "select words from $prefix"._msanalysis_search." where words = '$sw'" );
                              if( $db->sql_numrows( $result ) == 0 ) { $db->sql_query( "insert into $prefix"._msanalysis_search." ( words, hits, today, hitstoday, xdays, hitsxdays ) values ( '$sw', '1', '$MSAslogdate', '1', '$xdate', '1' )" ); }
                              else { $db->sql_query( "update $prefix"._msanalysis_search." set hits=hits+1, today='$MSAslogdate', hitstoday=hitstoday+1, hitsxdays=hitsxdays+1 where words = '$sw'" ); }
                              $db->sql_freeresult( $result );
                           }
                        }
                     }
                     else {

...


Yeah, i can't see "addslashes()" anywhere! So sql injection is possible!!

How to exploit this security flaw in practice? First, we must use the "refferer" field in http
request, so using of the perl script is needed (of course, php or any other language can be used too).
Second, as we don't have any visual feedback here, we must use "blind method" through UNION keyword.
Example of that method can be found in "[waraxe-2004-SA#003] - SQL injection in Php-Nuke 7.1.0".
And here is the typical "referer" field from attacker's http request:

"http://www.google.com/search?q=Maty+Scripts%27UNION SELECT pwd from nuke_authors where name%3d%27God%27 AND IF(mid(pwd,1,1)%3d3,benchmark(150000,md5(1337)),1)/*"

Anyone with some knowledge of the php, sql and perl can write exploit script with ease, so i don't
give the full source code of the exploit here ;)




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum staff and to all IT security related people in Estonia! Tervitused!
Special greets to ulljobu!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@...oo.com
    Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ