lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040601184127.31553.qmail@www.securityfocus.com>
Date: 1 Jun 2004 18:41:27 -0000
From: Squid <squidsecurity@...hmail.com>
To: bugtraq@...urityfocus.com
Subject: [Squid 2004-betaNC-001] Inadequate Security Checking in NukeCops
    betaNC Bundle




===========================================================================
===========================================================================

Advisory:          2004-betaNC-001
Affected Software: Nuke Cops betaNC PHP-Nuke Bundle w/ PHPNuke 6.5 and later
Affected Versions: all cvs versions
Main Developer:    Paul Laudanski 
                   Computer Cops (http://www.computercops.biz) 
                   NukeCops (http://www.nukecops.com/) 
Module Developers: See credits section below



Description:  
-----------

betaNC PHP-Nuke Bundle is a fork of PhpNuke which has been customized with
some additional functionality and corrective code to eliminate user reported 
software bugs.  Created in mid-2003, this open source portal software is 
maintained by the "official" PhpNuke developers at NukeCops 
(http://www.nukecops.com/). 



Vulnerability: 
------------- 

PhpNuke's software is a major component in this project thus it suffers
from the same security weakness as its parent. 

In an effort to secure files from being directly accessed by outside visitors,
developers added a simple security checking mechanism.  If the checker 
evaluates to false, the remaining code inside the file is executed.  If it 
evaluates to true, the script aborts or the visitor is redirected to another 
page.

The process consists of capturing the currently executing script's path and 
filename with the global variable $_SERVER['PHP_SELF'].  Using PHP's built-in 
function eregi(), this value is then compared against the script's name 
which should be the sole access point.

Example:
if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }

In this example, a file with the above snippet will continue executing if 
it was accessed by another file containing the letters "admin.php" (without 
quotes) otherwise the script aborts returning the words "Access Denied".  

Using eregi() with the NOT logical operator as done by the developers 
is a very poor way to control file access because anyone can easily 
manipulate a URL and add the missing component thereby forcing the security 
check to always evaluate to false and gain unfettered entry.



Exploitation Example:
---------------------

http://www.domain.com/admin/modules/blocks.php/admin.php



Impact:
------

In the majority of cases here, exploition of this vulnerability will display 
full path disclosure and not continue further code execution where intrusion 
or damage might occur.  In a much smaller number of cases, the code may 
continue executing and possibly allow outsiders unwanted access to some 
restricted areas on the site.  Those who have setup their servers to look in 
the main directory when a file is not located in the current one may see   
a higher percentage of unwanted access and a lower percentage of full path 
disclosures than others.

betaNC's code was not analyzed on whether additional vulnerabilities are 
possible due to this security weakness.  However, files where potential SQL 
injections might occur are flagged below.



Affected Files:
--------------
Although an effort was made to identify all affected files (~160 total of 
which ~28 have no security check), we leave it up to the developers/users 
to do their own verification to ensure no files were inadvertently missed.

Note 1 --> /admin/case/case.adminfaq.php
Note 1 --> /admin/case/case.authors.php
Note 1 --> /admin/case/case.backup.php
Note 1 --> /admin/case/case.banners.php
Note 1 --> /admin/case/case.blocks.php
Note 1 --> /admin/case/case.comments.php
Note 1 --> /admin/case/case.content.php
Note 1 --> /admin/case/case.download.php
Note 1 --> /admin/case/case.encyclopedia.php
Note 1 --> /admin/case/case.ephemerids.php
Note 1 --> /admin/case/case.forums.php
Note 1 --> /admin/case/case.groups.php
Note 1 --> /admin/case/case.links.php
Note 1 --> /admin/case/case.messages.php
Note 1 --> /admin/case/case.modules.php
Note 1 --> /admin/case/case.newsletter.php
Note 1 --> /admin/case/case.optimize.php
Note 1 --> /admin/case/case.polls.php
Note 1 --> /admin/case/case.referers.php
Note 1 --> /admin/case/case.reviews.php
Note 1 --> /admin/case/case.sections.php
Note 1 --> /admin/case/case.settings.php
Note 1 --> /admin/case/case.stories.php
Note 1 --> /admin/case/case.topics.php
Note 1 --> /admin/case/case.tracking.php
Note 1 --> /admin/case/case.users.php
Note 2 --> /admin/links/links.addstory.php
Note 2 --> /admin/links/links.backup.php
Note 2 --> /admin/links/links.banners.php
Note 2 --> /admin/links/links.blocks.php
Note 2 --> /admin/links/links.content.php
Note 2 --> /admin/links/links.download.php
Note 2 --> /admin/links/links.editadmins.php
Note 2 --> /admin/links/links.editusers.php
Note 2 --> /admin/links/links.encyclopedia.php
Note 2 --> /admin/links/links.ephemerids.php
Note 2 --> /admin/links/links.faq.php
Note 2 --> /admin/links/links.forums.php
Note 2 --> /admin/links/links.groups.php
Note 2 --> /admin/links/links.httpreferers.php
Note 2 --> /admin/links/links.messages.php
Note 2 --> /admin/links/links.modules.php
Note 2 --> /admin/links/links.newsletter.php
Note 2 --> /admin/links/links.optimize.php
Note 2 --> /admin/links/links.reviews.php
Note 2 --> /admin/links/links.sections.php
Note 2 --> /admin/links/links.settings.php
Note 2 --> /admin/links/links.submissions.php
Note 2 --> /admin/links/links.surveys.php
Note 2 --> /admin/links/links.topics.php
Note 2 --> /admin/links/links.tracking.php
Note 2 --> /admin/links/links.weblinks.php
Note 3 --> /admin/modules/adminfaq.php
Note 3 --> /admin/modules/authors.php
Note 3 --> /admin/modules/backup.php
Note 3 --> /admin/modules/banners.php
Note 3 --> /admin/modules/blocks.php
Note 3 --> /admin/modules/comments.php
Note 3 --> /admin/modules/content.php
Note 3 --> /admin/modules/download.php
Note 3 --> /admin/modules/encyclopedia.php
Note 3 --> /admin/modules/ephemerids.php
Note 3 --> /admin/modules/forums.php
Note 3 --> /admin/modules/groups.php
Note 3 --> /admin/modules/links.php
Note 3 --> /admin/modules/messages.php
Note 3 --> /admin/modules/modules.php
Note 3 --> /admin/modules/newsletter.php
Note 3 --> /admin/modules/optimize.php
Note 3 --> /admin/modules/polls.php
Note 3 --> /admin/modules/referers.php
Note 3 --> /admin/modules/reviews.php
Note 3 --> /admin/modules/sections.php
Note 3 --> /admin/modules/settings.php
Note 3 --> /admin/modules/stories.php
Note 3 --> /admin/modules/topics.php
Note 3 --> /admin/modules/tracking.php
Note 3 --> /admin/modules/users.php
Note 4 --> /db/db.php
Note 1 --> /modules/AvantGo/index.php
Note 1 --> /modules/AvantGo/print.php
Note 1 --> /modules/Bookmarks/del_cat.php
Note 1 --> /modules/Bookmarks/del_mark.php
Note 5 --> /modules/Bookmarks/edit_cat.php
Note 5 --> /modules/Bookmarks/edit_mark.php
Note 1 --> /modules/Bookmarks/index.php
Note 1 --> /modules/Bookmarks/marks.php
Note 5 --> /modules/Bookmarks/uploadbookmarks.php
Note 1 --> /modules/Content/index.php
Note 1 --> /modules/Downloads/index.php
Note 6 --> /modules/Downloads/voteinclude.php
Note 1 --> /modules/Encyclopedia/index.php
Note 1 --> /modules/Encyclopedia/search.php
Note 1 --> /modules/FAQ/index.php
Note 1 --> /modules/Feedback/index.php
Note 1 --> /modules/Forums/buddylist.php
Note 1 --> /modules/Forums/faq.php
Note 1 --> /modules/Forums/groupcp.php
Note 1 --> /modules/Forums/ignore.php
Note 1 --> /modules/Forums/index.php
Note 1 --> /modules/Forums/login.php
Note 1 --> /modules/Forums/modcp.php
Note 1 --> /modules/Forums/nukebb.php
Note 1 --> /modules/Forums/posting.php
Note 1 --> /modules/Forums/profile.php
Note 1 --> /modules/Forums/ranks.php
Note 1 --> /modules/Forums/search.php
Note 1 --> /modules/Forums/staff.php
Note 1 --> /modules/Forums/topics.php
Note 1 --> /modules/Forums/viewforum.php
Note 1 --> /modules/Forums/viewonline.php
Note 1 --> /modules/Forums/viewtopic.php
Note 1 --> /modules/Journal/add.php
Note 1 --> /modules/Journal/comment.php
Note 1 --> /modules/Journal/commentkill.php
Note 1 --> /modules/Journal/commentsave.php
Note 1 --> /modules/Journal/delete.php
Note 1 --> /modules/Journal/deleteyes.php
Note 1 --> /modules/Journal/display.php
Note 1 --> /modules/Journal/edit.php
Note 1 --> /modules/Journal/friend.php
Note 1 --> /modules/Journal/functions.php
Note 1 --> /modules/Journal/index.php
Note 1 --> /modules/Journal/modify.php
Note 1 --> /modules/Journal/savenew.php
Note 1 --> /modules/Journal/search.php
Note 1 --> /modules/Members_List/index.php
Note 1 --> /modules/News/allindex.php
Note 1 --> /modules/News/article.php
Note 1 --> /modules/News/associates.php
Note 1 --> /modules/News/categories.php
Note 1 --> /modules/News/comments.php
Note 1 --> /modules/News/friend.php
Note 1 --> /modules/News/index.php
Note 1 --> /modules/News/print.php
Note 3 --> /modules/Private_Messages/index.php
Note 1 --> /modules/Recommend_Us/index.php
Note 1 --> /modules/Resend_Email/index.php
Note 1 --> /modules/Reviews/index.php
Note 1 --> /modules/Search/index.php
Note 1 --> /modules/Sections/index.php
Note 1 --> /modules/Statistics/index.php
Note 1 --> /modules/Stories_Archive/index.php
Note 1 --> /modules/Submit_News/index.php
Note 1 --> /modules/Surveys/comments.php
Note 1 --> /modules/Surveys/index.php
Note 1 --> /modules/Top/index.php
Note 1 --> /modules/Topics/index.php
Note 1 --> /modules/Web_Links/index.php
Note 6 --> /modules/Web_Links/voteinclude.php
Note 1 --> /modules/Web_Links/class.rc4crypt.php
Note 1 --> /modules/Web_Links/compose.php
Note 1 --> /modules/Web_Links/inbox.php
Note 1 --> /modules/Web_Links/index.php
Note 1 --> /modules/Web_Links/mailheader.php
Note 1 --> /modules/Web_Links/nlmail.php
Note 1 --> /modules/Web_Links/readmail.php
Note 1 --> /modules/Web_Links/settings.php
Note 1 --> /modules/Your_Account/index.php
Note 2 --> /modules/Your_Account/navbar.php


Note 1: Vulnerabilty: Full path disclosure for servers not setup to check
        the main directory when a file is not located in the current 
        directory otherwise the rest of the code is executed.
Note 2: Vulnerability: Full path disclosure.  File has no security check. 
Note 3: Vulnerability: Full path disclosure.  Possibility of SQL injection
        IF the database abstraction layer can be executed while accessing
        this file.
Note 4: Vulnerabilty: Full path disclosure or the code can be made to execute 
        passing in proper variable values. File has no security check.  
Note 5: Vulnerabilty: Full path disclosure.
Note 6: Vulnerabilty: Full path disclosure for servers not setup to check the
        main directory when a file is not located in the current directory 
        otherwise the rest of the code is executed. File has no security check.


Credits -- Module Developers:
----------------------------

Admin FAQ/Authors/AvantGo/Backup/Banners/Blocks/Comments/Content/
Download/Encyclopedia/Ephemerids/Groups/Links/Messages/Modules/
News/Newsletter/Polls/Recommend Us/Referers/Reviews/Search/Sections/
Settings/Statistics/Stories/Stories Archive/Submit News/Surveys/Top/
Topics/Users/Web Links:
- Francisco Burzi (http://www.phpnuke.org)
- chatserv (http://www.nukefixes.com) (http://www.nukeresources.com)

Bookmarks/Journal/News/Tracking:
- Paul Laudanski and his team from Computer Cops (http://www.computercops.biz) 
  and NukeCops (http://www.nukecops.com/) "Official" PhpNuke Developers

Admin FAQ:
- Richard Tirtadji AKA King Richard (http://www.nukeaddon.com)
- Hutdik Hermawan AKA hotFix (http://www.nukeaddon.com)

AvantGo:
-  Tim Litwiller (http://linux.made-to-order.net)

Backup:
- Thomas Rudant (http://www.grunk.net) (http://www.securite-internet.org)

Bookmarks:
- David Moulton (http://www.themoultons.net)

Comments:
- Oleg [Dark Pastor] Martos (http://www.rolemancer.ru)

Forums/Members List/Private Messages (PHPBB2 forums code ported to PHPNuke):
- The phpBB Group (http://www.phpbb.com) 
- Tom Nitzschner (http://bbtonuke.sourceforge.net) (http://www.toms-home.com) 
- Paul Laudanski and his team from Computer Cops (http://www.computercops.biz) 
  and NukeCops (http://www.nukecops.com/) "Official" PhpNuke Developers
- chatserv (http://www.nukefixes.com) (http://www.nukeresources.com)  

Journal:
- Joseph Howard (Member's Journal)
- Trevor Scott (Atomic Journal)

Links:
- James Knickelbein (http://www.journeymilwaukee.com)

Optimize:
- Xavier JULIE (http://www.securite-internet.org) 
- chatserv (http://www.nukefixes.com) (http://www.nukeresources.com) 

Resend Email:
- Gaylen Fraley (http://gaylenandmargie.com/phpwebsite)
                               
Reviews:
- Jeff Lambert (http://www.qchc.com)

Statistics:
- Harry Mangindaan (http://www.nuketest.com)
- Sudirman (http://www.nuketest.com)

Tracking:
- WebStyle (http://www.wstyle.org)

Web Links:
- James Knickelbein (http://www.journeymilwaukee.com)

WebMail:
- Sivaprasad R.L (http://netlogger.net)
- Don Grabowski  (http://ecomjunk.com)
- Akan Nkweini (http://www.p3mail.com)
- Leo West

Your Account:
- Francisco Burzi (http://www.phpnuke.org)


===========================================================================
===========================================================================


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ