[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070310024639.6473.qmail@securityfocus.com>
Date: 10 Mar 2007 02:46:39 -0000
From: programmer@...biansite.com
To: bugtraq@...urityfocus.com
Subject: PHP-Nuke <= 8.0 Cookie Manipulation (lang)
/////////////////////////////////////////////////////////////////////////////////////////////////////
PHPNuke <= 8.0 Cookie Manipulation (lang)
PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: All version
BUG: Cookie Manipulation (lang) (SQL Injection + Local file include)
AUTHOR: Aleksandar aka sale83
///////////////////////////////////////////////////////////////////////////////////////////////////////
PHP.ini
Magic Quotes = OFF
//////////////////////////////////////////////////////////////////////////////////////////////////////
PHP-Nuke - >Preferences - > Multilingual Options-> On (Activate Multilingual features? = YES)
/////////////////////////////////////////////////////////////////////////////////////////////////////
Bug is found in mainfile.php line 327.
// Line 327 Bug is here
} elseif (isset($lang)) {
include_once("language/lang-".$lang.".php"); // This can be exploited by malicious users: ex: /../../robots.txt%00 Multilingual Options=OFF
$currentlang = $lang; // This can be exploited by malicious users. ex:SQL Injection in Top and News Module ($currentlang) Multilingual Options = On
} else {
/////////////////////////////////////////////////////////////////////////////////////////////////
This flaw is due to an error when handling the "lang" cookie parameter, which could be exploited by malicious users because $lang is not filtered.
Tested On:
Windows XP
Linux SlackWare 10.2
PHP Version 5.1.4
PHPNuke 8.0 ,7.9,7.6
Magic Quotes = OFF
Firefox 2 + Add N Edit Cookies Add-ons
/////////////////////////////////////////////////////////////////////////////////////////////////
Patch:
} elseif (isset($lang)) {
if (eregi('[A-Za-z]', $lang)) {
if (file_exists("language/lang-".$lang.".php")) {
include_once("language/lang-".$lang.".php");
$currentlang = $lang;
}else {
include_once("language/lang-english.php");
$currentlang = "english";
}
}else {
include_once("language/lang-english.php");
$currentlang = "english";
}
} else {
/////////////////////////////////////////////////////////////////////////////////////////////////
Best Regards
Aleksandar
Programmer and Web Developer
///////////////////////////////////////////////////////////////////////////////////////////////
Powered by blists - more mailing lists