lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.21.0212201129530.28284-200000@Tempo.Update.UU.SE>
From: ulfh at update.uu.se (Ulf Harnhammar)
Subject: PHP-Nuke mail CRLF Injection vulnerabilities

PHP-Nuke mail CRLF Injection vulnerabilities


PROGRAM: PHP-Nuke
VENDOR: Fransisco Burzi et al.
HOMEPAGE: http://phpnuke.org/
VULNERABLE VERSIONS: 6.0 (the only supported version)
IMMUNE VERSIONS: 6.0 with my patch applied
LOGIN REQUIRED: no


DESCRIPTION:

"PHP-Nuke is a Web portal and online community system which
includes Web-based administration, surveys, access statistics,
user customizable boxes, a themes manager for registered users,
friendly administration GUI with graphic topic manager, the
ability to edit or delete stories, an option to delete comments,
a moderation system, referer tracking, integrated banner ad system,
search engine, backend/headlines generation (RSS/RDF format), Web
directory like Yahoo, events manager, and support for 20+ languages."

(direct quote from the program's project page at Freshmeat)

PHP-Nuke is published under the terms of the GNU General Public
License. It is a very popular program with lots and lots of
installations. It is included as one of the packages in Debian
GNU/Linux and one of FreeBSD's ports.

Despite all this, the program has a bad reputation regarding
security matters.


SUMMARY:

PHP-Nuke has got four functions that allow restricted sending of
e-mails: Feedback, Recommend Us, Send (news item) to a Friend and
Send this Journal to a Friend. They either restrict who you can send
e-mails to or what message you can send to them. They are open for
anonymous users as well as regular users.

By submitting special data, an attacker can escape these restrictions
and use someone else's PHP-Nuke installation to send HTML e-mails
to any recipient with any message that they like.


TECHNICAL DETAILS:

The fourth parameter to PHP's mail() function contains the additional
mail headers that PHP doesn't have a special parameter for. In this
case, it's used to add From and Reply-To headers. When PHP-Nuke
constructs the value for this parameter, it doesn't check the form
data it's using for CR and LF characters. As a result, an attacker
can supply extra mail headers and even an extra mail body, and they
will be included in the mail between the real headers and the real
body. This is done by simply including CR and LF characters in the
form data field that contains your e-mail address. If the attacker
includes an HTML message ending with a "<!--" tag or a
"<font color='something'>" tag that sets the foreground colour to
the background colour, the real mail body will not be shown in
many programs.


COMMUNICATION WITH VENDOR:

I didn't contact the vendor, as Fransisco has a very bad track
record when it comes to replying to security reports.


MY "SECURITY HARDENING PACKAGE":

Instead I wrote an unofficial patch for this issue. I have patched
against version 6.0.

The patch simply replaces all CR and LF characters in the vulnerable
variables with spaces, and then the exploit doesn't work anymore.


// Ulf Harnhammar
   VSU Security
   ulfh@...ate.uu.se


"I saw the worst minds of my generation / getting their political
 information from tabloids / listening to Savage Garden's greatest
 hits / getting married and having kids at 25 just 'cause the
 neighbours did / and building the worst administrative web-based
 members interface ever known to man" (To B.)

-------------- next part --------------
--- html/mainfile.php.old	Thu Dec 19 19:17:10 2002
+++ html/mainfile.php	Thu Dec 19 19:24:00 2002
@@ -870,4 +870,13 @@
     return($ThemeSel);
 }
 
-?>
\ No newline at end of file
+#
+# Security fix
+# Ulf Harnhammar, VSU Security 2002
+#
+
+function removecrlf($str) {
+    return strtr($str, "\015\012", '  ');
+}
+
+?>
--- html/modules/Feedback/index.php.old	Thu Dec 19 19:26:44 2002
+++ html/modules/Feedback/index.php	Thu Dec 19 19:28:34 2002
@@ -69,6 +69,8 @@
 	$send = "no";
     } 
     if ($send != "no") {
+	$sender_name = removecrlf($sender_name); # Security fix
+	$sender_email = removecrlf($sender_email);
 	$msg = "$sitename\n\n";
 	$msg .= ""._SENDERNAME.": $sender_name\n";
 	$msg .= ""._SENDEREMAIL.": $sender_email\n";
@@ -93,4 +95,4 @@
 CloseTable();   
 include("footer.php");
 
-?>
\ No newline at end of file
+?>
--- html/modules/Journal/friend.php.old	Thu Dec 19 21:23:27 2002
+++ html/modules/Journal/friend.php	Thu Dec 19 21:25:22 2002
@@ -38,6 +38,11 @@
 list ($jtitle) = sql_fetch_row($result, $dbi);
 
 if ($send == 1) {
+    $fname = removecrlf($fname); # Security fix
+    $fmail = removecrlf($fmail);
+    $yname = removecrlf($yname);
+    $ymail = removecrlf($ymail);
+
     $subject = ""._INTERESTING." $sitename";
     $message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname "._CONSIDERED."\n\n\n$jtitle\n"._URL.": $nukeurl/modules.php?name=$module_name&file=display&jid=$jid\n\n\n"._AREMORE."\n\n---\n$sitename\n$nukeurl";
     mail($fmail, $subject, $message, "From: \"$yname\" <$ymail>\nX-Mailer: PHP/" . phpversion());
@@ -82,4 +87,4 @@
 
 journalfoot();
 
-?>
\ No newline at end of file
+?>
--- html/modules/News/friend.php.old	Thu Dec 19 20:05:53 2002
+++ html/modules/News/friend.php	Thu Dec 19 20:16:24 2002
@@ -50,6 +50,11 @@
 function SendStory($sid, $yname, $ymail, $fname, $fmail) {
     global $sitename, $nukeurl, $prefix, $dbi, $module_name;
 
+    $fname = removecrlf($fname); # Security fix
+    $fmail = removecrlf($fmail);
+    $yname = removecrlf($yname);
+    $ymail = removecrlf($ymail);
+
     $result2=sql_query("select title, time, topic from ".$prefix."_stories where sid=$sid", $dbi);
     list($title, $time, $topic) = sql_fetch_row($result2, $dbi);
 
@@ -90,4 +95,4 @@
 
 }
 
-?>
\ No newline at end of file
+?>
--- html/modules/Recommend_Us/index.php.old	Thu Dec 19 20:00:45 2002
+++ html/modules/Recommend_Us/index.php	Thu Dec 19 20:02:45 2002
@@ -45,6 +45,9 @@
 
 function SendSite($yname, $ymail, $fname, $fmail) {
     global $sitename, $slogan, $nukeurl, $module_name;
+    $fmail = removecrlf($fmail); # Security fix
+    $yname = removecrlf($yname);
+    $ymail = removecrlf($ymail);
     $subject = ""._INTSITE." $sitename";
     $message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname "._OURSITE." $sitename "._INTSENT."\n\n\n"._FSITENAME." $sitename\n$slogan\n"._FSITEURL." $nukeurl\n";
     mail($fmail, $subject, $message, "From: \"$yname\" <$ymail>\nX-Mailer: PHP/" . phpversion());
@@ -76,4 +79,4 @@
 
 }
 
-?>
\ No newline at end of file
+?>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ