Re: Multiple vulnerabilities PHP-Nuke

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Multiple vulnerabilities PHP-Nuke
From: Squid <squidsecurity@xxxxxxxxxxxx>
Date: 9 Jun 2004 06:21:23 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <000001c44d6d$e6897a80$2002a8c0@alucxp1>

Since you said patches have been available for "many, many months", please 
provide links to them.  It appears you merely restricted access to this module 
on your site not that these were necessarily fixed.  A check of the patched 
code though will show for sure whether the problems were previously addressed. 

Even so, there has been at least two upgrades for PHPNuke in the past couple 
months.  If security patches are issued by third-parties but not incorporated 
into the main distribution, this leaves brand new users, hosts which offer 
auto-install versions, and those who upgrade susceptible to unfixed known 
vulnerabilities.  It also passes on the same ones to forked projects. 

I agree CPG-Nuke is not affected.  They do not have a Reviews module at least 
not in the default distribution.  betaNC Bundle and OSC2Nuke though have the 
same vulnerabilities reported here.  Other forks may have it too.

Ref Dark's para 2A: I couldn't reproduce this on Linux.  The warning for date() 
resulting in full path disclosure may be Windows unique.

Ref Dark's para 2B: This occurs only when magic_quotes_gpc is set to off.  
PhpNuke is not written to handle it being either on and off.  It must be on.  
I'll bet there are other vulnerabilities present in the script when it's off.

Squid

-----

>This does not apply to any site that has applied the security fixes
>available for many, many months.  This is only affecting phpnuke.org
>distro's, not any 'modified' or 'secured' distro, like betaNC, CPG-NUKE,
>and others...
>
>No additional patches dealing with these specifics below applied to
>php-nuke 7.0 only the security patches.
>
>A. Generates a proper ACCESS DENIED page, no PATH DISCLOSURE. =20
>-------------------------------------------------------------
>RESULT:
>
>"You are trying to access a restricted area.
>
>We are Sorry, but this section of our site is for Registered Users Only.
>You can register for free by clicking here, then you can
>access this section without restrictions. Thanks."
>
>B. No CSS exploit.  Same result as above.  Below example was sanitized
>prior to GET:
>------------------------------------------------------------------------
>------------
>RESULT:
>
>modules.php?name=3DReviews&rop=3Dpostcomment&id=3D'%3Ch1%3EDarkBicho%3C/h=
>1&tit
>le=3Da
>modules.php?name=3DReviews&rop=3Dpostcomment&id=3D'&title=3D%3Ch1%3EDarkB=
>icho%3C
>/h1%3E
>
>
>So as long as you've addressed the age-old bugs that still haven't been
>fixed in the basic PHP-Nuke distro's then you may be vulnerable.
>However these methods have long been squashed in patches available, and
>do not affect newer, secure distro's such as betaNC or CPG-Nuke.
>
>Again, I added no new patches to test these potentials in the last 30
>days.  And they simply are not a factor.
>
>Sincerely,
>
>J.
>j e r u v y a t s h a w d o t c a=20

Follow-Ups:
- RE: Multiple vulnerabilities PHP-Nuke
  - From: Jeruvy

Prev by Date: [security bulletin] SSRT3456 HP-UX ftp remote unauthorized access
Next by Date: Re: Multiple Vulnerabilities in Invision Power Board v1.3.1 Final.
Previous by thread: RE: Multiple vulnerabilities PHP-Nuke
Next by thread: RE: Multiple vulnerabilities PHP-Nuke
Index(es):
- Date
- Thread