Multiple Full Path Disclosures in php-nuke 7.6 (and below)
---------------------------------------------------------------------------

Author: project-restart 
Date: 27. April 2005
Location: Brazil
Web: http://www.project-restart.org/
Target: PHP-nuke 7.6 (and below)

---------------------------------------------------------------------------
Target software description:
PHP-Nuke is a popular open-source content management system, written in PHP by
Francisco Burzi. This CMS is used on many thousands of websites because it is
freeware (7.7 is not), easy to install and manage, and has a broad set of features.

Homepage: http://phpnuke.org
---------------------------------------------------------------------------

Vulnerabilities found by luis <luis@xxxxxxxxxxxxxxxxxxx>

########################### Vuln1

File: includes/ipban.php
(http://localhost/nuke76/includes/ipban.php) 

-----------/includes/ipban.php--------------
15: global $prefix, $db;
16: $ip = $_SERVER["REMOTE_ADDR"];
17: $numrow = $db->sql_numrows($db->sql_query("SELECT id FROM ".$prefix."_banned_ip WHERE ip_address='$ip'"));
18: if ($numrow != 0) {
19:     echo "<br><br><center><img src='images\admin\ipban.gif'><br><br><b>You has been banned by the administrator</b></center>";
20:     die();
21: }
--------------------------------------------

Result:
Fatal error: Call to a member function on a non-object in
 /home/localhost/public_html/nuke76/includes/ipban.php on line 17

########################### Vuln2

File: db/db.php
(http://localhost/nuke76/db/db.php)

--------/db/db.php------------
49:switch($dbtype) {
50: case 'MySQL':
51: include("".$the_include."/mysql.php");#
52: break;
(...)
85: $db = new sql_db($dbhost, $dbuname, $dbpass, $dbname, false);
86: if(!$db->db_connect_id) {#
87: die("<br><br><center><img src=images/logo.gif><br><br><b>There seems to be a problem with the MySQL server, sorry for the inconvenience.<br><br>We should be back shortly.</center></b>");
88: }
-----------------------------

Result:
Fatal error: Cannot instantiate non-existent class: sql_db in 
/home/localhost/public_html/nuke76/db/db.php on line 86


########################### Vuln3
File: /modules/Reviews/language/lang-norwegian.php
(http://localhost/nuke76/modules.php?name=Reviews&newlang=norwegian)

--------/modules/Reviews/language/lang-norwegian.php--------------
52: define("_INVALIDTEXT","Feil i anmeldelsestekst... Feltet kan ikke være tomt\");
53: define("_INVALIDHITS","Treff må være en positiv integer");
-----------------------------------------------------------------

Result:
Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Reviews/language/lang-norwegian.php
on line 53

########################## Vuln4
File: /modules/Downloads/language/lang-greek.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=greek)

-------/modules/Downloads/language/lang-greek.php-----------
176: A-# define("_FILESIZE","ÌÝãåèïò áñ÷åßïõ");
177: A-# define("_VERSION","¸êäïóç");
178: K-# define("_UDOWNLOADS","ÁíáêôÞóåÃ(c)ò");
179: A-# define("_HOMEPAGE","ÊåíôñÃ(c)êÞ Ã"åëßäá ");
------------------------------------------------------------

Is this a comment?!
Result:
Parse error: parse error, unexpected ';' in 
/home/localhost/public_html/nuke76/modules/Downloads/language/lang-greek.php
on line 181

######################### Vuln 5
File: /modules/Downloads/language/lang-indonesian.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=indonesian)

------/modules/Downloads/language/lang-indonesian.php----
59: define("_DOWNLOADSNOTUSER8","<a href=\"modules.php?name=Your_Account&">Daftar di sini</a>");
60: define("_DOWNLOADALREADYEXT","ERROR: Alamat URL sudah ada dalam database!");
---------------------------------------------------------

Result:
Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Downloads/language/lang-indonesian.php
on line 59


---------------------------------------------------------------------------
(more)

Vulnerabilities found by guilherme <guilherme@xxxxxxxxxxxxxxxxxxx>


########################### Vuln6

File: /modules/Web_Links/language/lang-portuguese.php

If the Web_Links module is called with the Portuguese language,
it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Web_Links&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Web_Links/language/lang-portuguese.php
on line 171

---------/modules/Web_Links/language/lang-portuguese.php----------------

169: define("_REMOTEFORM","Forma de Avaliação a Distância");
170: define("_PROMOTE04","Se você nos enganar, nós removeremos seu link. Temos dito isto, aqui como uma forma de avaliação remota e
171: define("_VOTE4THISSITE","Vote neste Site!");
172: define("_LINKVOTE","Vote!");
----------------------------

########################### Vuln7

File: /modules/Web_Links/language/lang-indonesian.php

If the Web_Links module is called with the Indonesian language,
it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Web_Links&newlang=indonesian)

Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Web_Links/language/lang-indonesian.php
on line 170

---------/modules/Web_Links/language/lang-indonesian.php----------------

169: define("_LOOKTOREQUEST","Kami akan memeriksa laporan anda.");
170: define("_ONLYREGUSERSMODIFY","Hanya member yang bisa meminta modifikasi link. Silakan daftar atau login <a href=\"/modules.php?name=Your_Account&">di sini</a>.");
171: define("_REQUESTLINKMOD","Permohonan Modifikasi Link Situs");
------------------------

########################### Vuln8

File: /modules/Surveys/language/lang-indonesian.php 

If the Surveys module is called with the Indonesian language,
it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Surveys&newlang=indonesian)

Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Surveys/language/lang-indonesian.php
on line 40

---------/modules/Surveys/language/lang-indonesian.php----------------
39: define("_NOSUBJECT","Tanpa Subjek");
40: define("_NOANONCOMMENTS","Anda tidak dibolehkan mengirim komentar, silakan daftar <a href=\"modules.php?name=Your_Account&">di sini</a>");
41: define("_PARENT","Setingkat ke atas");
------------------------------


########################### Vuln9

File: /modules/Reviews/language/lang-portuguese.php

If the Reviews module is called with the Portuguese language,
it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Reviews&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Reviews/language/lang-portuguese.php
on line 89

---------/modules/Reviews/language/lang-portuguese.php----------------
88: define("_YOURNICK","O seu nome:");
89: define("_RCREATEACCOUNT","<a href="modules.php?name=Your_Account&op=new_user\"><b>Crie</b></a> uma conta");
87: define("_YOURCOMMENT","O seu comentário:");
-----------

########################### Vuln10

File: /modules/Journal/language/lang-portuguese.php

If the Journal module is called with the Portuguese language,
it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Journal&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Journal/language/lang-portuguese.php
on line 31

---------/modules/Journal/language/lang-portuguese.php----------------
29: define("_ADDJOURNAL","Adicionar uma entrada no diário");
30: define("_ADDENTRY","Adicionar uma nova entrada);
31: define("_YOURLAST20","As suas 20 entradas");
-----------------------

---------------------------------------------------------------------------
How to fix:
http://www.project-restart.org
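
To confirm that a deployment no longer shows these messages to visitors (for example after turning off PHP's display_errors setting), response bodies can be checked for the error format quoted in the results above. This is an added example, not part of the original advisory; the function names and the HTML framing of the sample bodies are assumptions.

```python
import posixpath
import re
from html import unescape

_TAGS = re.compile(r"<[^>]+>")
# "<level>: <message> in <absolute path> on line <n>", Unix or Windows path.
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice):\s+"
    r"(?P<message>.{1,300}?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])\S+?)\s+on\s+line\s+(?P<line>\d+)",
    re.DOTALL,
)

def find_path_disclosures(body):
    """Return one dict per PHP error in `body` that exposes an absolute path."""
    text = unescape(_TAGS.sub("", body))  # html_errors wraps fields in <b> tags
    return [
        {"level": m["level"], "message": " ".join(m["message"].split()),
         "path": m["path"], "line": int(m["line"])}
        for m in _PHP_ERROR.finditer(text)
    ]

def leaked_root(hits):
    """Longest directory shared by all leaked Unix paths (None if no hits)."""
    paths = [h["path"] for h in hits if h["path"].startswith("/")]
    return posixpath.commonpath(paths) if paths else None

# Constructed response bodies: error text from the advisory, HTML framing assumed.
SAMPLES = {
    "includes/ipban.php": (
        "<br />\n<b>Fatal error</b>:  Call to a member function on a non-object "
        "in <b>/home/localhost/public_html/nuke76/includes/ipban.php</b> "
        "on line <b>17</b><br />"
    ),
    "modules.php?name=Reviews&newlang=norwegian": (
        "Parse error: parse error, unexpected T_STRING in \n"
        "/home/localhost/public_html/nuke76/modules/Reviews/language/"
        "lang-norwegian.php\non line 53"
    ),
    "index.php": "<html><body>Warning: site maintenance tonight.</body></html>",
}

if __name__ == "__main__":
    hits = [h for body in SAMPLES.values() for h in find_path_disclosures(body)]
    for h in hits:
        print(f"{h['level']} leaks {h['path']} (line {h['line']})")
    print("exposed install root:", leaked_root(hits))
```

A page that merely contains the word "Warning:" without a path and line number, like the third sample, is not reported.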

---------------------------------------------------------------------------

TimeLine:
25/04/2005 - php-nuke installed on our server (default 7.6 downloaded from phpnuke.org)
26/04/2005 - Luis found the first vulns and began looking for more
27/04/2005 - Guilherme found many vulns in the language files
28/04/2005 - Luis went through all language files and found more vulns
29/04/2005 - report sent and vendor contacted

Contact:
---------------------------------------------------------------------------

Luis (22) - luis@xxxxxxxxxxxxxxxxxxx
Guilherme (GBR) - guilherme@xxxxxxxxxxxxxxxxxxx
Rodrigo (digão) - rodrigo@xxxxxxxxxxxxxxxxxxx

Homepage: http://www.project-restart.org/

May God have mercy on our souls!

(P.S. Sorry for our bad English, we are Brazilian boys =D)