Multiple Full Path Disclosures in PHP-Nuke 7.6 (and below)
---------------------------------------------------------------------------
Author: project-restart
Date: 27. April 2005
Location: Brazil
Web: http://www.project-restart.org/
Target: PHP-nuke 7.6 (and below)
---------------------------------------------------------------------------
Target software description:
PHP-Nuke is a popular open-source content management system, written in PHP by
Francisco Burzi. This CMS is used on many thousands of websites because it is
freeware (7.7 is not ¬¬), easy to install and manage, and has a broad set of
features.
Homepage: http://phpnuke.org
---------------------------------------------------------------------------
Vulnerabilities found by Luis <luis@xxxxxxxxxxxxxxxxxxx>
########################### Vuln1
File: includes/ipban.php
(http://localhost/nuke76/includes/ipban.php)
-----------/includes/ipban.php--------------
15: global $prefix, $db;
16: $ip = $_SERVER["REMOTE_ADDR"];
17: $numrow = $db->sql_numrows($db->sql_query("SELECT id FROM ".$prefix."_banned_ip WHERE ip_address='$ip'"));
18: if ($numrow != 0) {
19: echo "<br><br><center><img src='images\admin\ipban.gif'><br><br><b>You has been banned by the administrator</b></center>";
20: die();
21: }
--------------------------------------------
Result:
Fatal error: Call to a member function on a non-object in
/home/localhost/public_html/nuke76/includes/ipban.php on line 17
########################### Vuln2
File: db/db.php
(http://localhost/nuke76/db/db.php)
--------/db/db.php------------
49:switch($dbtype) {
50: case 'MySQL':
51: include("".$the_include."/mysql.php");#
52: break;
(...)
85: $db = new sql_db($dbhost, $dbuname, $dbpass, $dbname, false);
86: if(!$db->db_connect_id) {#
87: die("<br><br><center><img src=images/logo.gif><br><br><b>There seems to be a problem with the MySQL server, sorry for the inconvenience.<br><br>We should be back shortly.</center></b>");
88: }
-----------------------------
Result:
Fatal error: Cannot instantiate non-existent class: sql_db in
/home/localhost/public_html/nuke76/db/db.php on line 86
########################### Vuln3
File: /modules/Reviews/language/lang-norwegian.php
(http://localhost/nuke76/modules.php?name=Reviews&newlang=norwegian)
--------/modules/Reviews/language/lang-norwegian.php--------------
52: define("_INVALIDTEXT","Feil i anmeldelsestekst... Feltet kan ikke være tomt\");
53: define("_INVALIDHITS","Treff må være en positiv integer");
-----------------------------------------------------------------
Result:
Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Reviews/language/lang-norwegian.php
on line 53
########################## Vuln4
File: /modules/Downloads/language/lang-greek.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=greek)
-------/modules/Downloads/language/lang-greek.php-----------
176: A-# define("_FILESIZE","Μέγεθος αρχείου");
177: A-# define("_VERSION","Έκδοση");
178: K-# define("_UDOWNLOADS","Ανακτήσεις");
179: A-# define("_HOMEPAGE","Κεντρική Σελίδα ");
------------------------------------------------------------
Is this a comment?!
Result:
Parse error: parse error, unexpected ';' in
/home/localhost/public_html/nuke76/modules/Downloads/language/lang-greek.php
on line 181
########################### Vuln5
File: /modules/Downloads/language/lang-indonesian.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=indonesian)
------/modules/Downloads/language/lang-indonesian.php----
59: define("_DOWNLOADSNOTUSER8","<a href=\"modules.php?name=Your_Account&">Daftar di sini</a>");
60: define("_DOWNLOADALREADYEXT","ERROR: Alamat URL sudah ada dalam database!");
---------------------------------------------------------
Result:
Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Downloads/language/lang-indonesian.php
on line 59
---------------------------------------------------------------------------
(more)
Vulnerabilities found by Guilherme <guilherme@xxxxxxxxxxxxxxxxxxx>
########################### Vuln6
File: /modules/Web_Links/language/lang-portuguese.php
If the Web_Links module is called with the Portuguese language,
it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Web_Links&newlang=portuguese)
Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Web_Links/language/lang-portuguese.php
on line 171
---------/modules/Web_Links/language/lang-portuguese.php----------------
169: define("_REMOTEFORM","Forma de Avaliação a Distância");
170: define("_PROMOTE04","Se você nos enganar, nós removeremos seu link. Temos dito isto, aqui como uma forma de avaliação remota e
171: define("_VOTE4THISSITE","Vote neste Site!");
172: define("_LINKVOTE","Vote!");
----------------------------
########################### Vuln7
File: /modules/Web_Links/language/lang-indonesian.php
If the Web_Links module is called with the Indonesian language,
it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Web_Links&newlang=indonesian)
Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Web_Links/language/lang-indonesian.php
on line 170
---------/modules/Web_Links/language/lang-indonesian.php----------------
169: define("_LOOKTOREQUEST","Kami akan memeriksa laporan anda.");
170: define("_ONLYREGUSERSMODIFY","Hanya member yang bisa meminta modifikasi link. Silakan daftar atau login <a href=\"/modules.php?name=Your_Account&">di sini</a>.");
171: define("_REQUESTLINKMOD","Permohonan Modifikasi Link Situs");
------------------------
########################### Vuln8
File: /modules/Surveys/language/lang-indonesian.php
If the Surveys module is called with the Indonesian language,
it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Surveys&newlang=indonesian)
Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Surveys/language/lang-indonesian.php
on line 40
---------/modules/Surveys/language/lang-indonesian.php----------------
39: define("_NOSUBJECT","Tanpa Subjek");
40: define("_NOANONCOMMENTS","Anda tidak dibolehkan mengirim komentar, silakan daftar <a href=\"modules.php?name=Your_Account&">di sini</a>");
41: define("_PARENT","Setingkat ke atas");
------------------------------
########################### Vuln9
File: /modules/Reviews/language/lang-portuguese.php
If the Reviews module is called with the Portuguese language,
it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Reviews&newlang=portuguese)
Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Reviews/language/lang-portuguese.php
on line 89
---------/modules/Reviews/language/lang-portuguese.php----------------
88: define("_YOURNICK","O seu nome:");
89: define("_RCREATEACCOUNT","<a href="modules.php?name=Your_Account&op=new_user\"><b>Crie</b></a> uma conta");
87: define("_YOURCOMMENT","O seu comentário:");
-----------
########################### Vuln10
File: /modules/Journal/language/lang-portuguese.php
If the Journal module is called with the Portuguese language,
it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Journal&newlang=portuguese)
Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Journal/language/lang-portuguese.php
on line 31
---------/modules/Journal/language/lang-portuguese.php----------------
29: define("_ADDJOURNAL","Adicionar uma entrada no diário");
30: define("_ADDENTRY","Adicionar uma nova entrada);
31: define("_YOURLAST20","As suas 20 entradas");
-----------------------
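Vuln3 to Vuln10 share one root cause: a define() line in a language file whose string literal closes too early or never closes, and PHP sometimes reports the error one line after the defect (Vuln3 is reported on line 53, the broken quote is on line 52). The check below is an added example, not code from the original advisory or from PHP-Nuke; its function names are hypothetical and it is a line-based heuristic that assumes one define("NAME","VALUE"); per line with double-quoted literals, as in the excerpts above (`php -l` remains the authoritative syntax check).

```python
import re

def lex_string(s):
    """s starts with '"'. Return index just past the closing quote, or -1."""
    i = 1
    while i < len(s):
        if s[i] == '"':
            return i + 1
        i += 2 if s[i] == "\\" else 1   # a backslash escapes the next char
    return -1

def check_define(line):
    """None for a well-formed define("NAME","VALUE"); else a short reason."""
    m = re.match(r"\s*define\s*\(", line)
    if not m:
        return None                      # not a define() line: out of scope
    rest = line[m.end():].lstrip()
    for closer in (",", ")"):
        if not rest.startswith('"'):
            return "argument is not a double-quoted literal"
        end = lex_string(rest)
        if end < 0:
            return "string never closes (missing or escaped closing quote)"
        rest = rest[end:].lstrip()
        if not rest.startswith(closer):
            return "text after closing quote (unescaped quote in value)"
        rest = rest[1:].lstrip()
    return None if rest.startswith(";") else "missing ';'"

def lint(lines):
    """Return [(line_number, reason)] for every malformed define()."""
    return [(n, why) for n, line in enumerate(lines, 1)
            if (why := check_define(line))]

# Constructed sample: define() lines quoted in Vuln3, Vuln5 and Vuln10,
# with the mail wrapping undone; numbering restarts at 1.
SAMPLE = r'''
define("_INVALIDTEXT","Feil i anmeldelsestekst... Feltet kan ikke være tomt\");
define("_INVALIDHITS","Treff må være en positiv integer");
define("_DOWNLOADSNOTUSER8","<a href=\"modules.php?name=Your_Account&">Daftar di sini</a>");
define("_ADDENTRY","Adicionar uma nova entrada);
define("_YOURLAST20","As suas 20 entradas");
'''.strip().splitlines()

if __name__ == "__main__":
    for n, why in lint(SAMPLE):
        print(f"line {n}: {why}")
```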
---------------------------------------------------------------------------
How to fix:
http://www.project-restart.org
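The symptom common to all ten issues is a PHP error message with an absolute server path in the response body, which only appears when errors are displayed to the client. The check below is an added example, not code from the original advisory; its function names are hypothetical, and the sample bodies are constructed from the Result messages above so that a site operator can run it over responses captured from their own installation.

```python
import re
from posixpath import commonpath, dirname

TAG = re.compile(r"<[^>]+>")
# "<level>: <message> in <absolute path> on line <n>", the shape of every
# Result quoted in the advisory; Windows-style paths are also accepted.
PHP_ERROR = re.compile(
    r"(Fatal error|Parse error|Warning|Notice):\s+(.+?)\s+in\s+"
    r"((?:/|[A-Za-z]:\\)\S+)\s+on\s+line\s+(\d+)")

def find_path_leaks(body):
    """Return one dict per PHP error message that exposes a server path."""
    # Drop the <b>/<br /> markup PHP adds when html_errors is on, then
    # collapse whitespace so wrapped messages still match.
    text = " ".join(TAG.sub("", body).split())
    return [{"level": m[1], "message": m[2], "file": m[3], "line": int(m[4])}
            for m in PHP_ERROR.finditer(text)]

def exposed_root(leaks):
    """Deepest directory shared by all leaked files (POSIX paths only)."""
    dirs = [dirname(k["file"]) for k in leaks if k["file"].startswith("/")]
    return commonpath(dirs) if dirs else None

# Constructed sample bodies: messages copied from the Results above, the
# second one wrapped in the markup PHP emits with html_errors enabled.
SAMPLES = {
    "/nuke76/includes/ipban.php":
        "Fatal error: Call to a member function on a non-object in\n"
        "/home/localhost/public_html/nuke76/includes/ipban.php on line 17",
    "/nuke76/modules.php?name=Reviews&newlang=norwegian":
        "<br />\n<b>Parse error</b>:  parse error, unexpected T_STRING in "
        "<b>/home/localhost/public_html/nuke76/modules/Reviews/language/"
        "lang-norwegian.php</b> on line <b>53</b><br />",
    "/nuke76/index.php": "<html><body>Welcome</body></html>",
}

def scan(samples):
    """Map each request path to the leaks found in its response body."""
    return {url: find_path_leaks(body) for url, body in samples.items()}

if __name__ == "__main__":
    report = scan(SAMPLES)
    found = [leak for leaks in report.values() for leak in leaks]
    for url, leaks in report.items():
        for leak in leaks:
            print(f"{url}: {leak['level']} leaks {leak['file']}:{leak['line']}")
    print("exposed root:", exposed_root(found))
```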
---------------------------------------------------------------------------
TimeLine:
25/04/2005 - PHP-Nuke installed on our server (default 7.6 downloaded
from phpnuke.org)
26/04/2005 - Luis found the first vulns and began looking for more
27/04/2005 - Guilherme found many vulns in the language files
28/04/2005 - Luis reviewed all the language files and found more vulns
29/04/2005 - report sent and vendor contacted
Contact:
---------------------------------------------------------------------------
Luis (22) - luis@xxxxxxxxxxxxxxxxxxx
Guilherme (GBR) - guilherme@xxxxxxxxxxxxxxxxxxx
Rodrigo (digão) - rodrigo@xxxxxxxxxxxxxxxxxxx
Homepage: http://www.project-restart.org/
May God have mercy on our souls!
(P.S. Sorry for our bad English, we are Brazilian boys =D)