PHP-Nuke <= 8.0 Cookie Manipulation (lang)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHP-Nuke <= 8.0 Cookie Manipulation (lang)
From: programmer@xxxxxxxxxxxxxxx
Date: 10 Mar 2007 02:46:39 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

/////////////////////////////////////////////////////////////////////////////////////////////////////
PHPNuke <= 8.0 Cookie Manipulation (lang)

PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: All version
BUG: Cookie Manipulation (lang) (SQL Injection + Local file include)
AUTHOR: Aleksandar aka sale83

///////////////////////////////////////////////////////////////////////////////////////////////////////
PHP.ini
Magic Quotes  = OFF 
//////////////////////////////////////////////////////////////////////////////////////////////////////
PHP-Nuke - >Preferences - > Multilingual Options-> On (Activate Multilingual 
features?  = YES)
/////////////////////////////////////////////////////////////////////////////////////////////////////

Bug is found in mainfile.php line 327.

// Line 327 Bug is here 
} elseif (isset($lang)) {
        include_once("language/lang-".$lang.".php"); // This can be exploited 
by malicious users: ex: /../../robots.txt%00 Multilingual Options=OFF
        $currentlang = $lang; // This can be exploited by malicious users. 
ex:SQL Injection in Top and News Module ($currentlang) Multilingual Options = On
} else {

/////////////////////////////////////////////////////////////////////////////////////////////////

This flaw is due to an error when handling the "lang" cookie parameter, which 
could be exploited by malicious users because $lang is not filtered. 


Tested On:
Windows XP
Linux SlackWare 10.2
PHP Version 5.1.4
PHPNuke 8.0 ,7.9,7.6
Magic Quotes = OFF
Firefox  2 + Add N Edit Cookies Add-ons


/////////////////////////////////////////////////////////////////////////////////////////////////
Patch:

} elseif (isset($lang)) {
   if (eregi('[A-Za-z]', $lang)) {
      if (file_exists("language/lang-".$lang.".php")) {
               include_once("language/lang-".$lang.".php");
                $currentlang = $lang;
            }else {
                  include_once("language/lang-english.php");
                        $currentlang = "english";
                } 
          }else {
           include_once("language/lang-english.php");
           $currentlang = "english";
          }
} else {

/////////////////////////////////////////////////////////////////////////////////////////////////
Best Regards
Aleksandar
Programmer and Web Developer
///////////////////////////////////////////////////////////////////////////////////////////////

Follow-Ups:
- Re: PHP-Nuke <= 8.0 Cookie Manipulation (lang)
  - From: Paul Laudanski

Prev by Date: [Argeniss] Practical 10 minutes security audit: Oracle Case (Paper)
Next by Date: Remote File Include In Script Premod SubDog 2
Previous by thread: [Argeniss] Practical 10 minutes security audit: Oracle Case (Paper)
Next by thread: Re: PHP-Nuke <= 8.0 Cookie Manipulation (lang)
Index(es):
- Date
- Thread