[UNIX] phpNuke Vulnerable to Multiple Security Holes (Administrative Privileges, DoS)

From: support@securiteam.com
Date: 08/08/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] phpNuke Vulnerable to Multiple Security Holes (Administrative Privileges, DoS)
Message-Id: <20010808210416.95ABB138C4@mail.der-keiler.de>
Date: Wed,  8 Aug 2001 23:04:16 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  phpNuke Vulnerable to Multiple Security Holes (Administrative Privileges, DoS)
------------------------------------------------------------------------

SUMMARY

 phpNuke (<http://www.phpnuke.org>) is an open source web portal that
powers many websites on the net. phpNuke does not properly sanitize input
variables, making it vulnerable to an attack that would give an intruder
administrative privileges.

DETAILS

Vulnerable systems:
phpNuke version 5.x

This vulnerability is only possible if the intruder knows the name of the
database that phpNuke is using, and the web server must be able to connect
to that database without a password. Although it is very unlikely that
both circumstances will occur, the bug is still worth mentioning.

phpNuke includes a new feature involving a variable named $prefix:

< Quote from phpNuke release >
"All database tables now have the nuke_ prefix to avoid conflicts with
other scripts."
- "New $prefix variable in config.php to set up multiple Nuke sites sharing
one database."
</ End Quote >

The $prefix variable is defined in the config.php file and is set to
'nuke' by default, alongside a default database name of 'nuke'.

< Sample default config.php file >
$dbhost = "localhost";
$dbuname = "root";
$dbpass = "";
$dbname = "nuke";
$system = 0;
$prefix = "nuke";
</ End Sample >

An attacker can take advantage of this new feature by supplying a crafted
value for the $prefix variable, thereby creating their own arbitrary SQL
query. In the article.php file this is most easily accomplished by
bypassing the inclusion of mainfile.php and supplying values for $sid and
$tid.

(Bypassing the mainfile.php inclusion matters because mainfile.php itself
includes config.php, which holds the definition of $prefix; if $prefix is
never defined, an attacker can supply her own value.)

< sample code from article.php >
if(!isset($mainfile)) { include("mainfile.php"); }
if(!isset($sid) && !isset($tid)) { exit(); }
</ end sample code>

The flow of the program will then eventually reach the following SQL
query:

< example query from article.php >
mysql_query("UPDATE ".$prefix."_stories SET counter=counter+1 WHERE sid=$sid");
</ end example query >

So the following request will set all admin passwords to '1', given that
'nuke' is the name of the phpNuke database:

article.php?mainfile=1&sid=1&tid=1&prefix=nuke.authors%20set%20pwd=1%23
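As an added example, not phpNuke's own code or the advisory author's, here is the same article.php entry point rewritten so that the request can no longer influence which table is updated; it assumes the config.php variables quoted above and a mysqli connection (prepared statements postdate phpNuke 5.x, so the database call is an assumption as well):

```php
<?php
// Added example, not phpNuke's own code: a hardened article.php fragment.
// Assumes the config.php variables quoted in the advisory ($dbhost,
// $dbuname, $dbpass, $dbname, $prefix) and a mysqli connection.

// Load the configuration unconditionally. The original guard
// `if(!isset($mainfile))` can be satisfied from the query string when
// register_globals is on, which leaves $prefix undefined and overridable.
require_once 'config.php';

// A table prefix is part of the SQL text and cannot be bound as a
// parameter, so validate it against a strict allow-list instead.
// Dots, spaces, quotes and '#' (the pieces of the advisory's payload)
// are all rejected here.
function valid_prefix($prefix)
{
    return is_string($prefix) && preg_match('/^[A-Za-z0-9_]+$/', $prefix) === 1;
}

if (!valid_prefix($prefix)) {
    exit('config.php: $prefix must contain only letters, digits and underscores');
}

// Read request parameters from $_GET only, never from globals that
// register_globals might have populated, and coerce ids to integers.
$sid = isset($_GET['sid']) ? (int) $_GET['sid'] : 0;
$tid = isset($_GET['tid']) ? (int) $_GET['tid'] : 0;
if ($sid <= 0 && $tid <= 0) {
    exit();
}

$db = new mysqli($dbhost, $dbuname, $dbpass, $dbname);
if ($db->connect_error) {
    exit('database connection failed');
}

// The table name is built from the validated prefix plus a fixed suffix;
// the only request-controlled value travels as a bound integer.
$stmt = $db->prepare("UPDATE {$prefix}_stories SET counter = counter + 1 WHERE sid = ?");
$stmt->bind_param('i', $sid);
$stmt->execute();
$stmt->close();
```

Even with register_globals on, the assignment in config.php runs after PHP has populated the globals, so $prefix always ends up with the configured value.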

DoS condition:
In addition, the file 'modules.php' allows a possible denial of service:
an attacker can cause the file to recursively include itself (or any PHP
file on the system, because phpNuke does not check for '../') by using the
following URL:
 
http://site_name_with_phpnuke/modules.php?op=modload&name=../&file=modules

Resources were consumed quickly in the tests that were performed.

Another way to obtain administrator privileges:
Because any .php file on the system can be included, another user with an
account on the same machine that phpNuke runs on can cause phpNuke to
include his own .php file (if he makes it readable by everyone), and his
arbitrary code will then run with the permissions of the phpNuke user.
This leads to easy administrative access to the portal and to any of the
phpNuke user's files.
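An added example (not from phpNuke or the advisory) of how modules.php could constrain the 'name' and 'file' parameters so that neither the recursive include nor the inclusion of another local user's file is possible; it assumes modules live under modules/<name>/<file>.php beneath the script's own directory, which the advisory's URL implies but does not state.

```php
<?php
// Added example, not phpNuke's own code: a safer "modload" path for
// modules.php. Assumed layout: modules/<name>/<file>.php under the
// directory that contains this script.

$modules_root = realpath(__DIR__ . '/modules');

// Accept only letters, digits and underscores for path components. This
// rejects '../', slashes and NUL bytes, so the request cannot escape the
// modules directory or reach a file another local user controls.
function safe_component($value)
{
    return is_string($value) && preg_match('/^[A-Za-z0-9_]+$/', $value) === 1;
}

$op   = isset($_GET['op'])   ? $_GET['op']   : '';
$name = isset($_GET['name']) ? $_GET['name'] : '';
$file = isset($_GET['file']) ? $_GET['file'] : 'index';

if ($op !== 'modload' || !safe_component($name) || !safe_component($file)) {
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid module request');
}

// Resolve the final path and confirm it still lies inside $modules_root.
// This also catches a module directory that is itself a symlink pointing
// outside the tree.
$target = realpath("$modules_root/$name/$file.php");
if ($target === false || strpos($target, $modules_root . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit('No such module');
}

// The allow-list above already prevents name=../, but an explicit check
// documents the intent and rules out the recursive self-include that
// exhausts resources.
if ($target === realpath(__FILE__)) {
    exit('Refusing recursive include');
}

include $target;
```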

ADDITIONAL INFORMATION

The information has been provided by <mailto:kill-9@modernhackers.com>
kill-9.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


