[UNIX] PHPNuke module.php Vulnerability and PHP error_reporting Issue

From: support@securiteam.com
Date: 12/23/01


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 23 Dec 2001 05:26:27 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PHPNuke module.php Vulnerability and PHP error_reporting Issue
------------------------------------------------------------------------

SUMMARY

There are many cross-site scripting issues in the PHPNuke modules and in other
web applications written in PHP.

This cross-site scripting error is present because:
[1] There are no checks on the user-provided input in module.php.
[2] PHP does not deal well with error reporting.

DETAILS

Vulnerable code:

---
include("modules/$name/$file.php");
---

Exploit: http://www.example.com/modules.php?op=modload&name=XForum&file=[hostilejavascript]&fid=2

Hostile JavaScript could be: {script}alert(document.cookie);{/script}, which displays your cookie. Replace {} by <>.

This crafted URL causes the module.php script to produce a PHP error report of the sort:

---
Warning: Failed opening 'modules/XForum/.php' for inclusion (include_path='') in /home/foo/htdocs/modules.php on line 27
---

When your browser displays the error report, it will also parse the hostile JavaScript.

Workaround: just turn off PHP error reporting.

Possible patch: the error_reporting function should check for bad inputs.

Temporary fix for PHPNuke module.php:

---start of module.php---
<?php
error_reporting(0); // Add this line: just turn off error_reporting

// original file
switch ($op) {

    case "modload":
        if (!isset($mainfile)) {
            include("mainfile.php");
        }
        // Reject ".." in either parameter to block directory traversal
        if (ereg("\.\.", $name) || ereg("\.\.", $file)) {
            echo "You are so cool";
            break;
        } else {
            include("modules/$name/$file.php");
        }
        break;

    default:
        die("Sorry, you can't access this file directly...");
        break;
}
?>
---end of module.php---
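Turning off error_reporting hides the symptom but still lets arbitrary values reach include(). The following is an added example, not PHPNuke's code or the advisory author's patch: it restricts $name and $file to a safe character set, checks that the resolved file really sits under the modules directory, and HTML-escapes anything echoed back. MODULES_DIR and the use of $_GET (instead of register_globals) are assumptions.

```php
<?php
// Added example, not PHPNuke's own code: a hardened "modload" handler.
// Assumes the layout modules/<name>/<file>.php and reads parameters
// from $_GET instead of relying on register_globals.

// Keep PHP warnings out of the HTML response; send them to the log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
define('MODULES_DIR', __DIR__ . '/modules');   // assumed location

// Accept only letters, digits, '_' and '-': this rejects "..", "/", "<" and
// ">" so neither a path escape nor an HTML tag can reach include() or echo.
function is_safe_component($value) {
    return is_string($value) && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) === 1;
}

// Resolve modules/<name>/<file>.php and confirm it really lives under
// MODULES_DIR. Returns null when the input is rejected or the file is missing.
function resolve_module_path($name, $file) {
    if (!is_safe_component($name) || !is_safe_component($file)) {
        return null;
    }
    $base = realpath(MODULES_DIR);
    $path = realpath(MODULES_DIR . '/' . $name . '/' . $file . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$op   = isset($_GET['op'])   ? $_GET['op']   : '';
$name = isset($_GET['name']) ? $_GET['name'] : '';
$file = isset($_GET['file']) ? $_GET['file'] : '';

switch ($op) {
    case 'modload':
        $path = resolve_module_path($name, $file);
        if ($path === null) {
            // Reject with a generic message; the echoed name is HTML-escaped,
            // so even a rejected value cannot be rendered as markup.
            header('HTTP/1.0 404 Not Found');
            echo 'Module not found: ' . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8');
            break;
        }
        include $path;
        break;
    default:
        die("Sorry, you can't access this file directly...");
}
```

With display_errors off, a failed include no longer writes the request parameters into the page, and the whitelist means they never reach the filesystem or the response unescaped.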

ADDITIONAL INFORMATION

The information has been provided by <mailto:aurelien.cabezon@isecurelabs.com> Cabezon Aurélien.

========================================

This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.