[UNIX] PHP-Nuke mail CRLF Injection Vulnerabilities

• Previous message: support@securiteam.com: "[UNIX] Security Problems Found with mkstemp()"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 22 Dec 2002 13:57:58 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

  PHP-Nuke mail CRLF Injection Vulnerabilities
------------------------------------------------------------------------

SUMMARY

PHP-Nuke is a Web portal and online community system which includes
Web-based administration, surveys, access statistics, user customizable
boxes, a themes manager for registered users, friendly administration GUI
with graphic topic manager, the ability to edit or delete stories, an
option to delete comments, a moderation system, referer tracking,
integrated banner ad system, search engine, backend/headlines generation
(RSS/RDF format), Web directory like Yahoo, events manager, and support
for 20+ languages.

PHP-Nuke is published under the terms of the GNU General Public License.
It is a very popular program with lots and lots of installations. It is
included as one of the packages in Debian GNU/Linux and one of FreeBSD's
ports.

A security vulnerability in the product allows remote attackers to inject
CRLF characters into the mail sending's functionality, allowing them to
spoof emails, send SPAM, etc.

DETAILS

Vulnerable systems:
 * PHP-Nuke version 6.0

PHP-Nuke has got four functions that allow restricted sending of e-mails:
Feedback, Recommend Us, Send (news item) to a Friend and Send this Journal
to a Friend. They either restrict who you can send e-mails to or what
message you can send to them. They are open for anonymous users as well as
regular users.

By submitting special data, an attacker can escape these restrictions and
use someone else's PHP-Nuke installation to send HTML e-mails to any
recipient with any message that they like.

Technical details:
The fourth parameter to PHP's mail() function contains the additional mail
headers that PHP doesn't have a special parameter for. In this case, it's
used to add From and Reply-To headers. When PHP-Nuke constructs the value
for this parameter, it doesn't check the form data it's using for CR and
LF characters. As a result, an attacker can supply extra mail headers and
even an extra mail body, and they will be included in the mail between the
real headers and the real body. This is done by simply including CR and LF
characters in the form data field that contains your e-mail address. If
the attacker includes an HTML message ending with a "<!--" tag or a
"<font color='something'>" tag that sets the foreground colour to the
background color, the real mail body will not be shown in many programs.

Vendor status:
Ulf didn't contact the vendor, as Fransisco has a very bad track record
when it comes to replying to security reports.

Ulf "SECURITY HARDENING PACKAGE":
Instead Ulf wrote an unofficial patch for this issue. Ulf has patched
against version 6.0.

The patch simply replaces all CR and LF characters in the vulnerable
variables with spaces, and then the exploit doesn't work anymore.

--- html/mainfile.php.old Thu Dec 19 19:17:10 2002
+++ html/mainfile.php Thu Dec 19 19:24:00 2002
@@ -870,4 +870,13 @@
     return($ThemeSel);
 }
 
-?>
\ No newline at end of file
+#
+# Security fix
+# Ulf Harnhammar, VSU Security 2002
+#
+
+function removecrlf($str) {
+ return strtr($str, "\015\012", ' ');
+}
+
+?>
--- html/modules/Feedback/index.php.old Thu Dec 19 19:26:44 2002
+++ html/modules/Feedback/index.php Thu Dec 19 19:28:34 2002
@@ -69,6 +69,8 @@
         $send = "no";
     }
     if ($send != "no") {
+ $sender_name = removecrlf($sender_name); # Security fix
+ $sender_email = removecrlf($sender_email);
         $msg = "$sitename\n\n";
         $msg .= ""._SENDERNAME.": $sender_name\n";
         $msg .= ""._SENDEREMAIL.": $sender_email\n";
@@ -93,4 +95,4 @@
 CloseTable();
 include("footer.php");
 
-?>
\ No newline at end of file
+?>
--- html/modules/Journal/friend.php.old Thu Dec 19 21:23:27 2002
+++ html/modules/Journal/friend.php Thu Dec 19 21:25:22 2002
@@ -38,6 +38,11 @@
 list ($jtitle) = sql_fetch_row($result, $dbi);
 
 if ($send == 1) {
+ $fname = removecrlf($fname); # Security fix
+ $fmail = removecrlf($fmail);
+ $yname = removecrlf($yname);
+ $ymail = removecrlf($ymail);
+
     $subject = ""._INTERESTING." $sitename";
     $message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname
"._CONSIDERED."\n\n\n$jtitle\n"._URL.":
$nukeurl/modules.php?name=$module_name&file=display&jid=$jid\n\n\n"._AREMORE."\n\n---\n$sitename\n$nukeurl";
     mail($fmail, $subject, $message, "From: \"$yname\"
<$ymail>\nX-Mailer: PHP/" . phpversion());
@@ -82,4 +87,4 @@
 
 journalfoot();
 
-?>
\ No newline at end of file
+?>
--- html/modules/News/friend.php.old Thu Dec 19 20:05:53 2002
+++ html/modules/News/friend.php Thu Dec 19 20:16:24 2002
@@ -50,6 +50,11 @@
 function SendStory($sid, $yname, $ymail, $fname, $fmail) {
     global $sitename, $nukeurl, $prefix, $dbi, $module_name;
 
+ $fname = removecrlf($fname); # Security fix
+ $fmail = removecrlf($fmail);
+ $yname = removecrlf($yname);
+ $ymail = removecrlf($ymail);
+
     $result2=sql_query("select title, time, topic from
".$prefix."_stories where sid=$sid", $dbi);
     list($title, $time, $topic) = sql_fetch_row($result2, $dbi);
 
@@ -90,4 +95,4 @@
 
 }
 
-?>
\ No newline at end of file
+?>
--- html/modules/Recommend_Us/index.php.old Thu Dec 19 20:00:45 2002
+++ html/modules/Recommend_Us/index.php Thu Dec 19 20:02:45 2002
@@ -45,6 +45,9 @@
 
 function SendSite($yname, $ymail, $fname, $fmail) {
     global $sitename, $slogan, $nukeurl, $module_name;
+ $fmail = removecrlf($fmail); # Security fix
+ $yname = removecrlf($yname);
+ $ymail = removecrlf($ymail);
     $subject = ""._INTSITE." $sitename";
     $message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname "._OURSITE."
$sitename "._INTSENT."\n\n\n"._FSITENAME."
$sitename\n$slogan\n"._FSITEURL." $nukeurl\n";
     mail($fmail, $subject, $message, "From: \"$yname\"
<$ymail>\nX-Mailer: PHP/" . phpversion());
@@ -76,4 +79,4 @@
 
 }
 
-?>
\ No newline at end of file
+?>

ADDITIONAL INFORMATION

The information has been provided by <mailto:ulfh@update.uu.se> Ulf
Harnhammar.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Next message: support@securiteam.com: "[EXPL] Melange Chat System Remote Exploit Code Released"
• Previous message: support@securiteam.com: "[UNIX] Security Problems Found with mkstemp()"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]