[UNIX] PHP-Nuke Referer Hijacking (HTTP_REFERER)

From: support@securiteam.com
Date: 03/19/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 19 Mar 2003 13:51:39 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      PHP-Nuke Referer Hijacking (HTTP_REFERER)


    A vulnerability in PHP-Nuke (<http://www.phpnuke.org/>), a "news automated
    system specially designed to be used in Intranets and the Internet", allows
    attackers to hijack the administrator's cookie, thus gaining elevated
    privileges to the PHP-Nuke system.


    The $referer variable is inserted into the backend database without any
    check on its contents. This allows an attacker to hijack the administrator's
    cookie, which contains login and password information.

    The fix should be applied to the next release of PHP-Nuke (either the
    current RC3 or the next one). The exact code may vary depending on your
    version of PHP-Nuke, but look for this around line 24 of "index.php":

    $referer = getenv("HTTP_REFERER");

    Immediately after this line of code, add the following security filter:
    $referer = htmlspecialchars(strip_tags($referer));

    This will strip away those nasty JavaScript tags that can currently hijack
    an administrator's cookie when viewing the list of referers via the Admin
    panel in PHP-Nuke.

    If the line of code above is not present in your copy, it may look
    something like this instead:
    $referer = $_SERVER['HTTP_REFERER'];

    If that is the line you have, again add the following line of code
    immediately after it:
    $referer = htmlspecialchars(strip_tags($referer));

    This may apply to more than PHP-Nuke, as most developers tend not to think
    of protecting this kind of variable, so check all your web applications.
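    The following script is an added example, not PHP-Nuke's own code, that
    puts the unfiltered referer sink the advisory describes next to the one-line
    filter it recommends, so the difference can be seen by running it. The
    sample referer value, the function names, and the output-time escaping
    variant are assumptions made for the example; only the
    htmlspecialchars(strip_tags(...)) line comes from the advisory.

```php
<?php
// referer_demo.php: added example, not PHP-Nuke's own code.
// Run with: php referer_demo.php

// Constructed sample value standing in for getenv("HTTP_REFERER").
// The Referer header is sent by the client, so its contents are attacker-controlled.
$sampleReferer = 'http://example.test/page?x=<script>alert(1)</script>';

// Vulnerable write path (what the advisory describes): the raw header is
// stored and later echoed into the admin referer list, so any markup in it
// is rendered, and executed, in the administrator's browser.
function storeRefererUnfiltered(string $referer): string
{
    return $referer;
}

// Fixed write path (the advisory's one-line filter): drop tags, then encode
// the remaining HTML metacharacters before the value reaches the database.
function storeRefererFiltered(string $referer): string
{
    return htmlspecialchars(strip_tags($referer));
}

// Simulates the admin panel rendering one stored row verbatim, which is
// how the unfiltered value turns into a script running in the admin's browser.
function renderRowVerbatim(string $stored): string
{
    return "<tr><td>$stored</td></tr>";
}

// Alternative (assumption, not in the advisory): keep the raw value in the
// database and escape at output time instead. ENT_QUOTES also covers values
// placed inside attributes. Use one layer or the other: escaping a value that
// was already escaped at store time shows up as "&amp;lt;" in the page.
function renderRowEscaped(string $stored): string
{
    return '<tr><td>' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '</td></tr>';
}

// Quick check to run over values already in the referer table: a raw tag
// opener means the write path was not filtered when that row was stored.
function containsRawTag(string $stored): bool
{
    return preg_match('/<\s*[a-z]/i', $stored) === 1;
}

$unfiltered = storeRefererUnfiltered($sampleReferer);
$filtered   = storeRefererFiltered($sampleReferer);

echo "Unfiltered row:        " . renderRowVerbatim($unfiltered) . "\n";
echo "Filtered row:          " . renderRowVerbatim($filtered) . "\n";
echo "Escaped-at-output row: " . renderRowEscaped($unfiltered) . "\n";
echo "Raw tag survives unfiltered: " . (containsRawTag($unfiltered) ? 'yes' : 'no') . "\n";
echo "Raw tag survives filtered:   " . (containsRawTag($filtered) ? 'yes' : 'no') . "\n";
```

    With the sample value, the filtered row keeps the URL text and the word
    "alert(1)" but no tag, and the output-escaped row shows the tag as literal
    text rather than markup. strip_tags on its own only removes the tags; the
    htmlspecialchars step is what makes any remaining "<", ">", "&" or quote
    characters safe to print, which is why the advisory applies both.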

    One such application that shows a list of referers on a PHP-Nuke site is
    MS-Analysis, developed by Nuke Styles. No testing of this application has
    been done, but there may be a risk of hijacking regular users' cookies if
    the index.php file is left unpatched. Example of

    Vendor status:
    Francisco Burzi, the author of PHP-Nuke, was advised about this a couple
    of weeks ago.


    The information has been provided by
    <mailto:zx@computercops.propagation.net> zx.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
