[UNIX] PHP-Nuke Referer Hijacking (HTTP_REFERER)
From: support@securiteam.com
Date: 03/19/03
From: support@securiteam.com To: list@securiteam.com Date: 19 Mar 2003 13:51:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHP-Nuke Referer Hijacking (HTTP_REFERER)
------------------------------------------------------------------------
SUMMARY
A vulnerability in PHP-Nuke <http://www.phpnuke.org/>, a "news automated
system specially designed to be used in Intranets and the Internet", allows
attackers to hijack the administrator's cookie, thus gaining elevated
privileges to the PHP-Nuke system.
DETAILS
There is no check on the $referer variable when inserted into the backend
database. This could allow attackers to hijack the administrator's cookie
that contains login and password information.
The fix should be applied to the next release of PHP-Nuke (either the
current RC3 or next). The exact coding may vary depending on your version
of PHP-Nuke, but look for this around line 24 of "index.php":
$referer = getenv("HTTP_REFERER");
Immediately after this line of code, add the following security filter:
$referer = htmlspecialchars(strip_tags($referer));
This will strip away those nasty JavaScript tags that can currently hijack
an administrator's cookie when viewing the list of referers via the Admin
panel in PHP-Nuke.
If the line of code to look for above doesn't match, it may instead look
something like this:
$referer = $_SERVER['HTTP_REFERER'];
If that is the line you have, again add the following line of code
immediately after it:
$referer = htmlspecialchars(strip_tags($referer));
This may apply to more than PHP-Nuke, as most developers tend not to think
of protecting this kind of variable. So check all your web applications.
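
The filter above applied when the value is stored, plus a second encoding step where the admin page prints stored values, as an added example that is not PHP-Nuke code or part of the original advisory. The function names and the sample Referer values are assumptions; ENT_QUOTES is passed explicitly because htmlspecialchars() escaped only double quotes by default before PHP 8.1.

```php
<?php
// Added example: not PHP-Nuke code. Function names and the sample
// Referer values are assumptions constructed for illustration.

// Input side: the advisory's filter, with ENT_QUOTES spelled out because
// htmlspecialchars() only escaped double quotes by default before PHP 8.1.
function filter_referer(string $raw): string
{
    return htmlspecialchars(strip_tags($raw), ENT_QUOTES, 'UTF-8');
}

// Output side: encode again when the admin page prints a stored value, so
// rows saved before index.php was patched are rendered as text as well.
// double_encode=false leaves entities written by filter_referer() intact.
function render_referer_row(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false);
    return '<li>' . $safe . '</li>';
}

// Constructed header values: one ordinary, one carrying markup.
$samples = [
    'http://example.test/page?a=1&b=2',
    'http://example.test/"><script>alert(1)</script>',
];

foreach ($samples as $raw) {
    $stored = filter_referer($raw);
    echo "raw:      $raw\n";
    echo "stored:   $stored\n";
    echo "rendered: " . render_referer_row($stored) . "\n";
    // A row stored before the patch still holds the raw value.
    echo "legacy:   " . render_referer_row($raw) . "\n\n";
}
```

Patching index.php only changes what is stored from then on; referer rows already in the database stay unfiltered until they are purged or encoded at output as in render_referer_row().
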
One such application that shows a list of referers on a PHP-Nuke site is
MS-Analysis, developed by Nuke Styles. No testing of this application has
been done, but there may be a risk of regular user cookies being hijacked
if the index.php file is left un-patched. Example of
MS-Analysis:
Vendor status:
Francisco Burzi, the author of PHP-Nuke, was advised about this a couple
of weeks ago.
ADDITIONAL INFORMATION
The information has been provided by
zx <mailto:zx@computercops.propagation.net>.