[UNIX] PHPX Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 05/06/04

    To: list@securiteam.com
    Date: 6 May 2004 18:40:25 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PHPX Multiple Vulnerabilities


     <http://www.phpx.org> PHPX is a constantly evolving and changing Content
    Management System (CMS). PHPX is a highly customizable, high-powered
    all-in-one system. PHPX provides content management combined with the power
    of a portal by including in the core package modules such as FAQ, polls, and

    PHPX is prone to cross-site scripting, path disclosure and arbitrary
    command execution attacks.


    Vulnerable Systems:
     * PHPX version 3.26 and prior

    Immune Systems:
     * PHPX version 3.3.0

    Cross-site Scripting
    PHPX uses a function in the includes/functions.inc.php file, checkURI(),
    that is meant to strip dangerous characters from the request URI. The
    function is poorly written and does not adequately sanitize the input it
    receives. Taking a closer look:

    function checkURI(){
       // Only these four literal characters are checked; encoded forms pass.
       $checkArray = array(">","<","(",")");
       foreach($checkArray as $c){
         if (substr_count($_SERVER["REQUEST_URI"], $c)){ die("HACK ATTEMPT"); }
       }
    }

    It is clearly evident that only a few special characters are filtered out,
    and only in their literal form: no care is taken when the same characters
    appear in an encoded form. Examples of such encoded URLs are presented

    Where VID should be a valid id of some sort, depending on the function
    that is called. Other XSS attacks are possible as well, and the list
    provided is by no means complete.
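    The following is an added example, not PHPX code, showing why the
    checkURI() blacklist is bypassed by encoded input and what a defender should
    rely on instead: checking the decoded form (still only a blacklist) and,
    above all, encoding untrusted values at the point of output. The script name
    and the VID value are constructed for the example.

```php
<?php
// Added example (not from PHPX): the advisory's raw-character blacklist,
// reduced to a testable function over a URI string instead of $_SERVER.
function checkURIRaw(string $uri): bool {
    $checkArray = array(">", "<", "(", ")");
    foreach ($checkArray as $c) {
        if (substr_count($uri, $c)) {
            return false;              // PHPX would die("HACK ATTEMPT") here
        }
    }
    return true;                       // request allowed through
}

// Same blacklist, applied after percent-decoding. Decoding is repeated so
// that double-encoded input (e.g. %253C) is also normalised before the check.
// This is still a blacklist and is not sufficient on its own.
function checkURIDecoded(string $uri): bool {
    $decoded = $uri;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    return checkURIRaw($decoded);
}

// The real mitigation: encode untrusted data when it is written into HTML,
// so that anything that slipped past the URI filter cannot become markup.
function renderId(string $id): string {
    return '<p>Item ' . htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample URIs (hypothetical script name; VID as in the advisory).
$plain   = "/index.php?mod=x&id=VID";
$encoded = "/index.php?mod=x&id=VID%3C";   // %3C is the percent-encoded '<'

var_dump(checkURIRaw($plain));             // literal URI, no blacklisted chars
var_dump(checkURIRaw($encoded));           // passes: the filter never sees '<'
var_dump(checkURIDecoded($encoded));       // rejected once decoded
echo renderId(rawurldecode("VID%3C")), "\n";   // '<' is emitted as &lt;
```

    The decoded check only closes the encoding gap the advisory describes; the
    output encoding in renderId() is what actually prevents the injected value
    from being interpreted as HTML.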

    Path Disclosure
    It is possible for an attacker to learn the full physical path of the PHPX
    installation. This can be accomplished by sending a null or invalid value
    to several instances of the $limit variable.

    For example:

    The result would be a mysql_fetch_row() error message that reveals the
    full path to the PHPX installation.

    Arbitrary Command Execution
    Since administrative actions are validated by neither a session ID nor any
    kind of key, all an attacker has to do is send an admin a private message
    or make a malicious post containing the desired command, and the command
    will silently execute.


    If any one of these commands were placed in an image tag an attacker could
    delete users, news items, pages, images, polls, word censors, flags, xcode
    and probably more.

    Quoting JeiAr:
    "In the past I have seen phpBB for example deal with the same issue of
    using unsafe GET requests by limiting the bbcode to only allow images with
    a valid extension. However this is a bad idea because it does not solve
    the problem at all, and to this day all phpBB versions are vulnerable to
    having arbitrary posts deleted and more just by visiting a malicious web
    page or link. It is a serious issue and should be treated as such. It
    greatly impacts the security of a web application. Even using the POST
    method without an auth key or the like is a bad idea."

    Vendor Status:
    The lead developer of the project was first informed over a month ago. The
    issues have been addressed, and a new, more secure auth_key schema has been
    added to validate actions. Upgrade to version 3.3.0.


    The information has been provided by <mailto:security@gulftech.org>


