[UNIX] Inadequate Security Checking in OSC2Nuke

From: SecuriTeam (support_at_securiteam.com)
Date: 06/02/04

    To: list@securiteam.com
    Date: 2 Jun 2004 17:19:35 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Inadequate Security Checking in OSC2Nuke
    ------------------------------------------------------------------------

    SUMMARY

    OSC2Nuke (http://www.osc2nuke.org/) "is an open source project combining
    the functionality of PHPNuke's portal system with OSCommerce's shopping
    cart software. Run by the Dreamlite development team, this project has
    been active since mid-2003. OSCNukeLite (http://www.oscnukelite.org/) is
    the predecessor of OSC2Nuke". Due to inadequate security checks, the
    product can be made vulnerable to file inclusion attacks, SQL injection,
    path disclosure, etc.

    DETAILS

    Vulnerable Systems:
     * OSC2Nuke 7x version 1
     * OSCNukeLite V3.1 and earlier

    PHPNuke's software is a major component of this project, so it suffers
    from the same security weakness as its parent.

    In an effort to stop files from being accessed directly by outside
    visitors, the developers added a simple security check. If the check's
    condition evaluates to false, the remaining code in the file is executed;
    if it evaluates to true, the script aborts or the visitor is redirected to
    another page.

    The check reads the path and filename of the currently executing script
    from the global variable $_SERVER['PHP_SELF'] and, using PHP's built-in
    function eregi(), compares that value against the name of the script
    which should be the sole access point.

    Example:
    if (!eregi("modules.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }

    In this example, a file containing the above snippet continues executing
    if the requested path held in $_SERVER['PHP_SELF'] contains the letters
    "modules.php" (without quotes); otherwise the script aborts and returns
    the words "Access Denied".

    Using eregi() with the NOT logical operator, as the developers did, is a
    very poor way to control file access: anyone can easily manipulate a URL
    to add the missing component, which forces the security check to always
    evaluate to false and grants unfettered entry.

    Exploitation Example:
    By accessing the following URL:
    http://www.domain.com/modules/catalog/checkout_process.php/modules.php,
    the vulnerability can be observed.
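    The snippet below is an added example and is not code from the advisory or from OSC2Nuke/PHP-Nuke. It contrasts the PHP_SELF substring check described above with two guards that a trailing PATH_INFO segment cannot satisfy; the function names and the MODULE_ENTRY constant are assumptions made for this example.

```php
<?php
// Added example; not code from the advisory or from OSC2Nuke/PHP-Nuke.
// Function names and the MODULE_ENTRY constant are assumptions.

// 1. The weak check. eregi() was removed in PHP 7; preg_match() with /i is
//    the same case-insensitive match. The unescaped "." is deliberate: it is
//    what the original pattern "modules.php" really matched (any character).
function weak_access_check(string $php_self): bool
{
    return preg_match('/modules.php/i', $php_self) === 1;
}

// 2. Compare the script that was actually executed, not the request URL.
//    $_SERVER['SCRIPT_NAME'] stops at the .php file; PHP_SELF also carries
//    any PATH_INFO that follows it, which is what the bypass relies on.
function script_name_check(string $script_name): bool
{
    return basename($script_name) === 'modules.php';
}

// 3. Constant guard: the entry point defines MODULE_ENTRY before including
//    sub-modules, and each sub-module refuses to run without it. A direct
//    request never passes through the entry point, so no URL can set it.
//    In modules.php:        define('MODULE_ENTRY', true);
//                           require 'modules/catalog/checkout_process.php';
//    In each sub-module:    if (!defined('MODULE_ENTRY')) { http_response_code(403); exit; }
function constant_guard(): bool
{
    return defined('MODULE_ENTRY');
}

// Constructed requests for the file named in the advisory's example.
// Each entry is [PHP_SELF, SCRIPT_NAME] as PHP populates them.
$requests = [
    'entry point'           => ['/modules.php', '/modules.php'],
    'direct include access' => ['/modules/catalog/checkout_process.php',
                                '/modules/catalog/checkout_process.php'],
    'PATH_INFO suffix'      => ['/modules/catalog/checkout_process.php/modules.php',
                                '/modules/catalog/checkout_process.php'],
];

foreach ($requests as $label => [$php_self, $script_name]) {
    printf("%-22s weak(PHP_SELF): %-5s script_name: %-5s\n", $label,
        weak_access_check($php_self) ? 'ALLOW' : 'deny',
        script_name_check($script_name) ? 'ALLOW' : 'deny');
}
// The weak check allows the third request; the SCRIPT_NAME check denies it.
// With no entry point having run, the constant guard denies every request:
printf("constant guard (no entry point ran): %s\n",
    constant_guard() ? 'ALLOW' : 'deny');
```

    Independently of any in-script guard, the include directories can also be denied at the web server so that a request for a sub-module never reaches PHP at all.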

    Impact:
    In the majority of cases, exploitation of this vulnerability results in
    full path disclosure and does not continue into further code execution
    where intrusion or damage might occur. In a much smaller number of cases,
    the code may continue executing and possibly allow outsiders unwanted
    access to some restricted areas of the site. Those who have set up their
    servers to look in the main directory when a file is not found in the
    current one may see a higher proportion of unwanted access and a lower
    proportion of full path disclosures than others.

    OSC2Nuke's code was not analyzed to determine whether additional
    vulnerabilities are possible because of this security weakness. However,
    files where SQL injection might be possible are flagged below.

    Affected Files:
    Although an effort was made to identify all affected files (~295 in total,
    of which ~86 have no security check), we leave it to the developers and
    users to do their own verification to ensure no files were inadvertently
    missed.

    Note 1 --> /admin/case/case.adminfaq.php
    Note 1 --> /admin/case/case.authors.php
    Note 1 --> /admin/case/case.backup.php
    Note 1 --> /admin/case/case.banners.php
    Note 1 --> /admin/case/case.blocks.php
    Note 1 --> /admin/case/case.comments.php
    Note 1 --> /admin/case/case.content.php
    Note 1 --> /admin/case/case.download.php
    Note 1 --> /admin/case/case.encyclopedia.php
    Note 1 --> /admin/case/case.ephemerids.php
    Note 1 --> /admin/case/case.forums.php
    Note 1 --> /admin/case/case.groups.php
    Note 1 --> /admin/case/case.links.php
    Note 1 --> /admin/case/case.messages.php
    Note 1 --> /admin/case/case.modules.php
    Note 1 --> /admin/case/case.newsletter.php
    Note 1 --> /admin/case/case.optimize.php
    Note 1 --> /admin/case/case.polls.php
    Note 1 --> /admin/case/case.referers.php
    Note 1 --> /admin/case/case.reviews.php
    Note 1 --> /admin/case/case.sections.php
    Note 1 --> /admin/case/case.settings.php
    Note 1 --> /admin/case/case.stories.php
    Note 1 --> /admin/case/case.topics.php
    Note 1 --> /admin/case/case.users.php
    Note 2 --> /admin/links/links.addstory.php
    Note 2 --> /admin/links/links.backup.php
    Note 2 --> /admin/links/links.banners.php
    Note 2 --> /admin/links/links.blocks.php
    Note 2 --> /admin/links/links.content.php
    Note 2 --> /admin/links/links.download.php
    Note 2 --> /admin/links/links.editadmins.php
    Note 2 --> /admin/links/links.editusers.php
    Note 2 --> /admin/links/links.encyclopedia.php
    Note 2 --> /admin/links/links.ephemerids.php
    Note 2 --> /admin/links/links.faq.php
    Note 2 --> /admin/links/links.forums.php
    Note 2 --> /admin/links/links.groups.php
    Note 2 --> /admin/links/links.httpreferers.php
    Note 2 --> /admin/links/links.messages.php
    Note 2 --> /admin/links/links.modules.php
    Note 2 --> /admin/links/links.newsletter.php
    Note 2 --> /admin/links/links.optimize.php
    Note 2 --> /admin/links/links.reviews.php
    Note 2 --> /admin/links/links.sections.php
    Note 2 --> /admin/links/links.settings.php
    Note 2 --> /admin/links/links.submissions.php
    Note 2 --> /admin/links/links.surveys.php
    Note 2 --> /admin/links/links.topics.php
    Note 2 --> /admin/links/links.weblinks.php
    Note 3 --> /admin/modules/adminfaq.php
    Note 3 --> /admin/modules/authors.php
    Note 3 --> /admin/modules/backup.php
    Note 3 --> /admin/modules/banners.php
    Note 3 --> /admin/modules/blocks.php
    Note 3 --> /admin/modules/comments.php
    Note 3 --> /admin/modules/content.php
    Note 3 --> /admin/modules/download.php
    Note 3 --> /admin/modules/encyclopedia.php
    Note 3 --> /admin/modules/ephemerids.php
    Note 3 --> /admin/modules/forums.php
    Note 3 --> /admin/modules/groups.php
    Note 3 --> /admin/modules/links.php
    Note 3 --> /admin/modules/messages.php
    Note 3 --> /admin/modules/modules.php
    Note 3 --> /admin/modules/newsletter.php
    Note 3 --> /admin/modules/optimize.php
    Note 3 --> /admin/modules/polls.php
    Note 3 --> /admin/modules/referers.php
    Note 3 --> /admin/modules/reviews.php
    Note 3 --> /admin/modules/sections.php
    Note 3 --> /admin/modules/settings.php
    Note 3 --> /admin/modules/stories.php
    Note 3 --> /admin/modules/topics.php
    Note 3 --> /admin/modules/users.php
    Note 4 --> /admin/modules/oscnuke/init.php
    Note 4 --> /db/db.php
    Note 1 --> /modules/AvantGo/index.php
    Note 1 --> /modules/AvantGo/print.php
    Note 1 --> /modules/catalog/account.php
    Note 1 --> /modules/catalog/account_edit.php
    Note 1 --> /modules/catalog/account_history.php
    Note 1 --> /modules/catalog/account_history_info.php
    Note 1 --> /modules/catalog/account_newsletters.php
    Note 1 --> /modules/catalog/account_notifications.php
    Note 1 --> /modules/catalog/account_book.php
    Note 1 --> /modules/catalog/account_book_process.php
    Note 1 --> /modules/catalog/advanced_search.php
    Note 1 --> /modules/catalog/advanced_search_result.php
    Note 1 --> /modules/catalog/catalog_products_with_images.php
    Note 1 --> /modules/catalog/checkout_confirmation.php
    Note 1 --> /modules/catalog/checkout_payment.php
    Note 1 --> /modules/catalog/checkout_payment_address.php
    Note 5 --> /modules/catalog/checkout_process.php
    Note 1 --> /modules/catalog/checkout_shipping.php
    Note 1 --> /modules/catalog/checkout_shipping_address.php
    Note 1 --> /modules/catalog/checkout_success.php
    Note 1 --> /modules/catalog/conditions.php
    Note 1 --> /modules/catalog/cookie_usage.php
    Note 1 --> /modules/catalog/customers.php
    Note 2 --> /modules/catalog/download.php
    Note 1 --> /modules/catalog/index.php
    Note 5 --> /modules/catalog/info_shopping_cart.php
    Note 6 --> /modules/catalog/ipn.php
    Note 5 --> /modules/catalog/navbar.php
    Note 1 --> /modules/catalog/pdf_catalogue_info.php
    Note 5 --> /modules/catalog/popup_image.php
    Note 5 --> /modules/catalog/popup_search_help.php
    Note 2 --> /modules/catalog/print_catalog.php
    Note 5 --> /modules/catalog/printorder.php
    Note 5 --> /modules/catalog/privacy.php
    Note 1 --> /modules/catalog/product_info.php
    Note 1 --> /modules/catalog/product_reviews.php
    Note 1 --> /modules/catalog/product_reviews_info.php
    Note 1 --> /modules/catalog/product_reviews_write.php
    Note 1 --> /modules/catalog/products_new.php
    Note 2 --> /modules/catalog/redirect.php
    Note 1 --> /modules/catalog/reviews.php
    Note 1 --> /modules/catalog/shipping.php
    Note 1 --> /modules/catalog/shopping_cart.php
    Note 2 --> /modules/catalog/specials.php
    Note 1 --> /modules/catalog/ssl_check.php
    Note 5 --> /modules/catalog/tell_a_friend.php
    Note 2 --> /modules/catalog/includes/application_bottom.php
    Note 6 --> /modules/catalog/includes/application_top.php
    Note 2 --> /modules/catalog/includes/column_left.php
    Note 2 --> /modules/catalog/includes/column_right.php
    Note 2 --> /modules/catalog/includes/counter.php
    Note 2 --> /modules/catalog/includes/footer.php
    Note 2 --> /modules/catalog/includes/header.php
    Note 2 --> /modules/catalog/includes/print_header.php
    Note 2 --> /modules/catalog/includes/spider_configure.php
    Note 2 --> /modules/catalog/includes/boxes/best_sellers.php
    Note 2 --> /modules/catalog/includes/boxes/categories.php
    Note 2 --> /modules/catalog/includes/boxes/currencies.php
    Note 2 --> /modules/catalog/includes/boxes/information.php
    Note 2 --> /modules/catalog/includes/boxes/languages.php
    Note 2 --> /modules/catalog/includes/boxes/manufacturer_info.php
    Note 2 --> /modules/catalog/includes/boxes/manufacturers.php
    Note 2 --> /modules/catalog/includes/boxes/order_history.php
    Note 2 --> /modules/catalog/includes/boxes/product_notifications.php
    Note 2 --> /modules/catalog/includes/boxes/reviews.php
    Note 2 --> /modules/catalog/includes/boxes/search.php
    Note 2 --> /modules/catalog/includes/boxes/shopping_cart.php
    Note 2 --> /modules/catalog/includes/boxes/specials.php
    Note 2 --> /modules/catalog/includes/boxes/tell_a_friend.php
    Note 2 --> /modules/catalog/includes/boxes/whats_new.php
    Note 2 --> /modules/catalog/includes/modules/additional_images.php
    Note 2 --> /modules/catalog/includes/modules/address_book_details.php
    Note 2 --> /modules/catalog/includes/modules/also_purchased_products.php
    Note 2 --> /modules/catalog/includes/modules/checkout_new_address.php
    Note 2 --> /modules/catalog/includes/modules/downloads.php
    Note 2 --> /modules/catalog/includes/modules/new_products.php
    Note 2 --> /modules/catalog/includes/modules/print_catalog.php
    Note 2 --> /modules/catalog/includes/modules/product_listing.php
    Note 2 --> /modules/catalog/includes/modules/upcoming_products.php
    Note 1 --> /modules/catalog_admin/backup.php
    Note 1 --> /modules/catalog_admin/banner_manager.php
    Note 1 --> /modules/catalog_admin/banner_statistics.php
    Note 1 --> /modules/catalog_admin/cache.php
    Note 1 --> /modules/catalog_admin/categories.php
    Note 2 --> /modules/catalog_admin/config.inc.php
    Note 1 --> /modules/catalog_admin/configuration.php
    Note 1 --> /modules/catalog_admin/countries.php
    Note 1 --> /modules/catalog_admin/currencies.php
    Note 1 --> /modules/catalog_admin/customers.php
    Note 1 --> /modules/catalog_admin/define_language.php
    Note 1 --> /modules/catalog_admin/easypopulate.php
    Note 1 --> /modules/catalog_admin/file_manager.php
    Note 1 --> /modules/catalog_admin/geo_zones.php
    Note 1 --> /modules/catalog_admin/index.php
    Note 1 --> /modules/catalog_admin/invoice.php
    Note 1 --> /modules/catalog_admin/languages.php
    Note 1 --> /modules/catalog_admin/mail.php
    Note 1 --> /modules/catalog_admin/manufacturers.php
    Note 1 --> /modules/catalog_admin/modules.php
    Note 1 --> /modules/catalog_admin/newsletters.php
    Note 1 --> /modules/catalog_admin/orders.php
    Note 1 --> /modules/catalog_admin/orders_status.php
    Note 1 --> /modules/catalog_admin/orders1.php
    Note 1 --> /modules/catalog_admin/packingslip.php
    Note 1 --> /modules/catalog_admin/paypal_ipn.php
    Note 2 --> /modules/catalog_admin/paypal_ipn_order.php
    Note 7 --> /modules/catalog_admin/pdf_catalogue.php
    Note 1 --> /modules/catalog_admin/popup_image.php
    Note 1 --> /modules/catalog_admin/popup_image1.php
    Note 1 --> /modules/catalog_admin/products_attributes.php
    Note 1 --> /modules/catalog_admin/products_expected.php
    Note 1 --> /modules/catalog_admin/quick_updates.php
    Note 1 --> /modules/catalog_admin/reviews.php
    Note 1 --> /modules/catalog_admin/server_info.php
    Note 1 --> /modules/catalog_admin/specials.php
    Note 1 --> /modules/catalog_admin/stats_customers.php
    Note 1 --> /modules/catalog_admin/stats_products_purchased.php
    Note 1 --> /modules/catalog_admin/stats_products_viewed.php
    Note 1 --> /modules/catalog_admin/tax_classes.php
    Note 1 --> /modules/catalog_admin/tax_rates.php
    Note 1 --> /modules/catalog_admin/whos_online.php
    Note 1 --> /modules/catalog_admin/zones.php
    Note 2 --> /modules/catalog_admin/includes/application_bottom.php
    Note 2 --> /modules/catalog_admin/includes/application_top.php
    Note 2 --> /modules/catalog_admin/includes/application_top1.php
    Note 2 --> /modules/catalog_admin/includes/application_top2.php
    Note 2 --> /modules/catalog_admin/includes/application_top3.php
    Note 2 --> /modules/catalog_admin/includes/column_left.php
    Note 2 --> /modules/catalog_admin/includes/footer.php
    Note 2 --> /modules/catalog_admin/includes/header.php
    Note 2 --> /modules/catalog_admin/includes/boxes/catalog.php
    Note 2 --> /modules/catalog_admin/includes/boxes/configuration.php
    Note 2 --> /modules/catalog_admin/includes/boxes/customers.php
    Note 2 --> /modules/catalog_admin/includes/boxes/localization.php
    Note 2 --> /modules/catalog_admin/includes/boxes/modules.php
    Note 2 --> /modules/catalog_admin/includes/boxes/reports.php
    Note 2 --> /modules/catalog_admin/includes/boxes/taxes.php
    Note 2 --> /modules/catalog_admin/includes/boxes/tools.php
    Note 2 --> /modules/catalog_admin/includes/graphs/banner_daily.php
    Note 2 --> /modules/catalog_admin/includes/graphs/banner_infobox.php
    Note 2 --> /modules/catalog_admin/includes/graphs/banner_monthly.php
    Note 2 --> /modules/catalog_admin/includes/graphs/banner_yearly.php
    Note 1 --> /modules/Content/index.php
    Note 1 --> /modules/Downloads/index.php
    Note 1 --> /modules/Downloads/voteinclude.php
    Note 1 --> /modules/Encyclopedia/index.php
    Note 1 --> /modules/Encyclopedia/search.php
    Note 1 --> /modules/FAQ/index.php
    Note 1 --> /modules/Feedback/index.php
    Note 1 --> /modules/Forums/faq.php
    Note 1 --> /modules/Forums/groupcp.php
    Note 1 --> /modules/Forums/index.php
    Note 1 --> /modules/Forums/login.php
    Note 1 --> /modules/Forums/modcp.php
    Note 1 --> /modules/Forums/nukebb.php
    Note 1 --> /modules/Forums/posting.php
    Note 1 --> /modules/Forums/profile.php
    Note 1 --> /modules/Forums/search.php
    Note 1 --> /modules/Forums/update_to_205.php
    Note 1 --> /modules/Forums/update_to_206.php
    Note 1 --> /modules/Forums/update_to_207.php
    Note 1 --> /modules/Forums/viewforum.php
    Note 1 --> /modules/Forums/viewonline.php
    Note 1 --> /modules/Forums/viewtopic.php
    Note 1 --> /modules/Journal/add.php
    Note 1 --> /modules/Journal/comment.php
    Note 1 --> /modules/Journal/commentkill.php
    Note 1 --> /modules/Journal/commentsave.php
    Note 1 --> /modules/Journal/delete.php
    Note 1 --> /modules/Journal/deleteyes.php
    Note 1 --> /modules/Journal/display.php
    Note 1 --> /modules/Journal/edit.php
    Note 1 --> /modules/Journal/friend.php
    Note 1 --> /modules/Journal/functions.php
    Note 1 --> /modules/Journal/index.php
    Note 1 --> /modules/Journal/modify.php
    Note 1 --> /modules/Journal/savenew.php
    Note 1 --> /modules/Journal/search.php
    Note 1 --> /modules/Members_List/index.php
    Note 1 --> /modules/News/article.php
    Note 1 --> /modules/News/associates.php
    Note 1 --> /modules/News/categories.php
    Note 1 --> /modules/News/comments.php
    Note 1 --> /modules/News/friend.php
    Note 1 --> /modules/News/index.php
    Note 1 --> /modules/News/print.php
    Note 3 --> /modules/Private_Messages/index.php
    Note 1 --> /modules/Recommend_Us/index.php
    Note 1 --> /modules/Reviews/index.php
    Note 1 --> /modules/Search/index.php
    Note 1 --> /modules/Sections/index.php
    Note 1 --> /modules/Statistics/index.php
    Note 1 --> /modules/Stories_Archive/index.php
    Note 1 --> /modules/Submit_News/index.php
    Note 1 --> /modules/Surveys/comments.php
    Note 1 --> /modules/Surveys/index.php
    Note 1 --> /modules/Top/index.php
    Note 1 --> /modules/Topics/index.php
    Note 1 --> /modules/Web_Links/index.php
    Note 1 --> /modules/Web_Links/voteinclude.php
    Note 1 --> /modules/Your_Account/account.php
    Note 1 --> /modules/Your_Account/account_edit.php
    Note 1 --> /modules/Your_Account/account_history.php
    Note 1 --> /modules/Your_Account/account_history_info.php
    Note 1 --> /modules/Your_Account/account_newsletters.php
    Note 1 --> /modules/Your_Account/account_notifications.php
    Note 1 --> /modules/Your_Account/address_book.php
    Note 1 --> /modules/Your_Account/address_book_process.php
    Note 1 --> /modules/Your_Account/checkout_payment.php
    Note 1 --> /modules/Your_Account/checkout_payment_address.php
    Note 1 --> /modules/Your_Account/checkout_shipping.php
    Note 1 --> /modules/Your_Account/checkout_shipping_address.php
    Note 1 --> /modules/Your_Account/config.php
    Note 1 --> /modules/Your_Account/index.php
    Note 5 --> /modules/Your_Account/navbar.php
    Note 5 --> /modules/Your_Account/navbar1.php
    Note 1 --> /modules/Your_Account/shipping.php
    Note 1 --> /modules/Your_Account/shopping_cart.php

    Note 1: Vulnerability: Full path disclosure on servers not set up to check
    the main directory when a file is not found in the current directory;
    otherwise the rest of the code is executed.
    Note 2: Vulnerability: Full path disclosure. File has no security check.
    Note 3: Vulnerability: Full path disclosure. Possibility of SQL injection
    if the database abstraction layer can be executed while accessing this
    file.
    Note 4: Vulnerability: Full path disclosure, or the code can be made to
    execute by passing in proper variable values. File has no security check.
    Note 5: Vulnerability: Full path disclosure.
    Note 6: Rest of the code is executed. File has no security check.
    Note 7: Vulnerability: Full path disclosure on servers not set up to check
    the main directory when a file is not found in the current directory;
    otherwise the rest of the code is executed. File has no security check.
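    The verification the advisory asks of developers and users can be mechanised. The script below is an added example, not part of the advisory or of OSC2Nuke: it classifies each PHP file by the kind of access guard it carries, so an installation can be compared against the file list and notes above and checked for files the list may have missed. The function names, the constant-guard pattern and the sample sources are assumptions constructed for this example; the PHP_SELF pattern is the one quoted in the advisory.

```php
<?php
// Added example; not part of the advisory or the OSC2Nuke project.
// Function names, the constant-guard pattern and the samples are assumptions.

// Returns one of: 'weak_php_self', 'constant_guard', 'none'.
function classify_guard(string $src): string
{
    // eregi("modules.php", $_SERVER['PHP_SELF']) and variants such as
    // ereg("admin.php", $_SERVER["PHP_SELF"]) or the same via preg_match().
    $weak = '/\b(?:eregi?|preg_match)\s*\(\s*[\'"][^\'"]*[\'"]\s*,\s*'
          . '\$_SERVER\s*\[\s*[\'"]PHP_SELF[\'"]\s*\]/i';
    // if (!defined('SOME_CONST')) ...: a guard tied to the entry point, not the URL.
    $guard = '/!\s*defined\s*\(\s*[\'"][A-Za-z_][A-Za-z0-9_]*[\'"]\s*\)/';
    if (preg_match($guard, $src)) {
        return 'constant_guard';
    }
    if (preg_match($weak, $src)) {
        return 'weak_php_self';
    }
    return 'none';
}

// Walks a web root and groups every .php file by guard kind. Files under
// 'weak_php_self' and 'none' are the ones the advisory's notes describe.
function scan_tree(string $root): array
{
    $report = ['weak_php_self' => [], 'none' => [], 'constant_guard' => []];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $rel = substr($file->getPathname(), strlen(rtrim($root, '/')));
        $src = (string) file_get_contents($file->getPathname());
        $report[classify_guard($src)][] = $rel;
    }
    return $report;
}

// Constructed sample sources: the first two mirror what Note 1 and Note 2
// describe, the third shows a file after a constant guard has been added.
$samples = [
    'account.php (as shipped, Note 1)'   =>
        '<?php if (!eregi("modules.php", $_SERVER[\'PHP_SELF\'])) { die ("Access Denied"); } ?>',
    'download.php (as shipped, Note 2)'  =>
        '<?php echo "no check at all"; ?>',
    'index.php (after constant guard)'   =>
        '<?php if (!defined(\'MODULE_ENTRY\')) { exit; } ?>',
];
foreach ($samples as $label => $src) {
    printf("%-36s %s\n", $label, classify_guard($src));
}
// To check a real installation (path assumed): print_r(scan_tree('/var/www/html'));
```

    The regexes are deliberately loose so that renamed entry points (admin.php, index.php) are still caught; a file reported as 'none' needs a manual look, since a guard written in an unanticipated form is indistinguishable from no guard at all.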

    Credits -- Module Developers:
    Admin FAQ / Authors / AvantGo / Backup / Banners / Blocks / Comments /
    Content / Download / Encyclopedia / Ephemerids / Groups / Links / Messages
    / Modules / News / Newsletter / Polls / Recommend Us / Referers / Reviews
    / Search / Sections / Settings / Statistics / Stories / Stories Archive /
    Submit News / Surveys / Top / Topics / Users / Web Links:
    - Francisco Burzi (http://www.phpnuke.org)
    - chatserv (http://www.nukefixes.com) (http://www.nukeresources.com)

    Bookmarks / Journal / News / Tracking:
    - Paul Laudanski and his team from Computer Cops
    (http://www.computercops.biz)
     and NukeCops (http://www.nukecops.com/) "Official" PhpNuke Developers

    Admin FAQ:
    - Richard Tirtadji AKA King Richard (http://www.nukeaddon.com)
    - Hut*** Hermawan AKA hotFix (http://www.nukeaddon.com)

    AvantGo:
    - Tim Litwiller (http://linux.made-to-order.net)

    Backup:
    - Thomas Rudant (http://www.grunk.net) (http://www.securite-internet.org)

    Bookmarks:
    - David Moulton (http://www.themoultons.net)

    Comments:
    - Oleg [Dark Pastor] Martos (http://www.rolemancer.ru)

    Forums / Members List / Private Messages (PHPBB2 forums code ported to
    PHPNuke):
    - The phpBB Group (http://www.phpbb.com)
    - Tom Nitzschner (http://bbtonuke.sourceforge.net)
    (http://www.toms-home.com)
    - Paul Laudanski and his team from Computer Cops
    (http://www.computercops.biz)
     and NukeCops (http://www.nukecops.com/) "Official" PhpNuke Developers
    - chatserv (http://www.nukefixes.com) (http://www.nukeresources.com)

    Journal:
    - Joseph Howard (Member's Journal)
    - Trevor Scott (Atomic Journal)

    Links:
    - James Knickelbein (http://www.journeymilwaukee.com)

    Optimize:
    - Xavier JULIE (http://www.securite-internet.org)
    - chatserv (http://www.nukefixes.com) (http://www.nukeresources.com)

    osCommerce
    - The osCommerce Development Group (http://www.oscommerce.com)

    Resend Email:
    - Gaylen Fraley (http://gaylenandmargie.com/phpwebsite)
     
    Reviews:
    - Jeff Lambert (http://www.qchc.com)

    Statistics:
    - Harry Mangindaan (http://www.nuketest.com)
    - Sudirman (http://www.nuketest.com)

    Tracking:
    - WebStyle (http://www.wstyle.org)

    Web Links:
    - James Knickelbein (http://www.journeymilwaukee.com)

    WebMail:
    - Sivaprasad R.L (http://netlogger.net)
    - Don Grabowski (http://ecomjunk.com)
    - Akan Nkweini (http://www.p3mail.com)
    - Leo West

    Your Account:
    - Francisco Burzi (http://www.phpnuke.org)

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:squidsecurity@hushmail.com>
    Squid.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

