[UNIX] PHP-Nuke Inadequate Security Gives Rise to a Variety of Attack Methods
From: SecuriTeam (support_at_securiteam.com)
Date: 06/09/04
To: list@securiteam.com Date: 9 Jun 2004 19:51:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHP-Nuke Inadequate Security Gives Rise to a Variety of Attack Methods
------------------------------------------------------------------------
SUMMARY
" <http://www.phpnuke.org/> PHP-Nuke is a news automated system specially
designed to be used in Intranets and Internet. The Administrator has total
control of his web site, registered users, and he will have in the hand a
powerful assembly of tools to maintain an active and 100% interactive web
site using databases". Because of a flaw in PHP-Nuke's file-access check,
the check can be bypassed, which enables attacks of varying severity.
DETAILS
Vulnerable Systems:
* PHP-Nuke version 7.3 and prior
To prevent include files from being requested directly by outside
visitors, the developers of PHP-Nuke's core, modules and patches added a
simple security check. When the check's condition is met, script execution
is aborted or redirected elsewhere. What the check actually does is compare
the path and file name of the currently executing script against an
expected script name.
This is done by matching the contents of the $_SERVER['PHP_SELF'] global
variable with PHP's built-in function eregi(). A simple version of such a
check looks roughly like:
if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
In this example, a file containing the above snippet continues executing
whenever the value of PHP_SELF contains the characters "admin.php" (without
quotes) anywhere, which is the case when the file is included by admin.php.
Otherwise the script aborts and returns the words "Access Denied".
Using eregi() together with the logical NOT operator, as PHP-Nuke's
developers did, is a very poor way to control file access: eregi() only
looks for a substring, so anyone can append the missing component to the
URL and make the condition always evaluate to false, which disables the
check. An exploitation example is simply something like:
http://www.domain.com/admin/case/case.adminfaq.php/admin.php op=FaqCatGo
In most cases, however, this issue only yields full path disclosure. In
some isolated cases execution continues and grants access to restricted
areas. Servers set up to fall back to the main directory when a file is not
found in the current one are likely to see a higher proportion of unwanted
access and a lower proportion of full path disclosures than others.
There are many affected files. Most of them are listed below, each with a
vulnerability number; the table following the list describes what exactly
the problem is in a given script:
Vulnerability 1 --> /admin/case/case.adminfaq.php
Vulnerability 1 --> /admin/case/case.authors.php
Vulnerability 1 --> /admin/case/case.backup.php
Vulnerability 1 --> /admin/case/case.banners.php
Vulnerability 1 --> /admin/case/case.blocks.php
Vulnerability 1 --> /admin/case/case.comments.php
Vulnerability 1 --> /admin/case/case.content.php
Vulnerability 1 --> /admin/case/case.download.php
Vulnerability 1 --> /admin/case/case.encyclopedia.php
Vulnerability 1 --> /admin/case/case.ephemerids.php
Vulnerability 1 --> /admin/case/case.forums.php
Vulnerability 1 --> /admin/case/case.groups.php
Vulnerability 1 --> /admin/case/case.links.php
Vulnerability 1 --> /admin/case/case.messages.php
Vulnerability 1 --> /admin/case/case.modules.php
Vulnerability 1 --> /admin/case/case.newsletter.php
Vulnerability 1 --> /admin/case/case.optimize.php
Vulnerability 1 --> /admin/case/case.polls.php
Vulnerability 1 --> /admin/case/case.referers.php
Vulnerability 1 --> /admin/case/case.reviews.php
Vulnerability 1 --> /admin/case/case.sections.php
Vulnerability 1 --> /admin/case/case.settings.php
Vulnerability 1 --> /admin/case/case.stories.php
Vulnerability 1 --> /admin/case/case.topics.php
Vulnerability 1 --> /admin/case/case.users.php
Vulnerability 2 --> /admin/links/links.addstory.php
Vulnerability 2 --> /admin/links/links.backup.php
Vulnerability 2 --> /admin/links/links.banners.php
Vulnerability 2 --> /admin/links/links.blocks.php
Vulnerability 2 --> /admin/links/links.content.php
Vulnerability 2 --> /admin/links/links.download.php
Vulnerability 2 --> /admin/links/links.editadmins.php
Vulnerability 2 --> /admin/links/links.editusers.php
Vulnerability 2 --> /admin/links/links.encyclopedia.php
Vulnerability 2 --> /admin/links/links.ephemerids.php
Vulnerability 2 --> /admin/links/links.faq.php
Vulnerability 2 --> /admin/links/links.forums.php
Vulnerability 2 --> /admin/links/links.groups.php
Vulnerability 2 --> /admin/links/links.httpreferers.php
Vulnerability 2 --> /admin/links/links.messages.php
Vulnerability 2 --> /admin/links/links.modules.php
Vulnerability 2 --> /admin/links/links.newsletter.php
Vulnerability 2 --> /admin/links/links.optimize.php
Vulnerability 2 --> /admin/links/links.reviews.php
Vulnerability 2 --> /admin/links/links.sections.php
Vulnerability 2 --> /admin/links/links.settings.php
Vulnerability 2 --> /admin/links/links.submissions.php
Vulnerability 2 --> /admin/links/links.surveys.php
Vulnerability 2 --> /admin/links/links.topics.php
Vulnerability 2 --> /admin/links/links.weblinks.php
Vulnerability 3 --> /admin/modules/adminfaq.php
Vulnerability 3 --> /admin/modules/authors.php
Vulnerability 3 --> /admin/modules/backup.php
Vulnerability 3 --> /admin/modules/banners.php
Vulnerability 3 --> /admin/modules/blocks.php
Vulnerability 3 --> /admin/modules/comments.php
Vulnerability 3 --> /admin/modules/content.php
Vulnerability 3 --> /admin/modules/download.php
Vulnerability 3 --> /admin/modules/encyclopedia.php
Vulnerability 3 --> /admin/modules/ephemerids.php
Vulnerability 3 --> /admin/modules/forums.php
Vulnerability 3 --> /admin/modules/groups.php
Vulnerability 3 --> /admin/modules/links.php
Vulnerability 3 --> /admin/modules/messages.php
Vulnerability 3 --> /admin/modules/modules.php
Vulnerability 3 --> /admin/modules/newsletter.php
Vulnerability 3 --> /admin/modules/optimize.php
Vulnerability 3 --> /admin/modules/polls.php
Vulnerability 3 --> /admin/modules/referers.php
Vulnerability 3 --> /admin/modules/reviews.php
Vulnerability 3 --> /admin/modules/sections.php
Vulnerability 3 --> /admin/modules/settings.php
Vulnerability 3 --> /admin/modules/stories.php
Vulnerability 3 --> /admin/modules/topics.php
Vulnerability 3 --> /admin/modules/users.php
Vulnerability 4 --> /db/db.php
Vulnerability 1 --> /modules/AvantGo/index.php
Vulnerability 1 --> /modules/AvantGo/print.php
Vulnerability 1 --> /modules/Content/index.php
Vulnerability 1 --> /modules/Downloads/index.php
Vulnerability 5 --> /modules/Downloads/voteinclude.php
Vulnerability 1 --> /modules/Encyclopedia/index.php
Vulnerability 1 --> /modules/Encyclopedia/search.php
Vulnerability 1 --> /modules/FAQ/index.php
Vulnerability 1 --> /modules/Feedback/index.php
Vulnerability 1 --> /modules/Forums/faq.php
Vulnerability 1 --> /modules/Forums/groupcp.php
Vulnerability 1 --> /modules/Forums/index.php
Vulnerability 1 --> /modules/Forums/login.php
Vulnerability 1 --> /modules/Forums/modcp.php
Vulnerability 1 --> /modules/Forums/nukebb.php
Vulnerability 1 --> /modules/Forums/posting.php
Vulnerability 1 --> /modules/Forums/profile.php
Vulnerability 1 --> /modules/Forums/search.php
Vulnerability 1 --> /modules/Forums/update_to_205.php
Vulnerability 1 --> /modules/Forums/update_to_206.php
Vulnerability 1 --> /modules/Forums/update_to_207.php
Vulnerability 1 --> /modules/Forums/viewforum.php
Vulnerability 1 --> /modules/Forums/viewonline.php
Vulnerability 1 --> /modules/Forums/viewtopic.php
Vulnerability 1 --> /modules/Journal/add.php
Vulnerability 1 --> /modules/Journal/comment.php
Vulnerability 1 --> /modules/Journal/commentkill.php
Vulnerability 1 --> /modules/Journal/commentsave.php
Vulnerability 1 --> /modules/Journal/delete.php
Vulnerability 1 --> /modules/Journal/deleteyes.php
Vulnerability 1 --> /modules/Journal/display.php
Vulnerability 1 --> /modules/Journal/edit.php
Vulnerability 1 --> /modules/Journal/friend.php
Vulnerability 1 --> /modules/Journal/functions.php
Vulnerability 1 --> /modules/Journal/index.php
Vulnerability 1 --> /modules/Journal/modify.php
Vulnerability 1 --> /modules/Journal/savenew.php
Vulnerability 1 --> /modules/Journal/search.php
Vulnerability 1 --> /modules/Members_List/index.php
Vulnerability 1 --> /modules/News/article.php
Vulnerability 1 --> /modules/News/associates.php
Vulnerability 1 --> /modules/News/categories.php
Vulnerability 1 --> /modules/News/comments.php
Vulnerability 1 --> /modules/News/friend.php
Vulnerability 1 --> /modules/News/index.php
Vulnerability 1 --> /modules/News/print.php
Vulnerability 3 --> /modules/Private_Messages/index.php
Vulnerability 1 --> /modules/Recommend_Us/index.php
Vulnerability 1 --> /modules/Reviews/index.php
Vulnerability 1 --> /modules/Search/index.php
Vulnerability 1 --> /modules/Sections/index.php
Vulnerability 1 --> /modules/Statistics/index.php
Vulnerability 1 --> /modules/Stories_Archive/index.php
Vulnerability 1 --> /modules/Submit_News/index.php
Vulnerability 1 --> /modules/Surveys/comments.php
Vulnerability 1 --> /modules/Surveys/index.php
Vulnerability 1 --> /modules/Top/index.php
Vulnerability 1 --> /modules/Topics/index.php
Vulnerability 1 --> /modules/Web_Links/index.php
Vulnerability 5 --> /modules/Web_Links/voteinclude.php
Vulnerability 1 --> /modules/Your_Account/index.php
Vulnerability 1 --> /modules/Your_Account/navbar.php
** Some earlier PHP-Nuke versions ship the WebMail module, which is also
affected by this weakness.
Vulnerability 1: Full path disclosure on servers not set up to check the
main directory when a file is not found in the current directory;
otherwise the rest of the code is executed.
Vulnerability 2: Full path disclosure. The file has no security check.
Vulnerability 3: Full path disclosure. Possible SQL injection if the
database abstraction layer can be executed while accessing this file.
Vulnerability 4: Full path disclosure, or the code can be made to execute
by passing in proper variable values. The file has no security check.
Vulnerability 5: Full path disclosure on servers not set up to check the
main directory when a file is not found in the current directory;
otherwise the rest of the code is executed. The file has no security
check.
ADDITIONAL INFORMATION
The information has been provided by <mailto:squidsecurity@hushmail.com>
Squid.