[UNIX] PHP-Nuke Inadequate Security Gives Rise to a Variety of Attack Methods

From: SecuriTeam (support_at_securiteam.com)
Date: 06/09/04

    To: list@securiteam.com
    Date: 9 Jun 2004 19:51:46 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      PHP-Nuke Inadequate Security Gives Rise to a Variety of Attack Methods
    ------------------------------------------------------------------------

    SUMMARY

    "PHP-Nuke (http://www.phpnuke.org/) is a news automated system specially
    designed to be used in Intranets and Internet. The Administrator has total
    control of his web site, registered users, and he will have in the hand a
    powerful assembly of tools to maintain an active and 100% interactive web
    site using databases." Due to a problem in the security checker of
    PHP-Nuke, it is possible to fool it and perform different levels of
    attacks.

    DETAILS

    Vulnerable Systems:
     * PHP-Nuke version 7.3 and prior

    In an effort to keep files from being requested directly by outside
    visitors, PHP-Nuke's core, module, and patch developers added a simple
    security check. If the check's condition is met, script execution is
    aborted or redirected elsewhere. What is actually done is a substring
    comparison between the path (and filename) of the currently executing
    script, as reported by the web server, and the expected script name.

    This is done by matching the contents of the $_SERVER['PHP_SELF'] global
    variable with PHP's built-in function eregi(). A simple version of such a
    check looks roughly like:

    if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }

    In this example, a file containing the above snippet continues execution
    only when the requested script path contains the letters "admin.php"
    (without quotes); the intent is that the file runs only when it has been
    included by admin.php. Otherwise the script aborts, returning the words
    "Access Denied".

    Using eregi() with the NOT logical operator, as PHP-Nuke's developers did,
    is a very poor way to control file access, because anyone can manipulate
    the URL and append the missing component, so that the negated check always
    evaluates to false and die() is never reached. PHP_SELF reflects the
    request path as the web server saw it, including any extra path
    information appended after the script name, so the check is satisfied by a
    request such as:
    http://www.domain.com/admin/case/case.adminfaq.php/admin.php op=FaqCatGo
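    The following added example (written for this page, not PHP-Nuke's own code) puts the substring check described above beside a guard that never looks at the request. The three PHP_SELF values are constructed; the constant name ADMIN_FILE is an assumption chosen for illustration, and eregi() is replaced by preg_match() because eregi() no longer exists in current PHP.

```php
<?php
// Added example, not PHP-Nuke's own code: the substring check described in
// the advisory beside a guard that cannot be influenced by the request URL.
// The request paths below are constructed for illustration.

// The weak check: is "admin.php" a substring of $_SERVER['PHP_SELF']?
// (eregi() was removed in PHP 7; preg_match with /i is the equivalent.)
function weak_check(string $php_self): bool
{
    return preg_match('/admin\.php/i', $php_self) === 1;
}

// A guard that does not look at the request at all: the real entry script
// (admin.php) defines a constant before including its sub-scripts, and each
// sub-script refuses to run unless that constant exists. No URL can set it.
// ADMIN_FILE is an assumed name for this example.
function guard_allows(): bool
{
    return defined('ADMIN_FILE') && ADMIN_FILE === true;
}

// With Apache, PHP_SELF is SCRIPT_NAME plus any PATH_INFO that followed the
// script in the URL, so the third request carries "admin.php" into PHP_SELF
// even though the script actually served is case.adminfaq.php.
$php_self_values = [
    '/admin.php',                              // the legitimate entry point
    '/admin/case/case.adminfaq.php',           // sub-script requested directly
    '/admin/case/case.adminfaq.php/admin.php', // same, with PATH_INFO appended
];

foreach ($php_self_values as $php_self) {
    printf("%-42s weak check: %s\n", $php_self,
        weak_check($php_self) ? 'allowed' : 'denied');
}

// A sub-script hit directly never sees ADMIN_FILE, whatever the URL looks like.
printf("direct request, constant guard: %s\n",
    guard_allows() ? 'allowed' : 'denied');

// This is what admin.php itself would do before include()-ing a sub-script.
define('ADMIN_FILE', true);
printf("included from admin.php, constant guard: %s\n",
    guard_allows() ? 'allowed' : 'denied');
```

    Run with `php example.php`: the first and third PHP_SELF values pass the weak check, the second is denied, and the constant guard denies every direct request until admin.php has defined the constant. Comparing the basename of SCRIPT_NAME (which excludes PATH_INFO) would close the specific trick in the advisory, but it still ties access control to a request-derived value; the define() guard checks the inclusion context itself, which is what the original check was trying to approximate.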

    In most cases, however, this issue only yields full path disclosure: the
    directly requested file fails to find what it expects to include, and
    PHP's error messages reveal the absolute path on disk. In some isolated
    cases execution continues and gives access to restricted areas. Servers
    set up to fall back to the main directory when a file is not located in
    the current one will see a higher proportion of unwanted access and a
    lower proportion of full path disclosures than others.

    Many affected files are listed below; the vulnerability description table
    that follows the list explains what exactly the problem is in a given
    script:
    Vulnerability 1 --> /admin/case/case.adminfaq.php
    Vulnerability 1 --> /admin/case/case.authors.php
    Vulnerability 1 --> /admin/case/case.backup.php
    Vulnerability 1 --> /admin/case/case.banners.php
    Vulnerability 1 --> /admin/case/case.blocks.php
    Vulnerability 1 --> /admin/case/case.comments.php
    Vulnerability 1 --> /admin/case/case.content.php
    Vulnerability 1 --> /admin/case/case.download.php
    Vulnerability 1 --> /admin/case/case.encyclopedia.php
    Vulnerability 1 --> /admin/case/case.ephemerids.php
    Vulnerability 1 --> /admin/case/case.forums.php
    Vulnerability 1 --> /admin/case/case.groups.php
    Vulnerability 1 --> /admin/case/case.links.php
    Vulnerability 1 --> /admin/case/case.messages.php
    Vulnerability 1 --> /admin/case/case.modules.php
    Vulnerability 1 --> /admin/case/case.newsletter.php
    Vulnerability 1 --> /admin/case/case.optimize.php
    Vulnerability 1 --> /admin/case/case.polls.php
    Vulnerability 1 --> /admin/case/case.referers.php
    Vulnerability 1 --> /admin/case/case.reviews.php
    Vulnerability 1 --> /admin/case/case.sections.php
    Vulnerability 1 --> /admin/case/case.settings.php
    Vulnerability 1 --> /admin/case/case.stories.php
    Vulnerability 1 --> /admin/case/case.topics.php
    Vulnerability 1 --> /admin/case/case.users.php
    Vulnerability 2 --> /admin/links/links.addstory.php
    Vulnerability 2 --> /admin/links/links.backup.php
    Vulnerability 2 --> /admin/links/links.banners.php
    Vulnerability 2 --> /admin/links/links.blocks.php
    Vulnerability 2 --> /admin/links/links.content.php
    Vulnerability 2 --> /admin/links/links.download.php
    Vulnerability 2 --> /admin/links/links.editadmins.php
    Vulnerability 2 --> /admin/links/links.editusers.php
    Vulnerability 2 --> /admin/links/links.encyclopedia.php
    Vulnerability 2 --> /admin/links/links.ephemerids.php
    Vulnerability 2 --> /admin/links/links.faq.php
    Vulnerability 2 --> /admin/links/links.forums.php
    Vulnerability 2 --> /admin/links/links.groups.php
    Vulnerability 2 --> /admin/links/links.httpreferers.php
    Vulnerability 2 --> /admin/links/links.messages.php
    Vulnerability 2 --> /admin/links/links.modules.php
    Vulnerability 2 --> /admin/links/links.newsletter.php
    Vulnerability 2 --> /admin/links/links.optimize.php
    Vulnerability 2 --> /admin/links/links.reviews.php
    Vulnerability 2 --> /admin/links/links.sections.php
    Vulnerability 2 --> /admin/links/links.settings.php
    Vulnerability 2 --> /admin/links/links.submissions.php
    Vulnerability 2 --> /admin/links/links.surveys.php
    Vulnerability 2 --> /admin/links/links.topics.php
    Vulnerability 2 --> /admin/links/links.weblinks.php
    Vulnerability 3 --> /admin/modules/adminfaq.php
    Vulnerability 3 --> /admin/modules/authors.php
    Vulnerability 3 --> /admin/modules/backup.php
    Vulnerability 3 --> /admin/modules/banners.php
    Vulnerability 3 --> /admin/modules/blocks.php
    Vulnerability 3 --> /admin/modules/comments.php
    Vulnerability 3 --> /admin/modules/content.php
    Vulnerability 3 --> /admin/modules/download.php
    Vulnerability 3 --> /admin/modules/encyclopedia.php
    Vulnerability 3 --> /admin/modules/ephemerids.php
    Vulnerability 3 --> /admin/modules/forums.php
    Vulnerability 3 --> /admin/modules/groups.php
    Vulnerability 3 --> /admin/modules/links.php
    Vulnerability 3 --> /admin/modules/messages.php
    Vulnerability 3 --> /admin/modules/modules.php
    Vulnerability 3 --> /admin/modules/newsletter.php
    Vulnerability 3 --> /admin/modules/optimize.php
    Vulnerability 3 --> /admin/modules/polls.php
    Vulnerability 3 --> /admin/modules/referers.php
    Vulnerability 3 --> /admin/modules/reviews.php
    Vulnerability 3 --> /admin/modules/sections.php
    Vulnerability 3 --> /admin/modules/settings.php
    Vulnerability 3 --> /admin/modules/stories.php
    Vulnerability 3 --> /admin/modules/topics.php
    Vulnerability 3 --> /admin/modules/users.php
    Vulnerability 4 --> /db/db.php
    Vulnerability 1 --> /modules/AvantGo/index.php
    Vulnerability 1 --> /modules/AvantGo/print.php
    Vulnerability 1 --> /modules/Content/index.php
    Vulnerability 1 --> /modules/Downloads/index.php
    Vulnerability 5 --> /modules/Downloads/voteinclude.php
    Vulnerability 1 --> /modules/Encyclopedia/index.php
    Vulnerability 1 --> /modules/Encyclopedia/search.php
    Vulnerability 1 --> /modules/FAQ/index.php
    Vulnerability 1 --> /modules/Feedback/index.php
    Vulnerability 1 --> /modules/Forums/faq.php
    Vulnerability 1 --> /modules/Forums/groupcp.php
    Vulnerability 1 --> /modules/Forums/index.php
    Vulnerability 1 --> /modules/Forums/login.php
    Vulnerability 1 --> /modules/Forums/modcp.php
    Vulnerability 1 --> /modules/Forums/nukebb.php
    Vulnerability 1 --> /modules/Forums/posting.php
    Vulnerability 1 --> /modules/Forums/profile.php
    Vulnerability 1 --> /modules/Forums/search.php
    Vulnerability 1 --> /modules/Forums/update_to_205.php
    Vulnerability 1 --> /modules/Forums/update_to_206.php
    Vulnerability 1 --> /modules/Forums/update_to_207.php
    Vulnerability 1 --> /modules/Forums/viewforum.php
    Vulnerability 1 --> /modules/Forums/viewonline.php
    Vulnerability 1 --> /modules/Forums/viewtopic.php
    Vulnerability 1 --> /modules/Journal/add.php
    Vulnerability 1 --> /modules/Journal/comment.php
    Vulnerability 1 --> /modules/Journal/commentkill.php
    Vulnerability 1 --> /modules/Journal/commentsave.php
    Vulnerability 1 --> /modules/Journal/delete.php
    Vulnerability 1 --> /modules/Journal/deleteyes.php
    Vulnerability 1 --> /modules/Journal/display.php
    Vulnerability 1 --> /modules/Journal/edit.php
    Vulnerability 1 --> /modules/Journal/friend.php
    Vulnerability 1 --> /modules/Journal/functions.php
    Vulnerability 1 --> /modules/Journal/index.php
    Vulnerability 1 --> /modules/Journal/modify.php
    Vulnerability 1 --> /modules/Journal/savenew.php
    Vulnerability 1 --> /modules/Journal/search.php
    Vulnerability 1 --> /modules/Members_List/index.php
    Vulnerability 1 --> /modules/News/article.php
    Vulnerability 1 --> /modules/News/associates.php
    Vulnerability 1 --> /modules/News/categories.php
    Vulnerability 1 --> /modules/News/comments.php
    Vulnerability 1 --> /modules/News/friend.php
    Vulnerability 1 --> /modules/News/index.php
    Vulnerability 1 --> /modules/News/print.php
    Vulnerability 3 --> /modules/Private_Messages/index.php
    Vulnerability 1 --> /modules/Recommend_Us/index.php
    Vulnerability 1 --> /modules/Reviews/index.php
    Vulnerability 1 --> /modules/Search/index.php
    Vulnerability 1 --> /modules/Sections/index.php
    Vulnerability 1 --> /modules/Statistics/index.php
    Vulnerability 1 --> /modules/Stories_Archive/index.php
    Vulnerability 1 --> /modules/Submit_News/index.php
    Vulnerability 1 --> /modules/Surveys/comments.php
    Vulnerability 1 --> /modules/Surveys/index.php
    Vulnerability 1 --> /modules/Top/index.php
    Vulnerability 1 --> /modules/Topics/index.php
    Vulnerability 1 --> /modules/Web_Links/index.php
    Vulnerability 5 --> /modules/Web_Links/voteinclude.php
    Vulnerability 1 --> /modules/Your_Account/index.php
    Vulnerability 1 --> /modules/Your_Account/navbar.php

    ** Some of PHPNuke's earlier versions contain the WebMail module that is
    also affected by this security weakness.

    Vulnerability 1: Full path disclosure on servers not set up to check the
    main directory when a file is not located in the current directory;
    otherwise the rest of the code is executed.

    Vulnerability 2: Full path disclosure. The file has no security check.

    Vulnerability 3: Full path disclosure. Possibility of SQL injection if the
    database abstraction layer can be executed while accessing this file.

    Vulnerability 4: Full path disclosure, or the code can be made to execute
    by passing in proper variable values. The file has no security check.

    Vulnerability 5: Full path disclosure on servers not set up to check the
    main directory when a file is not located in the current directory;
    otherwise the rest of the code is executed. The file has no security
    check.
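    From the defender's side, both the PATH_INFO trick and direct requests to the admin include files listed above leave a recognisable trace in web-server access logs. The following added example (not part of the advisory) scans a few constructed Combined Log Format lines and flags requests whose path has extra path information ending in admin.php after a .php script, and requests that hit the /admin/case, /admin/links or /admin/modules include directories directly. The log lines, IP addresses and the set of flagged directories are constructed for the example.

```php
<?php
// Added example, not part of the advisory: flag access-log entries that show
// the PATH_INFO trick or direct requests to PHP-Nuke admin include files.
// The log lines below are constructed; addresses are documentation ranges.

const LOG_LINES = [
    '203.0.113.5 - - [09/Jun/2004:19:51:46 +0200] "GET /admin.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [09/Jun/2004:19:52:01 +0200] "GET /admin/case/case.adminfaq.php/admin.php?op=FaqCatGo HTTP/1.1" 200 812',
    '198.51.100.7 - - [09/Jun/2004:19:53:10 +0200] "GET /modules/News/index.php HTTP/1.1" 200 4000',
    '198.51.100.7 - - [09/Jun/2004:19:53:12 +0200] "GET /admin/links/links.faq.php HTTP/1.1" 200 300',
];

// Pull the request target out of a Common/Combined Log Format line.
function request_path(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/\d\.\d"/', $line, $m)) {
        return null;
    }
    return $m[1];
}

// Return a reason when the request looks like an attempt to fool the
// PHP_SELF check or to reach an admin include directly, otherwise null.
function classify(string $target): ?string
{
    $path = strtok($target, '?'); // drop the query string, keep the path

    // Anything after a ".php" segment is PATH_INFO; a trailing "admin.php"
    // there is exactly the string that satisfies the eregi() check.
    if (preg_match('#\.php/.*admin\.php$#i', $path)) {
        return 'PATH_INFO spoof of admin.php';
    }

    // The admin include directories (assumed set for this example) hold
    // files meant to be included by admin.php, never requested on their own.
    if (preg_match('#^/admin/(case|links|modules)/[^/]+\.php$#i', $path)) {
        return 'direct request to admin include';
    }

    return null;
}

// Scan the lines and collect [path, reason] pairs for anything suspicious.
function scan(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $target = request_path($line);
        if ($target === null) {
            continue;
        }
        $reason = classify($target);
        if ($reason !== null) {
            $hits[] = [$target, $reason];
        }
    }
    return $hits;
}

foreach (scan(LOG_LINES) as [$target, $reason]) {
    echo "$reason: $target\n";
}
```

    On the constructed input the second and fourth lines are reported, the legitimate /admin.php request and the public News module request are not. The first rule is the more reliable signal, since a ".php/" segment followed by "admin.php" has no legitimate use in PHP-Nuke; the second rule will also fire on scanners and on the full path disclosure probes the advisory describes, which is useful in itself.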

    ADDITIONAL INFORMATION

    The information has been provided by Squid (squidsecurity@hushmail.com).

