[VulnWatch] PHP-Nuke code execution and XSS vulnerabilities

From: Ulf Harnhammar (ulfh@update.uu.se)
Date: 12/16/02

  • Next message: NGSSoftware Insight Security Research: "[VulnWatch] zkfingerd 0.9.1 format string vulnerabilities (#NISR16122002A)"
    Date: Mon, 16 Dec 2002 16:36:02 +0100 (CET)
    From: Ulf Harnhammar <ulfh@update.uu.se>
    To: bugtraq@securityfocus.com

    PHP-Nuke code execution and XSS vulnerabilities

    VENDOR: Fransisco Burzi et al.
    HOMEPAGE: http://phpnuke.org/
    VULNERABLE VERSIONS: 6.0 (the only supported version)
    IMMUNE VERSIONS: 6.0 with my patch applied


    "PHP-Nuke is a Web portal and online community system which
    includes Web-based administration, surveys, access statistics,
    user customizable boxes, a themes manager for registered users,
    friendly administration GUI with graphic topic manager, the
    ability to edit or delete stories, an option to delete comments,
    a moderation system, referer tracking, integrated banner ad system,
    search engine, backend/headlines generation (RSS/RDF format), Web
    directory like Yahoo, events manager, and support for 20+ languages."

    (direct quote from the program's project page at Freshmeat)

    PHP-Nuke is published under the terms of the GNU General Public
    License. It is a very popular program with lots and lots of
    installations. It is included as one of the packages in Debian
    GNU/Linux and one of FreeBSD's ports.

    Despite all this, the program has a bad reputation regarding
    security matters.


    PHP-Nuke has a module that implements a web mail system. When a
    user reads an e-mail message with an attached file, the file in
    question is stored in a web accessible directory under its normal
    file name. Files with active web content, such as CGI or PHP scripts,
    are handled the same way.

    The module also has a cross-site scripting hole. Either problem
    is serious in its own right, but when we combine them, we end up
    with something very serious: an e-mail message that automatically
    executes an attached PHP script when someone opens it!


    As stated above, PHP-Nuke has got a web mail system, and it stores
    attachments under their real file names in a directory where anyone
    can surf to them.

    There is nothing in the code that stops active content, such as
    PHP scripts, from being stored in that directory. There is also no
    warning against this in the program's documentation. As a result, any
    attacker can execute any PHP script on the web server. The attacker
    first sends the script as an attachment to any user who will read
    that message in PHP-Nuke's web mail system. The attacker then waits
    for the user to open the message, and finally the attacker just
    surfs to a predictable WWW location. The user doesn't even have to
    open the attachment, just the mail that it comes in.

    As a bonus, the web mail system also has a Cross-Site Scripting
    vulnerability. It doesn't remove <script> tags in HTML based e-mail

    When we combine the two vulnerabilities, we find that it is possible
    to construct an e-mail message that will automatically execute an
    attached PHP script when an unsuspecting user opens that message!

    This is very bad, as PHP scripts can access files, databases and
    network resources. They can for instance store a C program in some
    temporary location, compile it and execute it.

    To make things even worse, the availability of anonymous remailers
    and the fact that the PHP script will be accessed from the victim's
    IP number and not the attacker's makes the attacker pretty anonymous.


    I didn't contact the vendor, as Fransisco has a very bad track
    record when it comes to replying to security reports.


    Instead I wrote an unofficial patch for this issue. I have patched
    against version 6.0.

    The patch stops this particular cross-site scripting problem by
    calling the filter_text() function. As Matthew Murphy has shown
    us earlier, this function is not particularly secure, so there are
    other XSS problems that may be exploited.

    The patch also stops PHP-Nuke from storing active web content, with
    a long regular expression that only stores explicitly allowed types
    of data. If your users receive weird types of data, you may have
    to change the regex slightly. It also stops "../../../" traversal
    attacks using the attachments' file names.

    The patch doesn't address the issue of attached Word documents or
    other files being available for anyone to download, if they know
    the URL.


    I have also attached an exploit for this issue, which changes all
    administrator passwords on the PHP-Nuke system to "ulf". The attacker
    simply sends an HTML mail with the contents of my xss.html file as
    the *mail body* and my adminexploit.php file as an attachment. As
    soon as the victim opens the mail, the script is executed.

    // Ulf Harnhammar
       VSU Security

    "I saw the worst minds of my generation / getting their political
     information from tabloids / listening to Savage Garden's greatest
     hits / getting married and having kids at 25 just 'cause the
     neighbours did / and building the worst administrative web-based
     members interface ever known to man" (To B.)