Phpnuke module.php vulnerability and php error_reporting issue

From: Cabezon Aurélien (
Date: 12/16/01

From: Cabezon Aurélien <>
To: <>
Date: Sun, 16 Dec 2001 02:05:45 +0100

[ Phpnuke module.php vulnerability and PHP error_reporting issue ]
on 16 December by Cabezon Aurélien

As you know, there are many cross-site scripting issues in Phpnuke modules
and other web applications using PHP.

There is a cross-site scripting issue because:
[1] there is a lack of checks on user input in module.php
[2] PHP does not deal well with error reporting

I found my website vulnerable to another cross-site scripting
vulnerability. I thought the problem was in XForum (forum
module for phpnuke).
It was, but it was also in the way that PHP reports errors and deals with
error messages.

---Vulnerable line in module.php---
---Vulnerable line in module.php---

Exploit :[hostile

Hostile JavaScript could be: {script}alert(document.cookie);{/script} which
displays your cookie.
Replace {} with <>.

This crafted URL causes the module.php script to produce a PHP error report
like this:

---php error report---
Warning: Failed opening 'modules/XForum/.php' for inclusion
(include_path='') in /home/foo/htdocs/modules.php on line 27
---php error report---

When your browser displays the error report, it parses the hostile
JavaScript too...
I found an easy and fast way to fix this problem and other cross-site
scripting issues regarding module.php and other web applications using PHP:
Just turn off PHP error reporting and wait for a fix from the PHP devel team :)
The error_reporting function should check for bad inputs.

Temp fix for phpnuke module.php:

---start of module.php---
error_reporting(0); //Add this line, Just turn off error_reporting

//original file

switch($op) {

    case "modload":
        if (!isset($mainfile)) { include("mainfile.php"); }
        if (ereg("\.\.",$name) || ereg("\.\.",$file)) {
            echo "You are so cool";
        } else {

        die ("Sorry, you can't access this file directly...");


---end of module.php---


Cabezon Aurélien | French Security Portal
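
The following is an added example, not part of the original post and not PHP-Nuke's own code. It shows one way to address both causes named above: the module name and file are checked against an allowlist before any include is attempted, and PHP diagnostics are sent to the server log instead of the page. It assumes PHP 7.1 or later and a modules/<name>/<file>.php layout; the function names and sample requests are hypothetical.

```php
<?php
// Added example, not PHP-Nuke code. Assumes PHP 7.1+ and modules stored as
// <base>/modules/<name>/<file>.php; all function names are hypothetical.

// Keep diagnostics out of the HTTP response; send them to the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Return the module file path, or null if the request is not acceptable.
function resolve_module(string $base, string $name, string $file): ?string
{
    // Allowlist: letters, digits, underscore, hyphen. Rejects "..", slashes,
    // empty values and HTML metacharacters in one check.
    $ok = '/\A[A-Za-z0-9_-]{1,64}\z/';
    if (!preg_match($ok, $name) || !preg_match($ok, $file)) {
        return null;
    }
    $path = "$base/modules/$name/$file.php";
    // Test for the file first so include never raises a warning that
    // carries request data.
    return is_file($path) ? $path : null;
}

function handle_modload(string $base, array $query): string
{
    // Non-string parameters (e.g. arrays) are treated as missing.
    $name = is_string($query['name'] ?? null) ? $query['name'] : '';
    $file = is_string($query['file'] ?? null) ? $query['file'] : 'index';
    $path = resolve_module($base, $name, $file);
    if ($path === null) {
        // Raw values go to the log only; the page gets escaped text.
        error_log('modload rejected: ' . json_encode([$name, $file]));
        return 'Module not found: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    }
    // A real loader would include $path here; the example only reports it.
    return "OK: would include $path";
}

// Constructed sample requests (not taken from the post).
$samples = [
    ['name' => 'XForum', 'file' => '<script>alert(1)</script>'],
    ['name' => '..', 'file' => 'index'],
    ['name' => '<b>x</b>', 'file' => 'index'],
];
foreach ($samples as $q) {
    echo handle_modload(__DIR__, $q), "\n";
}
```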