PHP-Nuke modules.php vulnerability and PHP error_reporting issue

From: Cabezon Aurélien (aurelien.cabezon@isecurelabs.com)
Date: 12/16/01


From: Cabezon Aurélien <aurelien.cabezon@isecurelabs.com>
To: <bugtraq@securityfocus.com>
Date: Sun, 16 Dec 2001 02:05:45 +0100


[ PHP-Nuke modules.php vulnerability and PHP error_reporting issue ]
16 December 2001, by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com

As you know, there are many cross-site scripting issues in PHP-Nuke modules
and in other web applications written in PHP.

This cross-site scripting issue has two causes:
[1] modules.php does not check the user-supplied name and file parameters
    before passing them to include()
[2] PHP echoes the offending value back, unescaped, in its error message

I found my website vulnerable to another cross-site scripting
vulnerability. I thought the problem was in XForum (a forum
module for PHP-Nuke).
It was, but it was also in the way that PHP reports errors and deals with
error messages.

---Vulnerable line in modules.php---
include("modules/$name/$file.php");
---Vulnerable line in modules.php---

Exploit:
http://host.com/modules.php?op=modload&name=XForum&file=[hostile
javascript]&fid=2

The hostile JavaScript could be {script}alert(document.cookie);{/script},
which displays your cookie.
Replace {} with <>.

This crafted URL causes modules.php to emit a PHP warning
like this:

---php error report---
Warning: Failed opening 'modules/XForum/.php' for inclusion
(include_path='') in /home/foo/htdocs/modules.php on line 27
---php error report---

When your browser displays this warning, it parses the hostile
JavaScript too: the value of the file parameter is written into the
warning without any escaping, so the visible text ends up reading
'modules/XForum/.php' while the script tag it carried has already run.

I found an easy and fast way to fix this problem and other cross-site
scripting issues regarding modules.php and other web applications using PHP:
just turn off PHP error reporting and wait for a fix from the PHP
development team :)
The error_reporting function should check for bad inputs.

Temp fix for PHP-Nuke modules.php:

---start of modules.php---
<?php
error_reporting(0); // Add this line: just turn off error_reporting

// original file
// $op, $name and $file arrive from the query string via register_globals

switch ($op) {

    case "modload":
        if (!isset($mainfile)) { include("mainfile.php"); }
        // refuse any ".." in either path component
        // (the original used ereg(), which was removed in PHP 7)
        if (preg_match('/\.\./', $name) || preg_match('/\.\./', $file)) {
            echo "You are so cool";
            break;
        } else {
            include("modules/$name/$file.php");
        }
        break;

    default:
        die("Sorry, you can't access this file directly...");
        break;

}
?>
---end of modules.php---
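Turning error_reporting off hides the warning, but it leaves include() consuming an unvalidated $name and $file, and it also discards the warnings an administrator would want in the log. As an added example (not the advisory's temporary fix and not PHP-Nuke's own code), the dispatcher below instead rejects anything that is not a plain identifier, confirms that the resolved path really lies under the modules directory, escapes whatever it echoes back, and keeps warnings out of the HTTP response with display_errors rather than silencing them. is_safe_component(), resolve_module_file() and MODULES_DIR are names chosen for this example, and the explicit $_GET reads replace the register_globals variables the original relied on.

```php
<?php
// Added example: a hardened replacement for the modload dispatcher above.
// Not PHP-Nuke code; helper names and MODULES_DIR are assumptions made here.

// 1. Never render PHP warnings into the page; log them instead. This closes
//    the channel the advisory describes (request data echoed inside a warning)
//    without throwing the diagnostics away.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Read the parameters explicitly instead of relying on register_globals.
$op   = isset($_GET['op'])   ? $_GET['op']   : '';
$name = isset($_GET['name']) ? $_GET['name'] : '';
$file = isset($_GET['file']) ? $_GET['file'] : '';

define('MODULES_DIR', __DIR__ . '/modules');

/**
 * Accept only a plain identifier: letters, digits, underscore, hyphen.
 * This rejects "..", "/", NUL, "<", ">" and everything else an attacker
 * needs for traversal or for HTML injection into an error message.
 * Arrays (name[]=x) are rejected by the is_string() check.
 */
function is_safe_component($s) {
    return is_string($s) && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $s) === 1;
}

/**
 * Resolve modules/<name>/<file>.php and confirm it lives under MODULES_DIR.
 * Returns the absolute path, or null when the request must be refused.
 * Refusing before include() means no "Failed opening" warning is ever raised.
 */
function resolve_module_file($name, $file) {
    if (!is_safe_component($name) || !is_safe_component($file)) {
        return null;
    }
    $base = realpath(MODULES_DIR);
    $path = realpath(MODULES_DIR . '/' . $name . '/' . $file . '.php');
    if ($base === false || $path === false) {
        return null; // module directory or file does not exist
    }
    // Belt-and-braces containment check: the allowlist above already forbids
    // traversal characters, but the resolved path must still start with
    // the modules directory (realpath() strips any trailing separator).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

switch ($op) {
    case 'modload':
        // mainfile.php is part of the PHP-Nuke layout shown in the advisory.
        if (!isset($mainfile)) { include 'mainfile.php'; }

        $target = resolve_module_file($name, $file);
        if ($target === null) {
            // Anything derived from the request is escaped before it is echoed,
            // so even a rejected value cannot inject markup.
            echo 'No such module: '
               . htmlspecialchars($name . '/' . $file, ENT_QUOTES, 'UTF-8');
            break;
        }
        include $target;
        break;

    default:
        die("Sorry, you can't access this file directly...");
}
```

With this in place the advisory's URL (file=<script>alert(document.cookie);</script>) fails is_safe_component() and never reaches include(), so there is no warning to reflect and the only thing echoed is the HTML-escaped parameter; a legitimate request such as name=XForum&file=index still resolves and includes normally.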

regards,

---
Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
http://www.iSecureLabs.com | French Security Portal