Phpnuke module.php vulnerability and php error_reporting issue

From: Cabezon Aurélien (aurelien.cabezon@isecurelabs.com)
Date: 12/16/01


From: Cabezon Aurélien <aurelien.cabezon@isecurelabs.com>
To: <bugtraq@securityfocus.com>
Date: Sun, 16 Dec 2001 02:05:45 +0100


[ Phpnuke module.php vulnerability and PHP error_reporting issue ]
on 16 December by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com

As you know, there are many cross site scripting issues in Phpnuke modules
and other web applications using PHP.

There is a cross site scripting issue because:
[1] there is a lack of checks on user input in module.php
[2] PHP does not deal well with error reporting

I found my website vulnerable to another cross site scripting
vulnerability; I thought the problem was in XForum (forum
module for phpnuke).
It was, but it was also in the way that PHP reports errors and deals with
error messages.

---Vulnerable line in module.php---
include("modules/$name/$file.php");
---Vulnerable line in module.php---

Exploit:
http://host.com/modules.php?op=modload&name=XForum&file=[hostile javascript]&fid=2

Hostile javascript could be: {script}alert(document.cookie);{/script}, which
displays your cookie.
Replace {} by <>.

This crafted URL causes the module.php script to produce a PHP error report
like this:

---php error report---
Warning: Failed opening 'modules/XForum/.php' for inclusion
(include_path='') in /home/foo/htdocs/modules.php on line 27
---php error report---

When your browser displays the error report, it parses the hostile
javascript too...
I found an easy and fast way to fix this problem and other cross site
scripting issues regarding module.php and other web applications using PHP:
just turn off PHP error reporting and wait for a fix from the PHP devel team :)
The error_reporting function should check for bad inputs.

Temp fix for phpnuke module.php:

---start of module.php---
<?php
error_reporting(0); // Add this line: just turn off error_reporting

// original file

switch ($op) {

    case "modload":
        if (!isset($mainfile)) { include("mainfile.php"); }
        // Reject a ".." anywhere in the module or file name (directory
        // traversal check); ereg() is the PHP 4 regex function used by
        // the original file and was removed in PHP 7.
        if (ereg("\.\.", $name) || ereg("\.\.", $file)) {
            echo "You are so cool";
            break;
        } else {
            include("modules/$name/$file.php");
        }
        break;

    default:
        die("Sorry, you can't access this file directly...");
        break;

}
?>
---end of module.php---

regards,

---
Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
http://www.iSecureLabs.com | French Security Portal
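The following is a hardened version of the modload dispatcher, added here as an example; it is not PHP-Nuke's code nor the post author's temp fix. It assumes PHP 7.1 or later, the same modules/<name>/<file>.php layout the post describes, and reads the request parameters explicitly from $_GET instead of relying on register_globals; isSafeComponent() and resolveModuleScript() are names invented for this example. Instead of silencing everything with error_reporting(0), it keeps errors logged but not displayed, rejects any module or file name outside a strict allowlist before include() has a chance to emit a warning, and HTML-escapes anything it echoes back, so the reflected-input path the post describes is closed rather than hidden.

```php
<?php
// Added example, not PHP-Nuke's own modules.php: a modload dispatcher that
// validates its inputs instead of relying on error suppression.

// Keep PHP errors out of the response body but still in the server log.
// This is the safer counterpart of the post's error_reporting(0): the
// warning that carried the reflected input never reaches the browser, yet
// operators can still see it in the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Allowlist: a module or file name is 1..64 characters from [A-Za-z0-9_-].
// This rejects "..", "/", "<", ">", quotes, NUL bytes and everything else
// that could escape the modules directory or inject markup.
function isSafeComponent(string $value): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value);
}

// Resolve modules/<name>/<file>.php and confirm it is an existing regular
// file below the modules directory. Returns null on any failure, so the
// caller never hands an unverified path to include().
function resolveModuleScript(string $baseDir, string $name, string $file): ?string
{
    if (!isSafeComponent($name) || !isSafeComponent($file)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '/' . $file . '.php');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Belt and braces: the resolved path must still sit under modules/.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Explicit request parameters (no register_globals); 'index' is an
// assumed default for the module's entry file.
$op   = $_GET['op']   ?? '';
$name = $_GET['name'] ?? '';
$file = $_GET['file'] ?? 'index';

switch ($op) {
    case 'modload':
        if (!isset($mainfile)) {
            include 'mainfile.php';
        }
        $script = resolveModuleScript(__DIR__ . '/modules', $name, $file);
        if ($script === null) {
            // Anything derived from the request is HTML-escaped before it is
            // echoed, so even this error page cannot reflect a script tag.
            http_response_code(404);
            echo 'Unknown module: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
            break;
        }
        include $script;
        break;

    default:
        die("Sorry, you can't access this file directly...");
}
```

With this in place the request from the post (file=<script>...) fails the allowlist before include() runs, so no warning is generated at all; a request for a genuinely missing module produces a logged error and an escaped 404 body rather than a raw PHP warning, which is the behaviour to verify when testing the change.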


