Multiple Full Path Disclosures in php-nuke 7.6 (and below)

From: Luis Fernando (spiderkid_at_gmail.com)
Date: 04/29/05

  • Next message: Mandriva Security Team: "MDKSA-2005:079 - Updated perl packages to fix rmtree vulnerability"
    Date: Fri, 29 Apr 2005 10:15:44 -0300
    To: bugtraq@securityfocus.com
    
    

    Multiple Full Path Disclosures in php-nuke 7.6 (and below)
    ---------------------------------------------------------------------------

    Author: project-restart
    Date: 27. April 2005
    Location: Brazil
    Web: http://www.project-restart.org/
    Target: PHP-nuke 7.6 (and below)

    ---------------------------------------------------------------------------
    Target software description:
    PHP-Nuke is a popular open-source content management system, written in PHP by
    Francisco Burzi. This CMS is used on many thousands of websites because it is
    freeware (7.7 is not), easy to install and manage, and has a broad set of features.

    Homepage: http://phpnuke.org
    ---------------------------------------------------------------------------

    Vulnerabilities found by luis <luis@project-restart.org>

    ########################### Vuln1

    File: includes/ipban.php
    (http://localhost/nuke76/includes/ipban.php)

    -----------/includes/ipban.php--------------
    15: global $prefix, $db;
    16: $ip = $_SERVER["REMOTE_ADDR"];
    17: $numrow = $db->sql_numrows($db->sql_query("SELECT id FROM ".$prefix."_banned_ip WHERE ip_address='$ip'"));
    18: if ($numrow != 0) {
    19: echo "<br><br><center><img src='images\admin\ipban.gif'><br><br><b>You has been banned by the administrator</b></center>";
    20: die();
    21: }
    --------------------------------------------

    Result:
    Fatal error: Call to a member function on a non-object in
     /home/localhost/public_html/nuke76/includes/ipban.php on line 17

    ########################### Vuln2

    File: db/db.php
    (http://localhost/nuke76/db/db.php)

    --------/db/db.php------------
    49:switch($dbtype) {
    50: case 'MySQL':
    51: include("".$the_include."/mysql.php");#
    52: break;
    (...)
    85: $db = new sql_db($dbhost, $dbuname, $dbpass, $dbname, false);
    86: if(!$db->db_connect_id) {#
    87: die("<br><br><center><img src=images/logo.gif><br><br><b>There seems to be a problem with the MySQL server, sorry for the inconvenience.<br><br>We should be back shortly.</center></b>");
    88: }
    -----------------------------

    Result:
    Fatal error: Cannot instantiate non-existent class: sql_db in
    /home/localhost/public_html/nuke76/db/db.php on line 86

    ########################### Vuln3
    File: /modules/Reviews/language/lang-norwegian.php
    (http://localhost/nuke76/modules.php?name=Reviews&newlang=norwegian)

    --------/modules/Reviews/language/lang-norwegian.php--------------
    52: define("_INVALIDTEXT","Feil i anmeldelsestekst... Feltet kan ikke
    være tomt\");
    53: define("_INVALIDHITS","Treff må være en positiv integer");
    -----------------------------------------------------------------

    Result:
    Parse error: parse error, unexpected T_STRING in
    /home/localhost/public_html/nuke76/modules/Reviews/language/lang-norwegian.php
    on line 53

    ########################## Vuln4
    File: /modules/Downloads/language/lang-greek.php
    (http://localhost/nuke76/modules.php?name=Downloads&newlang=greek)

    -------/modules/Downloads/language/lang-greek.php-----------
    176: A-# define("_FILESIZE","Μέγεθος αρχείου");
    177: A-# define("_VERSION","Έκδοση");
    178: K-# define("_UDOWNLOADS","Ανακτήσεις");
    179: A-# define("_HOMEPAGE","Κεντρική Σελίδα ");
    ------------------------------------------------------------

    Is this a comment?!
    Result:
    Parse error: parse error, unexpected ';' in
    /home/localhost/public_html/nuke76/modules/Downloads/language/lang-greek.php
    on line 181

    ######################### Vuln 5
    File: /modules/Downloads/language/lang-indonesian.php
    (http://localhost/nuke76/modules.php?name=Downloads&newlang=indonesian)

    ------/modules/Downloads/language/lang-indonesian.php----
    59: define("_DOWNLOADSNOTUSER8","<a
    href=\"modules.php?name=Your_Account&">Daftar di sini</a>");
    60: define("_DOWNLOADALREADYEXT","ERROR: Alamat URL sudah ada dalam database!");
    ---------------------------------------------------------

    Result:
    Parse error: parse error, unexpected T_STRING in
    /home/localhost/public_html/nuke76/modules/Downloads/language/lang-indonesian.php
    on line 59

    ---------------------------------------------------------------------------
    (more)

    Vulnerabilities found by guilherme <guilherme@project-restart.org>

    ########################### Vuln6

    File: /modules/Web_Links/language/lang-portuguese.php

    If the Web_Links module is called with the Portuguese language,
    it returns the path of the file on the server.

    (http://localhost/nuke76/modules.php?name=Web_Links&newlang=portuguese)

    Parse error: parse error, unexpected T_STRING in
    /home/localhost/public_html/nuke76/modules/Web_Links/language/lang-portuguese.php
    on line 171

    ---------/modules/Web_Links/language/lang-portuguese.php----------------

    169: define("_REMOTEFORM","Forma de Avaliação a Distância");
    170: define("_PROMOTE04","Se você nos enganar, nós removeremos seu
    link. Temos dito
         isto, aqui como uma forma de avaliação remota e
    171: define("_VOTE4THISSITE","Vote neste Site!");
    172: define("_LINKVOTE","Vote!");
    ----------------------------

    ########################### Vuln7

    File: /modules/Web_Links/language/lang-indonesian.php

    If the Web_Links module is called with the Indonesian language,
    it returns the path of the file on the server.

    (http://localhost/nuke76/modules.php?name=Web_Links&newlang=indonesian)

    Parse error: parse error, unexpected T_STRING in
    /home/localhost/public_html/nuke76/modules/Web_Links/language/lang-indonesian.php
    on line 170

    ---------/modules/Web_Links/language/lang-indonesian.php----------------

    169: define("_LOOKTOREQUEST","Kami akan memeriksa laporan anda.");
    170: define("_ONLYREGUSERSMODIFY","Hanya member yang bisa meminta modifikasi
          link. Silakan daftar atau login <a
    href=\"/modules.php?name=Your_Account&">di sini</a>.");
    171: define("_REQUESTLINKMOD","Permohonan Modifikasi Link Situs");
    ------------------------

    ########################### Vuln8

    File: /modules/Surveys/language/lang-indonesian.php

    If the Surveys module is called with the Indonesian language,
    it returns the path of the file on the server.

    (http://localhost/nuke76/modules.php?name=Surveys&newlang=indonesian)

    Parse error: parse error, unexpected T_STRING in
    /home/localhost/public_html/nuke76/modules/Surveys/language/lang-indonesian.php
    on line 40

    ---------/modules/Surveys/language/lang-indonesian.php----------------
    39: define("_NOSUBJECT","Tanpa Subjek");
    40: define("_NOANONCOMMENTS","Anda tidak dibolehkan mengirim komentar,
        silakan daftar <a href=\"modules.php?name=Your_Account&">di sini</a>");
    41: define("_PARENT","Setingkat ke atas");
    ------------------------------

    ########################### Vuln9

    File: /modules/Reviews/language/lang-portuguese.php

    If the Reviews module is called with the Portuguese language,
    it returns the path of the file on the server.

    (http://localhost/nuke76/modules.php?name=Reviews&newlang=portuguese)

    Parse error: parse error, unexpected T_STRING in
    /home/localhost/public_html/nuke76/modules/Reviews/language/lang-portuguese.php
    on line 89

    ---------/modules/Reviews/language/lang-portuguese.php----------------
    88: define("_YOURNICK","O seu nome:");
    89: define("_RCREATEACCOUNT","<a
    href="modules.php?name=Your_Account&op=new_user\"><b>Crie</b></a> uma
    conta");
    87: define("_YOURCOMMENT","O seu comentário:");
    -----------

    ########################### Vuln10

    File: /modules/Journal/language/lang-portuguese.php

    If the Journal module is called with the Portuguese language,
    it returns the path of the file on the server.

    (http://localhost/nuke76/modules.php?name=Journal&newlang=portuguese)

    Parse error: parse error, unexpected T_STRING in
    /home/localhost/public_html/nuke76/modules/Journal/language/lang-portuguese.php
    on line 31

    ---------/modules/Journal/language/lang-portuguese.php----------------
    29: define("_ADDJOURNAL","Adicionar uma entrada no diário");
    30: define("_ADDENTRY","Adicionar uma nova entrada);
    31: define("_YOURLAST20","As suas 20 entradas");
    -----------------------

    ---------------------------------------------------------------------------
    How to fix:
    http://www.project-restart.org

    ---------------------------------------------------------------------------

    TimeLine:
    25/04/2005 - php-nuke installed on our server (default 7.6 downloaded
    from phpnuke.org)
    26/04/2005 - Luis found the first vulns and began looking for more
    27/04/2005 - Guilherme found many vulns in the language files
    28/04/2005 - Luis went through all the language files and found more vulns
    29/04/2005 - report sent and vendor contacted

    Contact:
    ---------------------------------------------------------------------------

    Luis (22) - luis@project-restart.org
    Guilherme (GBR) - guilherme@project-restart.org
    Rodrigo (digão) - rodrigo@project-restart.org

    Homepage: http://www.project-restart.org/

    May God have mercy on our souls!

    (P.S. Sorry for our bad English, we are Brazilian boys, =D)
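
For administrators checking their own installation, the following added example (not part of the original advisory or of PHP-Nuke) scans HTTP response bodies for PHP error text that leaks an absolute server path, as in the "Result" outputs above. The function names are hypothetical and the sample bodies are constructed from the error text quoted in the advisory; only POSIX-style paths are handled.

```python
import posixpath
import re

# PHP's default error text is "<Level>: <message> in <file> on line <n>".
# With html_errors on, parts are wrapped in <b> tags, so tags are dropped first.
TAG = re.compile(r"<[^>]+>")
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice):\s+"
    r"(?P<message>.{1,300}?)\s+in\s+(?P<path>/\S+?\.php)"
    r"\s+on\s+line\s+(?P<line>\d+)"
)


def find_path_disclosures(body):
    """Return a dict for every PHP error in `body` that leaks an absolute path."""
    text = re.sub(r"\s+", " ", TAG.sub("", body))  # also rejoins wrapped lines
    return [
        {"level": m["level"], "message": m["message"],
         "path": m["path"], "line": int(m["line"])}
        for m in PHP_ERROR.finditer(text)
    ]


def leaked_root(findings):
    """Deepest directory shared by all leaked files, i.e. what an outsider learns."""
    dirs = [posixpath.dirname(f["path"]) for f in findings]
    return posixpath.commonpath(dirs) if dirs else None


# Constructed response bodies built from the error text quoted in the advisory.
SAMPLES = {
    "/includes/ipban.php": (
        "<br />\n<b>Fatal error</b>:  Call to a member function on a "
        "non-object in <b>/home/localhost/public_html/nuke76/includes/"
        "ipban.php</b> on line <b>17</b><br />"
    ),
    "/modules.php?name=Reviews&newlang=norwegian": (
        "Parse error: parse error, unexpected T_STRING in\n"
        "/home/localhost/public_html/nuke76/modules/Reviews/language/"
        "lang-norwegian.php\non line 53"
    ),
    "/index.php": "<html><body>Welcome, no errors in this page</body></html>",
}


def scan(samples):
    """Map each URL to its findings, keeping only URLs that disclose a path."""
    found = ((url, find_path_disclosures(body)) for url, body in samples.items())
    return {url: hits for url, hits in found if hits}
```

A hit means PHP is rendering errors to clients; setting `display_errors` off and `log_errors` on in php.ini stops the leak while the underlying scripts are being fixed.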

