FlatNuke Referer Input Validation Hole Lets Remote Users Execute Arbitrary Commands

SecurityTracker Alert ID: 1014114
SecurityTracker URL: http://securitytracker.com/id?1014114
CVE Reference: CAN-2005-1892, CAN-2005-1893, CAN-2005-1894, CAN-2005-1895, CAN-2005-1896
Updated: Jun 9 2005
Original Entry Date: Jun 6 2005
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.5.3; possibly earlier versions
Description: SecWatch reported several vulnerabilities in FlatNuke. A remote user can execute arbitrary commands on the target system. A remote user can determine the installation path and conduct cross-site scripting attacks.

A remote user can directly access the '/flatnuke/foot_news.php' script to cause the application to enter an infinite loop, consuming all available CPU resources.

A remote user can submit a request with a specially crafted HTTP Referer field that contains PHP code, then invoke 'flatnuke/misc/flatstat/referer.php' to cause the PHP code to be executed on the target system. The code, including operating system commands, will run with the privileges of the target web service. Some demonstration exploit code is available at:
http://secwatch.org/exploits/2005/06/flatnuke_shell.php.info

The '/forum/help.php' and '/forum/footer.php' scripts do not properly validate user-supplied input in the 'border' and 'back' parameters. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the FlatNuke software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Some demonstration exploit URLs are provided:
http://[target]/forum/help.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/help.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

A remote user can request the 'thumb.php' script with a specially crafted 'image' parameter value to view arbitrary images on the target system. A remote user can also determine the installation path via this script. Some demonstration exploit URLs are provided:
http://[target]/flatnuke/thumb.php?image=../../non-webreadable/private/image.jpg
http://[target]/flatnuke/thumb.php?image=http://[attacker]/image.jpg
http://[target]/flatnuke/thumb.php?image=null
http://[target]/flatnuke/index.php?mod=none_Search&find=1&where=null
http://[target]/flatnuke/print.php
http://[target]/flatnuke/thumb.php?image=null

The vendor was notified on June 4, 2005.

The vulnerability was discovered by an anonymous person and disclosed by SecWatch.
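As an added defender-side example that is not part of the SecurityTracker entry or the SecWatch advisory: a Python scanner over Apache/nginx combined-format access-log lines that flags the request patterns this entry describes (a PHP open tag in the Referer header, traversal or remote URLs in the thumb.php 'image' parameter, script markup in the forum 'border'/'back' parameters, and direct requests for foot_news.php). The log lines, addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format; only the request line and the Referer field are used.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (addresses and timestamps invented), one per issue plus one clean request.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2005:19:16:06 +0100] "GET /flatnuke/misc/flatstat/referer.php HTTP/1.1" 200 512 "http://example.invalid/?x=<?php echo 1; ?>" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Jun/2005:19:16:07 +0100] "GET /flatnuke/thumb.php?image=../../non-webreadable/private/image.jpg HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Jun/2005:19:16:08 +0100] "GET /flatnuke/thumb.php?image=http://example.invalid/image.jpg HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Jun/2005:19:16:09 +0100] "GET /forum/help.php?border=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Jun/2005:19:16:10 +0100] "GET /flatnuke/foot_news.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jun/2005:19:16:11 +0100] "GET /flatnuke/index.php?mod=news HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def classify_request(line):
    """Return the indicator labels for one access-log line (empty list when clean)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    findings = []
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    params = parse_qs(url.query, keep_blank_values=True)  # values come back URL-decoded
    # 1) PHP open tag in the Referer: flatstat stores referers inside a .php file
    if re.search(r"<\?(php|=)", unquote(m.group("referer")), re.IGNORECASE):
        findings.append("referer-php-injection")
    # 2) thumb.php 'image' parameter: directory traversal or a remote URL
    if path.endswith("/thumb.php") and any(
        ".." in v or re.match(r"[a-z]+://", v, re.IGNORECASE) for v in params.get("image", [])
    ):
        findings.append("thumb-image-traversal")
    # 3) forum help/footer 'border' and 'back' parameters: script markup
    if path.endswith(("/forum/help.php", "/forum/footer.php")) and any(
        re.search(r"<\s*script|javascript:", v, re.IGNORECASE)
        for key in ("border", "back") for v in params.get(key, [])
    ):
        findings.append("forum-xss")
    # 4) foot_news.php requested directly (the advisory's CPU-exhaustion loop)
    if path.endswith("/foot_news.php"):
        findings.append("foot_news-direct-access")
    return findings

def scan_log(lines):
    """Map 1-based line numbers to their findings, omitting clean lines."""
    return {n: f for n, f in ((n, classify_request(l)) for n, l in enumerate(lines, 1)) if f}
```

A hit on the first pattern is worth checking against the contents of the flatstat referer log itself, since the advisory's code-execution path depends on that file being served as PHP.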
Impact: A remote user can execute arbitrary commands on the target system with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the FlatNuke software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.
Solution: The vendor has issued a fixed version (2.5.4), described at:
http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256
Vendor URL: flatnuke.sourceforge.net/
Cause: Access control error, Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: info@secwatch.co.uk
Message History:
None.
Source Message Contents
Date: Mon, 6 Jun 2005 19:16:06 +0100 (BST)
From: info@secwatch.co.uk
Subject: FlatNuke Remote Denial of Service, Arbitrary PHP Code Execution,
======================================================================
SecWatch 06/06/2005
FlatNuke Remote Denial of Service, Arbitrary PHP Code Execution,
Cross-Site Scripting and Path Disclosure Vulnerabilities
======================================================================
Table of Contents
Product Introduction.................................................1
Affected ............................................................2
Severity.............................................................3
Description of Vulnerability.........................................4
Proof of Concept.....................................................5
Solution.............................................................6
Time Line............................................................7
Credits..............................................................8
======================================================================
1) Introduction
Homepage: http://flatnuke.sourceforge.net/
Overview: FlatNuke is a CMS (Content Management System), utilising flat
files for information storage.
Advisory: http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt
SWID: 1010779
References:
http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256
======================================================================
2) Affected
FlatNuke version 2.5.3.
Prior versions may also be affected.
======================================================================
3) Severity
Rating: Moderately - Highly critical
Impact: Denial of Service
System access
Cross Site Scripting
Exposure of system information
Manipulation of data
Where: From remote
Action: Public disclosure
======================================================================
4) Description of Vulnerabilities
Multiple vulnerabilities in FlatNuke have been reported, which can be
exploited by remote users to trigger denial of service conditions, execute
arbitrary PHP code, conduct Cross-Site Scripting attacks and disclose
arbitrary images and system information.
If the "/flatnuke/foot_news.php" script is accessed directly a while()
call is made that enters an infinite loop, leading to full CPU
utilisation.
HTTP referer information is stored in "/misc/flatstat/referer.php", a
remote user can submit a specially crafted HTTP request with a
non-URLencoded, spoofed referer such as "http://[attacker]/?cmd=<?php
system("cat /etc/passwd")?>", then can directly access
"http://[target]/flatnuke/misc/flatstat/referer.php" where the PHP code
will be executed. The PHP code, including operating system commands, will
run with the privileges of the target web service.
User-supplied input passed to the "border" and "back" parameters in the
"/forum/help.php" and "/forum/footer.php" scripts is not correctly
sanitised. This can be exploited to execute arbitrary script code in the
security context of an affected website, as a result the code will be able
to access any of the target user's cookies, access data recently submitted
by the target user via web form to the site, or take actions on the site
acting as the target user.
Note: Successful exploitation requires that "register_globals" is enabled.
User-supplied input passed to the "image" parameter in the "thumb.php"
script is not correctly validated. This can be exploited to disclose
arbitrary images from external and local resources via directory traversal
attacks, or to disclose the installation path.
It is also possible to disclose the system path by accessing certain
scripts directly or specially formed parameters.
======================================================================
5) Proof of Concept
Denial of Service:
http://[target]/flatnuke/foot_news.php
Arbitrary Command Execution PoC:
Demonstration exploit code has been released, available:
http://secwatch.org/exploits/2005/06/flatnuke_shell.php.info
Cross-Site Scripting:
http://[target]/forum/help.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/help.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Information Disclosure:
http://[target]/flatnuke/index.php?mod=none_Search&find=1&where=null
http://[target]/flatnuke/print.php
http://[target]/flatnuke/thumb.php?image=null
Arbitrary Image Disclosure:
http://[target]/flatnuke/thumb.php?image=../../non-webreadable/private/image.jpg
http://[target]/flatnuke/thumb.php?image=http://[attacker]/image.jpg
http://[target]/flatnuke/thumb.php?image=null
======================================================================
6) Solution
The vulnerabilities have been resolved in FlatNuke version 2.5.4, available:
http://sourceforge.net/project/showfiles.php?group_id=93076&package_id=98622
Production systems should not display errors to clients.
======================================================================
7) Time Line
03/06/2005 - Information reported to SecWatch.
04/06/2005 - Information validated by SecWatch.
Vendor notified.
05/06/2005 - Vendor responded promptly, new version (2.5.4) released
resolving issues.
A safer referer logging method was suggested.
06/06/2005 - Public disclosure.
======================================================================
8) Credits
Discovered by an anonymous person, reported via SecWatch.
NOTE: Please reply to this email if you would like to be removed from this
distribution list with a subject of 'remove'.