SecurityTracker.com

Category:   Application (Web Server/CGI)  >   PHP-Nuke
Vendors:   Phpnuke.org
PHP-Nuke 'modules.php', 'submit.php', and 'user.php' Input Validation Flaws Allow Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1002989
SecurityTracker URL:  http://securitytracker.com/id/1002989
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Dec 18 2001
Original Entry Date:  Dec 16 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  

Description:   A cross-site scripting vulnerability was reported in PHP-Nuke. A remote user can create code that, when executed in another user's browser, will appear to originate from the site running the PHP-Nuke software and may be able to access the other user's cookies from that site.

The vulnerability is reportedly due to the lack of validation of user-supplied input in modules.php, combined with the information that PHP error reporting includes in its output.

For example, the following type of URL will execute arbitrary JavaScript:

http://[host]/modules.php?op=modload&name=XForum&file=[javascript]&fid=2

In a related matter, another user [frog-man; <leseulfrog@hotmail.com>] reported flaws in some add-on functions (Downloads, Members_List) for modules.php, as well as a cross-site scripting flaw in 'submit.php' and 'user.php':

http://[host]/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=02&ttitle=[JAVASCRIPT]

http://[host]/modules.php?name=Downloads&d_op=ratedownload&lid=118&ttitle=[JAVASCRIPT]

http://[host]/modules.php?op=modload&name=Members_List&file=index&letter=[JAVASCRIPT]

http://[host]/submit.php?subject=[JAVASCRIPT]&story=[JAVASCRIPT]&storyext=[JAVASCRIPT]&op=Preview

http://[host]/user.php?op=userinfo&uname=[JAVASCRIPT]

Impact:   A remote user can create a web page or HTML-based e-mail message containing JavaScript that, when executed, will appear to originate from the web site running PHP-Nuke. This code will run in the victim's browser in the security zone associated with the site running PHP-Nuke and may be able to access cookies and other sensitive information in that zone.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpnuke.org/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Sat, 15 Dec 2001 23:50:57 -0500
Subject:  Phpnuke module.php vulnerability and PHP error_reporting issue


Phpnuke module.php vulnerability and PHP error_reporting issue
Posted on Sunday, December 16 @ 02:05:22 CET by acz
[ Phpnuke module.php vulnerability and PHP error_reporting issue ]
on 16 december by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com

As you know, there are many cross-site scripting issues in Phpnuke modules and other web applications using PHP.

There is a cross-site scripting issue because:
[1] there is a lack of checks on user input in module.php
[2] PHP does not deal well with error reporting

I found my website vulnerable to another cross-site scripting vulnerability. I thought the problem was in XForum (forum module for phpnuke). It was, but it was also in the way that PHP reports errors and deals with error messages.

---Vulnerable line in module.php---
include("modules/$name/$file.php");
---Vulnerable line in module.php---

Exploit:
http://host.com/modules.php?op=modload&name=XForum&file=[hostile javascript]&fid=2

Hostile javascript could be: {script}alert(document.cookie);{/script}, which displays your cookie. Replace {} with <>.

This crafted URL causes the module.php script to produce a PHP error report like this:

---php error report---
Warning: Failed opening 'modules/XForum/.php' for inclusion
(include_path='') in /home/foo/htdocs/modules.php on line 27
---php error report---

When your browser displays the error report, it parses the hostile javascript too...
I found an easy and fast way to fix this problem and other cross-site scripting issues regarding module.php and other web applications using PHP: just turn off PHP error reporting and wait for a fix from the PHP devel team :)
The error_reporting function should check for bad inputs.


Temp fix for phpnuke module.php:

---start of module.php---
error_reporting(0); // Add this line: just turn off error_reporting

// original file

switch($op) {

    case "modload":
        if (!isset($mainfile)) { include("mainfile.php"); }
        // Reject ".." in either parameter (directory traversal check)
        if (ereg("\.\.",$name) || ereg("\.\.",$file)) {
            echo "You are so cool";
            break;
        } else {
            // $name and $file are taken straight from the request
            include("modules/$name/$file.php");
        }
        break;

    default:
        die ("Sorry, you can't access this file directly...");
        break;

}

---end of module.php---



regards,

---
Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
http://www.iSecureLabs.com | French Security Portal
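
The loader from the message above with both reported causes addressed at the source, as an added example (not PHP-Nuke's code and not the reporter's fix): `name` and `file` are checked against an allow-list and the path is resolved before `include`, so no warning repeating request data is ever produced, and anything echoed back is HTML-encoded. `resolve_module()`, `MODULE_ROOT` and the 64-character limit are assumptions made for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not PHP-Nuke code. resolve_module() and MODULE_ROOT are
// hypothetical names; the modules/<name>/<file>.php layout is from the page.

// Keep warnings out of the HTTP response; send them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const MODULE_ROOT = __DIR__ . '/modules';

/**
 * Return the real path of modules/$name/$file.php, or null when either part
 * is not a plain identifier or the file does not exist under MODULE_ROOT.
 */
function resolve_module(string $name, string $file): ?string
{
    // Allow-list: letters, digits, underscore, hyphen (assumed 64-char limit).
    // This rejects "<", ">", "/", "." and NUL bytes in one check.
    foreach ([$name, $file] as $part) {
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $part)) {
            return null;
        }
    }
    $root = realpath(MODULE_ROOT);
    $path = realpath(MODULE_ROOT . "/$name/$file.php");
    // realpath() returns false for a missing file, so include is never asked
    // to open a path that would fail and be reported back to the browser.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Only accept scalar string parameters (arrays such as name[]=x are dropped).
$name = isset($_GET['name']) && is_string($_GET['name']) ? $_GET['name'] : '';
$file = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : 'index';

$path = resolve_module($name, $file);
if ($path === null) {
    http_response_code(404);
    // Request data is HTML-encoded before it is written into the page.
    echo 'Unknown module: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    exit;
}
include $path;
```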


 
 



Copyright 2013, SecurityGlobal.net LLC