Bugtraq mailing list archives

Re: Phpnuke module.php vulnerability and php error_reporting issue


From: Mike Eheler <meheler () searchbc com>
Date: Mon, 17 Dec 2001 12:59:04 -0800

This has been a known vulnerability for quite some time now. I'd also like to propose an alternative solution to the module.php problem.

Please scrutinize this code, in case there are more security problems with it.

Mike

<?php
// modules.php
switch ($op) {
  case 'modload':
    // why this guy didn't just use include_once throughout the site
    // is beyond me.
    if (!isset($mainfile)) { include('mainfile.php'); }
    $tmp = pathinfo(realpath('./modules/index.html'));
    $tmp2 = pathinfo(realpath("modules/$name/$file.php"));
    $cmp1 = substr($tmp2['dirname'],0,strlen($tmp['dirname']));
    $cmp2 = $tmp['dirname'];
    if (strlen($tmp2['dirname']) > 0) {
      if (file_exists($tmp2['dirname'])) {
        if ($cmp1 == $cmp2) {
          include("modules/$name/$file.php");
        } else {
          // If you care to, log the action, and give the user a
          // threatening message.
          die('Naughty! Your IP address has been logged and emailed to the site admin!');
        }
      } else {
        die('File does not exist.');
      }
    } else {
      die('File does not exist.');
    }
    break;

  default:
    die("Sorry, you can't access this file directly...");
    break;
}
?>

Cabezon Aurélien wrote:

[ Phpnuke module.php vulnerability and PHP error_reporting issue ]
on 16 December by Cabezon Aurélien | aurelien.cabezon () iSecureLabs com

As you know, there are many cross site scripting issues in Phpnuke modules
and other web applications using PHP.

There is a cross site scripting issue because:
[1] there is a lack of checks on user input in module.php
[2] PHP does not deal well with error reporting

I found my website vulnerable to another cross site scripting
vulnerability; I thought the problem was in XForum (forum
module for phpnuke).
It was, but it was also in the way that PHP reports errors and deals with
error messages.

---Vulnerable line in module.php---
include("modules/$name/$file.php");
---Vulnerable line in module.php---

Exploit :
http://host.com/modules.php?op=modload&name=XForum&file=[hostile javascript]&fid=2

Hostile javascript could be: {script}alert(document.cookie);{/script}, which
displays your cookie.
Replace {} by <>.

This crafted URL causes the module.php script to produce a PHP error report
like this:

---php error report---
Warning: Failed opening 'modules/XForum/.php' for inclusion
(include_path='') in /home/foo/htdocs/modules.php on line 27
---php error report---

When your browser displays the error report, it parses the hostile
javascript too...
I found an easy and fast way to fix this problem and other cross site
scripting issues regarding module.php and other web applications using PHP:
just turn off PHP error reporting and wait for a fix from the PHP devel team :)
The error_reporting function should check for bad inputs.


Temp fix for phpnuke module.php:

---start of module.php---
error_reporting(0); //Add this line, Just turn off error_reporting

//original file

switch($op) {

    case "modload":
        if (!isset($mainfile)) { include("mainfile.php"); }
        if (ereg("\.\.",$name) || ereg("\.\.",$file)) {
            echo "You are so cool";
            break;
        } else {
            include("modules/$name/$file.php");
        }
        break;

    default:
        die ("Sorry, you can't access this file directly...");
        break;

}

---end of module.php---



regards,

---
Cabezon Aurélien | aurelien.cabezon () iSecureLabs com
http://www.iSecureLabs.com | French Security Portal
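As an added example (not code from either post or from PHPNuke), here is a `modload` handler that combines both proposals in the thread: Mike's realpath containment check and Aurélien's point that PHP warnings must never be echoed to the browser. It assumes the PHPNuke layout `modules/<name>/<file>.php`, reads its parameters from `$_GET` rather than register_globals, and adds an allow-list on the identifiers so hostile input never reaches the filesystem or an error message at all.

```php
<?php
// Added example, not the post's or PHPNuke's code. Assumes the PHPNuke
// layout modules/<name>/<file>.php and reads parameters from $_GET.
ini_set('display_errors', '0');   // warnings go to the log, never to the browser
ini_set('log_errors', '1');

// Return the real path of modules/<name>/<file>.php, or null if the request
// is not a plain identifier or resolves outside the modules directory.
function resolve_module_file(string $modulesDir, string $name, string $file): ?string
{
    // Allow-list check first: identifiers only, so "..", "/", "%00" and
    // "<script>" never reach the filesystem or the error message.
    $ident = '/^[A-Za-z0-9_-]{1,64}$/';
    if (!preg_match($ident, $name) || !preg_match($ident, $file)) {
        return null;
    }
    $base = realpath($modulesDir);
    $path = realpath("$modulesDir/$name/$file.php");
    if ($base === false || $path === false) {
        return null;   // missing file: no include() warning is ever raised
    }
    // Containment check with a trailing separator, so a sibling directory
    // such as modules2/ does not pass as a string prefix of modules/.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$op   = $_GET['op']   ?? '';
$name = $_GET['name'] ?? '';
$file = $_GET['file'] ?? '';

if ($op !== 'modload') {
    die("Sorry, you can't access this file directly...");
}
$target = resolve_module_file(__DIR__ . '/modules', $name, $file);
if ($target === null) {
    // URL-encode the rejected values so they cannot inject log lines either.
    error_log('modules.php: rejected ' . rawurlencode("$name/$file")
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(404);
    // Anything reflected from the request is HTML-escaped before output.
    die('Module ' . htmlspecialchars("$name/$file", ENT_QUOTES, 'UTF-8') . ' not found.');
}
require_once __DIR__ . '/mainfile.php';
include $target;
```

With `display_errors` off and the identifier allow-list in front of `realpath`, the `file=` payload from the original report is rejected before any include is attempted, and the 404 page that replaces the PHP warning only ever contains escaped text.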




