RE: Multiple vulnerabilities PHP-Nuke

[Jeruvy <jeruvy () shaw ca>]

I fail to see the difference between restricting access to the module
and a patch.  Are you saying this vulnerability you disclosed is only
affected by valid users?  If so, wouldn't that lend itself to
verification, and if its not the user normally seen would you not DENY
them?  I sure would.

What exactly are you claiming is bad code?  

As for your other rhetorical remarks about php-nuke and the patch
situation, they are not new, and have been discussed in numerous forums
pertaining to NUKE found all over the world.  Certainly you can google
those results as well as I.  I would suggest you visit the official
support site for phpnuke for that patches.  Only one site officially but
many unofficially.  Some of these same problems were patched back in
August 2003.

As for the reviews module in CPG-Nuke in fact it does exist, its simply
not installed by default.  One of the mandates of CPG-Nuke was to reduce
to bloat of little used modules, and reviews was one of them.  But I
doubt the code gets processed in the same manner regardless of the
similarities of the module and I think most would agree this module
needs a rewrite.  You must review the changes to the abstraction layer
before you assume the module has holes, based on a distribution that is
KNOWN to be not patched up to date, nor using the same ABL.  Why, I
don't know either.

PhpBB integration does in fact care about magic quotes, but it's only
used inside the context of the module forum, not any other context that
I'm aware of.  I'm in the process of testing the vulnerabilities in the
session handling, and there are some bugs for certain.  I will eagerly
await any further disclosures.

But since so many of these vulnerabilities rely upon exposure and
exploits to gain exposure, the fixes are eliminated the ones noticed so
far, and the new vulnerabilities are not using any new methods to gain
access.  So these exploits below are simply old, not new.

Thanks,

J.
j e r u v y a t s h a w d o t c a 


> -----Original Message-----
> From: Squid [mailto:squidsecurity () hushmail com]
> Sent: Wednesday, June 09, 2004 12:21 AM
> To: bugtraq () securityfocus com
> Subject: Re: Multiple vulnerabilities PHP-Nuke
>
>
> In-Reply-To: <000001c44d6d$e6897a80$2002a8c0@alucxp1>
>
> Since you said patches have been available for "many, many
> months", please provide links to them.  It appears you merely 
> restricted access to this module on your site not that these 
> were necessarily fixed.  A check of the patched code though 
> will show for sure whether the problems were previously addressed. 
>
>
>
> Even so, there has been at least two upgrades for PHPNuke in
> the past couple months.  If security patches are issued by 
> third-parties but not incorporated into the main 
> distribution, this leaves brand new users, hosts which offer 
> auto-install versions, and those who upgrade susceptible to 
> unfixed known vulnerabilities.  It also passes on the same 
> ones to forked projects. 
>
>
>
> I agree CPG-Nuke is not affected.  They do not have a Reviews
> module at least not in the default distribution.  betaNC 
> Bundle and OSC2Nuke though have the same vulnerabilities 
> reported here.  Other forks may have it too.
>
>
>
> Ref Dark's para 2A: I couldn't reproduce this on Linux.  The
> warning for date() resulting in full path disclosure may be 
> Windows unique.
>
>
>
> Ref Dark's para 2B: This occurs only when magic_quotes_gpc is
> set to off.  PhpNuke is not written to handle it being either 
> on and off.  It must be on.  I'll bet there are other 
> vulnerabilities present in the script when it's off.
>
>
>
> Squid
>
>
>
> -----
>
>
>
> > This does not apply to any site that has applied the security fixes
>
> > available for many, many months.  This is only affecting phpnuke.org
>
> > distro's, not any 'modified' or 'secured' distro, like betaNC,
> > CPG-NUKE,
>
> > and others...
>
> >
>
> > No additional patches dealing with these specifics below applied to
>
> > php-nuke 7.0 only the security patches.
>
> >
>
> > A. Generates a proper ACCESS DENIED page, no PATH DISCLOSURE. =20
>
> > -------------------------------------------------------------
>
> > RESULT:
>
> >
>
> > "You are trying to access a restricted area.
>
> >
>
> > We are Sorry, but this section of our site is for Registered Users
> > Only.
>
> > You can register for free by clicking here, then you can
>
> > access this section without restrictions. Thanks."
>
> >
>
> > B. No CSS exploit.  Same result as above.  Below example was
> sanitized
>
> > prior to GET:
>
> > -------------------------------------------------------------
> ----------
> > -
>
> > ------------
>
> > RESULT:
>
> >
>
> > modules.php?name=3DReviews&rop=3Dpostcomment&id=3D'%3Ch1%3EDa
> rkBicho%3C
> > /h=
>
> > 1&tit
>
> > le=3Da
>
> > modules.php?name=3DReviews&rop=3Dpostcomment&id=3D'&title=3D%
> 3Ch1%3EDar
> > kB=
>
> > icho%3C
>
> > /h1%3E
>
> >
>
> >
>
> > So as long as you've addressed the age-old bugs that still
> haven't been
>
> > fixed in the basic PHP-Nuke distro's then you may be vulnerable.
>
> > However these methods have long been squashed in patches
> available, and
>
> > do not affect newer, secure distro's such as betaNC or CPG-Nuke.
>
> >
>
> > Again, I added no new patches to test these potentials in the last 30
>
> > days.  And they simply are not a factor.
>
> >
>
> > Sincerely,
>
> >
>
> > J.
>
> > j e r u v y a t s h a w d o t c a=20