[waraxe-2005-SA#040] - Full path disclosure and XSS in PhpNuke 6.x-7.6

[Janek Vind <come2waraxe () yahoo com>]

{================================================================================}
{                              [waraxe-2005-SA#040]   
                          }
{================================================================================}
{                                                     
                          }
{                [ Full path disclosure and XSS in
PhpNuke 6.x-7.6 ]             }
{                                                     
                          }
{================================================================================}
                                                      
                                                      
                  
Author: Janek Vind "waraxe"
Date: 14. February 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-40.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular opensource content management
system, written in php by
Francisco Burzi. This CMS is used on many thousands
websites, because it's 
freeware, easy to install and manage and has broad set
of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A1 - full path disclosure in "db/db.php":

http://localhost/nuke75/db/db.php

Fatal error: Cannot instantiate non-existent class:
sql_db in D:\apache_wwwroot\nuke75\db\db.php
on line 86


A2 - full path disclosure in "mainfile.php":

http://localhost/nuke75/index.php?inside_mod=1

Warning: main(../../config.php): failed to open
stream:
No such file or directory in
D:\apache_wwwroot\nuke75\mainfile.php
on line 103

Fatal error: main(): Failed opening required
'../../config.php' 
(include_path='.;c:\php4\pear') in
D:\apache_wwwroot\nuke75\mainfile.php
on line 10


A3 - full path disclosure in
"modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=menu

error: Call to undefined function: opentable() in
D:\apache_wwwroot\nuke75\modules\Downloads\index.php
on line 75



A4 - full path disclosure in
"modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=menu

Fatal error: Call to undefined function: opentable()
in
D:\apache_wwwroot\nuke75\modules\Web_Links\index.php
on line 65



B - Cross-Site Scripting aka XSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

B1 - xss in "/modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=NewDownloads
&newdownloadshowdays=[xss code here]


B2 - xss in "/modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=NewLinks
&newlinkshowdays=[xss code here]



How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


How to fix those bugs -
http://www.waraxe.us/forums.html


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Base64 encoder and decoder -
http://base64-encoder-online.waraxe.us/

SiteMapper - free php script for phpNuke powered
websites -
new version 0.2 available for download -
http://sitemapper.waraxe.us/


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to icenix, Raido Kerna, g0df4th3r and
slimjim100!
Tervitused - Heintz!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe () yahoo com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ]
------------------------------------



                
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - Easier than ever with enhanced search. Learn more.
http://info.mail.yahoo.com/mail_250
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html