Author: Janek Vind "waraxe"
Date: 14. February 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-40.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is a popular opensource content management system, written in php by
Francisco Burzi. This CMS is used on many thousands websites, because it's
freeware, easy to install and manage and has broad set of features.
Homepage: http://phpnuke.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A1 - full path disclosure in "db/db.php":
http://localhost/nuke75/db/db.php
Fatal error: Cannot instantiate non-existent class:
sql_db in D:apache_wwwroot
uke75dbdb.php
on line 86
A2 - full path disclosure in "mainfile.php":
http://localhost/nuke75/index.php?inside_mod=1
Warning: main(../../config.php): failed to open stream:
No such file or directory in D:apache_wwwroot
uke75mainfile.php
on line 103
Fatal error: main(): Failed opening required '../../config.php'
(include_path='.;c:php4pear') in D:apache_wwwroot
uke75mainfile.php
on line 10
A3 - full path disclosure in "modules/Downloads/index.php":
http://localhost/nuke75/modules.php?name=Downloads&d_op=menu
error: Call to undefined function: opentable() in
D:apache_wwwroot
uke75modulesDownloadsindex.php on line 75
A4 - full path disclosure in "modules/Web_Links/index.php":
http://localhost/nuke75/modules.php?name=Web_Links&l_op=menu
Fatal error: Call to undefined function: opentable() in
D:apache_wwwroot
uke75modulesWeb_Linksindex.php on line 65
B - Cross-Site Scripting aka XSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
B1 - xss in "/modules/Downloads/index.php":
http://localhost/nuke75/modules.php?name=Downloads&d_op=NewDownloads
&newdownloadshowdays=[xss code here]
B2 - xss in "/modules/Web_Links/index.php":
http://localhost/nuke75/modules.php?name=Web_Links&l_op=NewLinks
&newlinkshowdays=[xss code here]
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How to fix those bugs - http://www.waraxe.us/forums.html
Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Base64 encoder and decoder - http://base64-encoder-online.waraxe.us/
SiteMapper - free php script for phpNuke powered websites -
new version 0.2 available for download - http://sitemapper.waraxe.us/
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to icenix, Raido Kerna, g0df4th3r and slimjim100!
Tervitused - Heintz!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------
Copyright © by Waraxe IT Security Portal All Right Reserved.
Published on: 2005-02-15 (37908 reads)
[ Go Back ]