IT Security and Insecurity Portal

SA#033 - Multiple security holes in PhpNuke - part 1

Posted: Wed Jun 23, 2004 12:09 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

OK, let's start from full path disclosure bugs.
Open the file "/modules/Web_Links/voteinclude.php" and in the beginning you will find
Code:
$module_name = basename(dirname(__FILE__));
require("modules/$module_name/l_config.php");
require_once("mainfile.php");

Add additional code, so it will be as
Code:
$module_name = basename(dirname(__FILE__));
if (eregi($module_name, $_SERVER['PHP_SELF']))
{
die ("Script halted!");
}
require("modules/$module_name/l_config.php");
require_once("mainfile.php");

Next, open file "/modules/Statistics/index.php" and locate this code fragment @ end of file:
Code:
case "DailyStats":
DailyStats($year,$month,$date);
break;
case "convert_month":
convert_month($month);
break;
}

And just delete the legacy function, so the final code will be
Code:
case "DailyStats":
DailyStats($year,$month,$date);
break;
}

Next open file "modules/Journal/add.php" and find this (~line 98):
Code:
$tempcount = 0;
$direktori = "modules/$module_name/images/moods";
$handle=opendir($direktori);
while ($file = readdir($handle)) {
$filelist[] = $file;
}
asort($filelist);

And add array initialization code:
Code:
$tempcount = 0;
$filelist = array();
$direktori = "modules/$module_name/images/moods";
$handle=opendir($direktori);
while ($file = readdir($handle)) {
$filelist[] = $file;
}
asort($filelist);

Now open the file "modules/Journal/modify.php" and find this (~line 92):
Code:
$tempcount = 0;
$direktori = "modules/$module_name/images/moods";
$handle=opendir($direktori);
while ($file = readdir($handle)) {
$filelist[] = $file;
}
asort($filelist);

And add code, as in the previous case:
Code:
$tempcount = 0;
$filelist = array();
$direktori = "modules/$module_name/images/moods";
$handle=opendir($direktori);
while ($file = readdir($handle)) {
$filelist[] = $file;
}
asort($filelist);

Now it's time to move on to the XSS bugs wipeout.
Open file "/modules/Journal/friend.php" and find this (~line 37):
Code:
startjournal($sitename,$user);
$jid = intval($jid);
$sql = "select title from ".$prefix."_journal where jid='$jid'";
$result = $db->sql_query($sql);

And let's initialize some variables properly, so the code will be as:
Code:
startjournal($sitename,$user);
$jid = intval($jid);
$yn=$yun=$ye='';
$sql = "select title from ".$prefix."_journal where jid='$jid'";
$result = $db->sql_query($sql);

Next open file "modules/Journal/delete.php" and find this @ beginning:
Code:
require_once("mainfile.php");
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
$pagetitle = "- "._USERSJOURNAL."";

And add sanitize code, so the result will be as:
Code:
require_once("mainfile.php");
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
$jid = intval($jid);
$pagetitle = "- "._USERSJOURNAL."";

Next open file "modules/Journal/comment.php" and find this (~line 56):
Code:
if ($debug == "true") :
echo ("UserName:$username<br>SiteName: $sitename");
endif;
startjournal($sitename,$user);

And add sanitize code, so the final result will be as:
Code:
if ($debug == "true") :
echo ("UserName:$username<br>SiteName: $sitename");
endif;
$onwhat = intval($onwhat);
startjournal($sitename,$user);

Next, open file "modules/Journal/commentsave.php" and find this (~line 57):
Code:
startjournal($sitename,$user);
$sql="INSERT INTO ".$prefix."_journal_comments VALUES ('','$rid','$username','$comment','$ndate','$mtime')";
$db->sql_query($sql);
update_points(2);
echo ("<br>");

Add sanitize code, so the result will be as:
Code:
startjournal($sitename,$user);
$rid = intval($rid);
$sql="INSERT INTO ".$prefix."_journal_comments VALUES ('','$rid','$username','$comment','$ndate','$mtime')";
$db->sql_query($sql);
update_points(2);
echo ("<br>");

OK, we have the XSS bugs patched for now.
Let's move on. Now we're gonna fix that huge sql injection hole and additionally one potential xss hole.
So - open file "modules/Journal/search.php" and find this (~line 43):
Code:
cookiedecode($user);
$username = $cookie[1];
if (!isset($bywhat)):
$bywhat = "naddaanythang";
else :
$bywhat = stripslashes($bywhat);
endif;
if (!isset($forwhat)):
$forwhat = "naddaanythang";
else :
$forwhat = stripslashes($forwhat);
endif;
startjournal($sitename,$user);

Now, let's modify the code, so the result will be as:
Code:
cookiedecode($user);
$username = $cookie[1];
if (($bywhat != 'aid') && ($bywhat != 'title') && ($bywhat != 'bodytext') && ($bywhat != 'comment'))
{
$bywhat = 'naddaanythang';
}
if (!isset($forwhat))
{
$forwhat = 'naddaanythang';
}
startjournal($sitename,$user);

Next find this code in the same file (~line 80):
Code:
function search($username,$bywhat,$forwhat,$sitename,$bgcolor2,$bgcolor3,$user) {
global $prefix, $user_prefix, $db, $module_name, $exact;
echo "<br>";
OpenTable();
echo ("<div align=center>");
if ($exact == '1') {
echo ("<strong>"._JOURNALFOR.": \"$forwhat\"</strong><br><br>");
} else {
echo ("<strong>"._SEARCHRESULTS.": \"$forwhat\"</strong><br><br>");
}

And add sanitize code, so the result will be as:
Code:
function search($username,$bywhat,$forwhat,$sitename,$bgcolor2,$bgcolor3,$user) {
global $prefix, $user_prefix, $db, $module_name, $exact;
$forwhat2 = htmlentities(stripslashes($forwhat));
echo "<br>";
OpenTable();
echo ("<div align=center>");
if ($exact == '1') {
echo ("<strong>"._JOURNALFOR.": \"$forwhat2\"</strong><br><br>");
} else {
echo ("<strong>"._SEARCHRESULTS.": \"$forwhat2\"</strong><br><br>");
}

Next, find this piece of code in the same file (~line 152):
Code:
if ($row[aid] == $username) :
printf ("<td align=center bgcolor=$bgcolor2><a href=\"modules.php?name=$module_name&file=modify&jid=%s\"><img src='modules/$module_name/images/edit.gif' border='0' alt=\""._EDIT."\" title=\""._EDIT."\"></a></td>", $row[jid], $row[title]);
printf ("<td align=center bgcolor=$bgcolor2><a href=\"modules.php?name=$module_name&file=delete&jid=%s&forwhat=$forwhat\"><img src='modules/$module_name/images/trash.gif' border='0' alt=\""._DELETE."\" title=\""._DELETE."\"></a></td>", $row[jid], $row[title]);
else :

Modify "$forwhat" to "$forwhat2", so the result will be as:
Code:
if ($row[aid] == $username) :
printf ("<td align=center bgcolor=$bgcolor2><a href=\"modules.php?name=$module_name&file=modify&jid=%s\"><img src='modules/$module_name/images/edit.gif' border='0' alt=\""._EDIT."\" title=\""._EDIT."\"></a></td>", $row[jid], $row[title]);
printf ("<td align=center bgcolor=$bgcolor2><a href=\"modules.php?name=$module_name&file=delete&jid=%s&forwhat=$forwhat2\"><img src='modules/$module_name/images/trash.gif' border='0' alt=\""._DELETE."\" title=\""._DELETE."\"></a></td>", $row[jid], $row[title]);
else :

Finally, find this code fragment in the same file (~line 168):
Code:
echo ("</table>");
if ($dcount == "") { $dcount = 0; }
echo ("<br><div align=center>$dcount "._PUBLICFOR." \"$forwhat\"</div>");
endif;
echo ("</div>");
CloseTable();

And change "$forwhat" to "$forwhat2", so it will be as:
Code:
echo ("</table>");
if ($dcount == "") { $dcount = 0; }
echo ("<br><div align=center>$dcount "._PUBLICFOR." \"$forwhat2\"</div>");
endif;
echo ("</div>");
CloseTable();

Now we have patched those nasty security holes in the search subsystem.
It's time to move on - let's fix authorization flaws.
To be continued...

Last edited by waraxe on Sat Apr 16, 2005 2:49 pm; edited 4 times in total
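The post above applies four recurring fix patterns to the Journal module: a direct-access guard, a whitelist on the column name that reaches the SQL text, intval() on numeric ids, and HTML encoding of user text before it is echoed. The script below is an added example, not code from waraxe's post or from PhpNuke itself; every function name and the sample inputs are constructed for this illustration. It uses stripos() in place of eregi(), which no longer exists in current PHP, and addslashes() stands in for the database escape routine a real deployment would use.

```php
<?php
// Added example: the sanitization patterns from the Journal module fixes, as
// small stand-alone functions with constructed inputs. Names are hypothetical.

// 1. Direct-access guard (the voteinclude.php fix). The original used eregi();
//    stripos() gives the same case-insensitive substring test on PHP 7/8.
function is_direct_request($php_self, $module_name)
{
    return stripos($php_self, $module_name) !== false;
}

// 2. Whitelist the column name used in the search query (the search.php $bywhat
//    fix). Anything outside the list collapses to the same placeholder the
//    original patch uses, so hostile input never reaches the SQL text.
function sanitize_bywhat($bywhat)
{
    $allowed = array('aid', 'title', 'bodytext', 'comment');
    return in_array($bywhat, $allowed, true) ? $bywhat : 'naddaanythang';
}

// 3. Force row ids to integers before interpolating them (delete.php,
//    comment.php, commentsave.php). Non-numeric input becomes 0.
function sanitize_id($value)
{
    return intval($value);
}

// 4. Encode user-supplied text before echoing it into HTML (the $forwhat2
//    variable in search.php). The original also calls stripslashes() because
//    of magic_quotes_gpc, which modern PHP no longer has.
function for_output($text)
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Build a SELECT the way search.php does, but only from sanitized parts.
// Assumption: MySQL-style quoting, hence addslashes() on the search term.
function build_search_sql($prefix, $bywhat, $forwhat)
{
    $column = sanitize_bywhat($bywhat);
    $term   = addslashes($forwhat);
    return "SELECT jid, title FROM " . $prefix . "_journal WHERE "
         . $column . " LIKE '%" . $term . "%'";
}

// Constructed inputs: one ordinary request, one that tries to inject through
// $bywhat and $jid and to reflect a script tag through $forwhat.
$cases = array(
    array('bywhat' => 'title',
          'forwhat' => 'holiday',
          'jid' => '42'),
    array('bywhat' => "title='x' OR 1=1 -- ",
          'forwhat' => '<script>alert(1)</script>',
          'jid' => '42 OR 1=1'),
);

foreach ($cases as $c) {
    echo "bywhat -> " . sanitize_bywhat($c['bywhat']) . "\n";
    echo "jid    -> " . sanitize_id($c['jid']) . "\n";
    echo "output -> " . for_output($c['forwhat']) . "\n";
    echo "sql    -> " . build_search_sql('nuke', $c['bywhat'], $c['forwhat']) . "\n\n";
}

// Direct-access check on two constructed request paths: the module file called
// by itself versus the normal modules.php front controller.
echo "direct -> " . var_export(is_direct_request('/modules/Web_Links/voteinclude.php', 'Web_Links'), true) . "\n";
echo "front  -> " . var_export(is_direct_request('/modules.php', 'Web_Links'), true) . "\n";
```

Run it with `php fix_patterns.php` (hypothetical file name). The second case shows the injected `$bywhat` replaced by the placeholder, `$jid` reduced to `42`, and the script tag printed as `&lt;script&gt;...`; the direct-access check reports true only for the module file path, which is what the `die()` in the voteinclude.php patch keys on.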

Posted: Wed Jun 23, 2004 10:54 am

SteX
Advanced user
Joined: May 18, 2004
Posts: 181
Location: Serbia

good job..

_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------

Posted: Wed Jun 23, 2004 9:19 pm

Kliber
Beginner
Joined: Jun 14, 2004
Posts: 2
Location: Venezuela

I'll be waiting; hope it teaches me how to fix the insecure stuff in scripts like My_eGallery

Posted: Thu Jun 24, 2004 9:06 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I must finish phpnuke securing first, that's my priority #1 right now. Coz I will use phpnuke for my website and it must be as bug-free as possible.

Posted: Fri Jun 25, 2004 3:10 pm

Spacebom
Regular user
Joined: May 20, 2004
Posts: 6
Location: Valladolid - Spain

Yeah, very very great work waraxe, congratulations!!
Quote: I must finish phpnuke securing first
Yes, between all we can fix almost all
Good Work.
David - DesarrolloNuke.org
P.D.: What's the meaning of "Coz"? Is this an irregular expression?
Thank you for all

Posted: Fri Jun 25, 2004 3:37 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Spacebom wrote:
    Yeah, very very great work waraxe, congratulations!!
    Quote: I must finish phpnuke securing first
    Yes, between all we can fix almost all
    Good Work.
    David - DesarrolloNuke.org
    P.D.: What's the meaning of "Coz"? Is this an irregular expression?
    Thank you for all

"Coz" == "because"

Posted: Fri Jun 25, 2004 3:39 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

This "Journal" module is killin' me...
I have found another stream of holes in it, grr

Posted: Mon Jun 28, 2004 12:37 pm

sarah
Regular user
Joined: Jun 25, 2004
Posts: 5

waraxe wrote:
    This "Journal" module is killin' me...
    I have found another stream of holes in it, grr

bows down to thy new php master.

Posted: Fri Aug 20, 2004 7:27 pm

hexum
Beginner
Joined: Aug 20, 2004
Posts: 1

Wow, who would have ever guessed nuke had this many security flaws?
Our site just got hacked a few days ago and I was lucky enough to find WarAxe.
So how is 7.4 so far? Pretty secure? Anyone looked?

Posted: Sat Oct 23, 2004 5:44 pm

donie
Beginner
Joined: Oct 23, 2004
Posts: 1
Location: Indonesia

Hello Kliber,
about the My_eGallery patch, I just know this way:
open modules/My_eGallery/public/displayCategory.php
and add this code after <?php
Code:
// Normalise both include paths before looking for remote URL prefixes.
// (The original post had strtolower() with no argument here.)
$basepath = strtolower($basepath);
$adminpath = strtolower($adminpath);
$awas = strpos($basepath,"http");
$awas2 = strpos($basepath,"ftp");
$hati = strpos($adminpath,"http");
$hati2 = strpos($adminpath,"ftp");
// Only when neither path carries a remote prefix: refuse direct calls to this script.
if ($awas === false && $awas2 === false && $hati === false && $hati2 === false) {
if (eregi("displayCategory.php",$_SERVER['PHP_SELF'])) {
die();
}

at the bottom of the file, before ?>,
add this code.
I hope this can help.
I don't know any other way

Posted: Sat Sep 16, 2006 8:29 am

forahobby
Beginner
Joined: Sep 13, 2006
Posts: 2

Great reading.. Thanks again waraxe you legend..
Lots of great tips..
hobbs