IT Security and Insecurity Portal

waraxe-2005-SA#040 - Full path disclosure and XSS in PhpNuke

Posted: Mon Feb 14, 2005 10:20 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Author: Janek Vind "waraxe"
Date: 14. February 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-40.html

Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is a popular open-source content management system, written in PHP by
Francisco Burzi. This CMS is used on many thousands of websites, because it's
freeware, easy to install and manage, and has a broad set of features.

Homepage: http://phpnuke.org

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A1 - full path disclosure in "db/db.php":

http://localhost/nuke75/db/db.php

Fatal error: Cannot instantiate non-existent class: sql_db in D:\apache_wwwroot\nuke75\db\db.php on line 86

A2 - full path disclosure in "mainfile.php":

http://localhost/nuke75/index.php?inside_mod=1

Warning: main(../../config.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke75\mainfile.php on line 103
Fatal error: main(): Failed opening required '../../config.php' (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke75\mainfile.php on line 10

A3 - full path disclosure in "modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=menu

error: Call to undefined function: opentable() in D:\apache_wwwroot\nuke75\modules\Downloads\index.php on line 75

A4 - full path disclosure in "modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=menu

Fatal error: Call to undefined function: opentable() in D:\apache_wwwroot\nuke75\modules\Web_Links\index.php on line 65

B - Cross-Site Scripting aka XSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
B1 - xss in "/modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=[xss code here]

B2 - xss in "/modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=NewLinks&newlinkshowdays=[xss code here]

How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How to fix those bugs - http://www.waraxe.us/forums.html

Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Base64 encoder and decoder - http://base64-encoder-online.waraxe.us/
SiteMapper - free php script for phpNuke powered websites -
new version 0.2 available for download - http://sitemapper.waraxe.us/

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to icenix, Raido Kerna, g0df4th3r and slimjim100!
Tervitused - Heintz!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

Last edited by waraxe on Sun Feb 12, 2006 11:07 pm; edited 1 time in total
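
A defensive sketch for the two bug classes listed in the advisory above, added here as an example; it is not part of the advisory and is not PhpNuke's or waraxe's code. It assumes PHP 7 or later, and the names APP_ENTRY, clean_show_days() and render_heading() are hypothetical.

```php
<?php
// Added example; APP_ENTRY, clean_show_days() and render_heading() are
// hypothetical names, not PhpNuke identifiers. Assumes PHP 7 or later.

// Path disclosure: keep error text, which embeds absolute file paths,
// out of HTTP responses and send it to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Uncaught errors (e.g. a call to an undefined function) are logged in
// full; the client only sees a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Internal error.';
});

// Include-only files refuse direct requests. The front controller defines
// the marker; each include file starts with the check below.
define('APP_ENTRY', true);
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

// XSS: a "show days" value is only ever a small positive integer, so
// validate it as one and fall back to a default for anything else
// (markup, negative numbers, arrays, missing values).
function clean_show_days($raw, int $default = 7, int $max = 365): int
{
    $range = ['options' => ['min_range' => 1, 'max_range' => $max]];
    $days = filter_var($raw, FILTER_VALIDATE_INT, $range);
    return $days === false ? $default : $days;
}

// Encode at the point of output as a second layer.
function render_heading(string $label, $rawDays): string
{
    $text = sprintf('%s: last %d days', $label, clean_show_days($rawDays));
    return '<h3>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</h3>';
}

// Constructed sample inputs, not taken from the advisory.
foreach (['14', '<b>7</b>', '-1', ['x'], null] as $sample) {
    echo render_heading('New downloads', $sample), "\n";
}
```

In production the two error settings belong in php.ini or the virtual host configuration, so they also cover errors raised before any script code runs.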

Posted: Tue Feb 15, 2005 4:23 pm

MaDeRkAn
Regular user
Joined: Feb 15, 2005
Posts: 5

Can you give me an example for xss code in here, and what do I need to know xss code? I'm a beginner at this part.

_________________ NoTHinG is SeCuRe

Posted: Tue Feb 15, 2005 7:13 pm

sp3x
Valuable expert
Joined: Feb 15, 2005
Posts: 10

I have a question for waraxe....
Where can I report bugs in phpnuke.... is there any mail to them ??
and also the same question but in postnuke ...
thanks for info...

Posted: Tue Feb 15, 2005 8:28 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Posted: Tue Feb 15, 2005 8:40 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

sp3x wrote:
I have a question for waraxe....
Where can I report bugs in phpnuke.... is there any mail to them ??
and also the same question but in postnuke ...
thanks for info...

Phpnuke is unique software, because there is a very big number of
various derivations, versions, editions, patches, etc...
And if you try to contact Francisco Burzi himself, then you
just will not get any answer. So, if I discover some major security
hole in most of the phpnuke versions, then what can I do - try to
contact all of the derivations' authors? It's impossible...
So in the case of phpnuke I will just release a public advisory to
securityfocus, secunia and other lists and patches will be coming out
soon, that's sure. Of course, many sites will get hurt because of the
phpnuke insecurity (before they are patched), but that's life.
Postnuke authors are far more concerned about security and
they can be contacted before a public advisory, so they can develop
a patch before attacks go wild. Look here:
http://waraxe.us/ftopict-18.html

Hi Waraxe

Posted: Wed Feb 16, 2005 8:47 am

Zeelock
Active user
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night

Developer is Francesco Burzi, not Francisco ;->
I always like your work. You should do some workshops as well.
The rest of the world should learn from you.
Cheers

_________________ If it seems to be impossible, just step up your level!

Posted: Wed Feb 16, 2005 9:31 pm

sp3x
Valuable expert
Joined: Feb 15, 2005
Posts: 10

hmmm this is very bad...
soooo you suggest to post the bugs to bugtraq ??
with no contact with the phpnuke team...
I have some bugs and some are critical too
What do you suggest ??
thanks for help ...

Posted: Wed Feb 16, 2005 9:38 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

sp3x wrote:
hmmm this is very bad...
soooo you suggest to post the bugs to bugtraq ??
with no contact with the phpnuke team...
I have some bugs and some are critical too
What do you suggest ??
thanks for help ...

No, I suggest trying to contact the phpnuke team, of course.
What I am saying is that I personally have bad experience with reporting phpnuke security bugs to developers. It's my personal experience, and
I suggest you try to report security probs as per good traditions.

Posted: Wed Feb 16, 2005 10:17 pm

sp3x
Valuable expert
Joined: Feb 15, 2005
Posts: 10

thanks
but how ??
is there any mail to them.... on their site I don't see any contact to report the bugs...

Posted: Mon Mar 14, 2005 6:42 pm

KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61

I'm testing this exploit on a site, the full path exploit works, but the xss injection always says "The html tags you attempted to use are not allowed", and I've tried many ways...
any idea?

All times are GMT