[21944] in bugtraq
Re: SERIOUS BUG IN PHPNUKE
daemon@ATHENA.MIT.EDU (supergate@twlc.net)
Fri Jul 27 17:49:26 2001
From: supergate@twlc.net
Message-ID: <000e01c116e3$ccf30370$6ed1623e@supergate>
To: "MegaHz" <costcon@cytanet.com.cy>, <VULN-DEV@securityfocus.com>,
<INCIDENTS@securityfocus.com>, <bugtraq@securityfocus.com>
Cc: <mc2@securitywire.com>
Date: Fri, 27 Jul 2001 23:33:32 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
I don't find it a serious bug... they can just ruin their details page... so
who cares... However, if you want a serious bug in PHP-Nuke... well, there is one
that allows reading any file on the system. Look at:
http://www.twlc.net/article.php?sid=318
Mauro.
admin of twlc dot net
bug in nuke addon@#! DANGEROUS++!!!
Posted on Friday, July 13 @ 19:53:31 CDT
topic: advisories
Evening everyone..
Sorry to tell you: PHP-Nuke addon is BUGGY. It got a *HUGE* bug that
allows reading every file on the system. Let me explain the bug to you...
To do active forums and shit like that, the author had to put:
echo "<tr valign=\"top\"><td bgcolor=\"#ffffff\"> ";
if (file_exists($content)) {
    $fp = fopen ($content, "r");
    $content = fread($fp, filesize($content));
    fclose ($fp);
    $content = "?>$content<?";
    echo eval($content);
} else {
    echo $content;
}
echo "</td></tr></table> ";
replacing
."<tr valign=\"top\"><td bgcolor=\"#ffffff\"> "
."$content "
."</td></tr></table> "
ON EACH THEME file... So what does this code do? It checks the content of
the block, and if this is a file it 'executes' it... Now I was like 'and if
I put something like this'
<?php
$db = "config.php";
$fdb = @file($db);
$ldb = count($fdb);
while ($ldb>=0){
echo $fdb [$ldb];
$ldb--;
};
?>
(sorry for the code, but I am not a PHP guru :P)
and name it exploit.php and put it in the main directory? It simply
allowed me to read config.php, but a friend of mine (shockzor, THANK YOU BRO)
told me "who could put a file like that on your webserver?" (I didn't test
uploading it to my anonymous FTP, but I think it could work :)). But that's
just one possibility that this routine gives you, because I went ahead doing
these tests and I found that this SIMPLY ALLOWS ANY FILE READING ON THE
SYSTEM. LOOK:
(sg|code) u got autoexec.bat under c: ?
(shockzor) no
(shockzor) autoexec.nt
(sg|code) good
(sg|code) Menu for shit
<sg|code>
(sg|code) lh %SystemRoot%\system32\mscdexnt.exe lh %SystemRoot%\system32\redir lh %SystemRoot%\system32\dosx
(sg|code) now
(sg|code) since i am
(sg|code) 31337
(sg|code) WHAT?
(sg|code) EHEH
(shockzor) i dont think you can get out of the www root
(sg|code) u think wrong
(sg|code) cus i just did
Well, you've got two fixes:
1) bring your themes file back to:
."<tr valign=\"top\"><td bgcolor=\"#ffffff\"> "
."$content "
."</td></tr></table> "
2) get user.php, go to the end of the file where there is:
switch($op) {
look down until you find
case "edithome":
edithome();
break;
case "savehome":
savehome($uid, $uname, $theme, $storynum, $ublockon, $ublock);
break;
remove this shit so users can't create their "home menu".
Thanks for the attention.
BTW, I would like to thank shockzor, who helped me with the tests!
Thanks bro..! :D Thanks also go out to all in #twlc on Undernet.
Peace out.
(Thanks go out also to the authors of PHP-Nuke and PHP-Nuke addon; I
run 'em and I like 'em a lot! Keep up the good work)
Mauro
aka supergate
root@twlc.net
http://www.twlc.net
The following text has been posted to:
http://www.twlc.net
http://www.phpnuke.org
http://www.nukeaddon.com
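Added example (not code from the nuke add-on, from PHP-Nuke, or from either poster): a block renderer that treats the user's block text as data instead of as a file name to open and eval(), next to an allowlisted loader for the one case where a theme really needs a file-backed block. The function names render_block() and load_theme_block(), the $theme_blocks map and the throwaway directory the demo creates are this example's own assumptions.

```php
<?php
// Added example, not code from the nuke add-on, PHP-Nuke or the posts above.
// It contrasts the pattern the advisory describes (user block text handed to
// file_exists()/fopen()/eval()) with a renderer that treats the block as
// opaque text, plus an allowlisted loader for theme-owned block files.
// render_block(), load_theme_block() and the $theme_blocks map are names
// assumed for this example only.

// Hardened replacement for the theme code in the advisory: the block is
// data, never a path and never code. The user's string is escaped, so it
// can neither name a file nor inject HTML/JavaScript into the page.
function render_block(string $content): string
{
    return '<tr valign="top"><td bgcolor="#ffffff">'
        . htmlspecialchars($content, ENT_QUOTES, 'UTF-8')
        . '</td></tr></table>';
}

// If a theme genuinely needs a file-backed block, dispatch on a fixed key
// looked up in an administrator-controlled map, then confine the resolved
// path to one directory. Nothing the user typed is ever used as a path.
function load_theme_block(string $key, array $theme_blocks, string $base_dir): ?string
{
    if (!array_key_exists($key, $theme_blocks)) {
        return null;                     // unknown key: refuse without touching the filesystem
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $theme_blocks[$key]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                     // missing, or resolved outside $base_dir
    }
    return file_get_contents($path);
}

// --- Constructed demonstration: a throwaway blocks directory under the temp dir ---
$base_dir = sys_get_temp_dir() . '/nuke_blocks_' . getmypid();
mkdir($base_dir);
file_put_contents($base_dir . '/menu.html', "<ul><li>Home</li></ul>\n");
$theme_blocks = ['menu' => 'menu.html'];     // the only block the theme may load

// User-controlled block strings are printed as literal text, never opened.
echo render_block('config.php'), "\n";
echo render_block('<script>alert(1)</script>'), "\n";

// Only a known key reaches the filesystem ...
var_dump(load_theme_block('menu', $theme_blocks, $base_dir));       // string: the menu markup
// ... a user-supplied name is not a key, so it is refused ...
var_dump(load_theme_block('config.php', $theme_blocks, $base_dir)); // NULL
// ... and even a misconfigured map entry that resolves outside the
// blocks directory is refused by the realpath() containment check.
var_dump(load_theme_block('menu', ['menu' => '..'], $base_dir));    // NULL

unlink($base_dir . '/menu.html');
rmdir($base_dir);
```

Run it with the php CLI; the demo creates and removes its own directory under the system temp dir. The design point is that the user's string never reaches file_exists() or fopen(): the only thing that touches the filesystem is a fixed key looked up in a map the administrator controls, and even that resolved path is re-checked with realpath() to lie under the blocks directory.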
----- Original Message -----
From: "MegaHz" <costcon@cytanet.com.cy>
To: <VULN-DEV@securityfocus.com>; <INCIDENTS@securityfocus.com>;
<bugtraq@securityfocus.com>
Cc: <mc2@securitywire.com>
Sent: Friday, July 27, 2001 4:41 PM
Subject: SERIOUS BUG IN PHPNUKE
> Yes, phpnuke.org, was contacted....
>
> First take a look at:
> http://phpnuke.org/user.php?op=userinfo&uname=MegaHz
>
>
> Then, read this.................
> PHPnuke Bugs.
>
> After testing just a few scripts on phpnuke I have noticed the following:
>
> Some fields in the registration form allow code
> and fail to filter out the tags.
> e.g. Interests: src=http://www.anything.com/defaced.gif>
>
> Also when faking a form and posting from a local file (user.php.html)
> after editing a few fields like the avatar picture for example,
> it is possible to escape certain dirs with the ../../../../dir/pic.gif
> in the options field.
>
> (-- This is a local html file and set to post to user.php on the target
> server --)
> (no this is not a tag :P )
>
>
> 001.gif
> 002.gif
>
>
>
> This tells user.php to save the avatar path as
> http://www.target.com/../../../dir_on_server/anyfile.ext and loads the file
> when the user info of the attacker is viewed.
>
> As we know, web bugs (invisible or visible pics) can be used for tracing.
>
> The preview of the Registration Form allows JavaScript in the
> body (not the user.php), but it does not allow ' or ". BUT you can use /
> instead of '
> so this helps to fill in variables in JavaScript.
>
> This can damage the site and make it look ugly.
>
> I couldn't be bothered to look at the rest of phpnuke...
>
>
> Tested on phpnuke v5.0
>
> First discovered by: dinopio
>
>
>
> =================================================
> Andreas Constantinides (MegaHz)
> Owner - Admin of cHp - http://www.cyhackportal.com
> megahz@cyhackportal.com
> ICQ#: 30136845
> =================================================
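Added example (not code from PHP-Nuke or from either poster) for the two problems in the quoted report: profile fields echoed without escaping, and an avatar value stored as a path, so that a submitted ../../../dir/pic.gif escapes the avatar directory. The names escape_profile_field(), safe_avatar_path() and avatar_img_tag(), the images/avatar/ URL prefix and the throwaway directory the demo creates are this example's own assumptions.

```php
<?php
// Added example, not code from PHP-Nuke or from the posts above. It shows
// the two checks the quoted report says user.php lacks: escaping free-text
// profile fields on output, and accepting an avatar only as a bare file
// name that exists in the avatar directory, so a submitted
// "../../../dir/pic.gif" can never become the <img> source.
// escape_profile_field(), safe_avatar_path() and avatar_img_tag() are
// names assumed here; images/avatar/ is an assumed URL prefix.

// Escape every free-text field (interests, etc.) when it is echoed into the
// profile page. The form itself cannot be trusted: as the report notes, the
// attacker can post from a local copy of it with any values.
function escape_profile_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Accept a bare image file name only, from a fixed extension list, and only
// if that file really exists in $avatar_dir. The validated name, not a
// path, is what gets stored in the user row.
function safe_avatar_path(string $submitted, string $avatar_dir): ?string
{
    if (basename($submitted) !== $submitted) {
        return null;                           // contains a directory part: reject
    }
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(gif|jpe?g|png)\z/', $submitted)) {
        return null;                           // unexpected characters or extension
    }
    if (!is_file($avatar_dir . DIRECTORY_SEPARATOR . $submitted)) {
        return null;                           // not one of the site's avatars
    }
    return $submitted;
}

// Build the <img> tag from the stored name; the URL prefix is fixed by the site,
// so the attacker's profile can never point the tag at another location.
function avatar_img_tag(?string $name, string $avatar_url = 'images/avatar/'): string
{
    if ($name === null) {
        return '';                             // no valid avatar: emit nothing
    }
    return '<img src="' . htmlspecialchars($avatar_url . $name, ENT_QUOTES, 'UTF-8') . '">';
}

// --- Constructed demonstration with a throwaway avatar directory ---
$avatar_dir = sys_get_temp_dir() . '/nuke_avatars_' . getmypid();
mkdir($avatar_dir);
file_put_contents($avatar_dir . '/001.gif', 'GIF89a');

var_dump(safe_avatar_path('001.gif', $avatar_dir));              // string(7) "001.gif"
var_dump(safe_avatar_path('../../../dir/pic.gif', $avatar_dir)); // NULL: has a directory part
var_dump(safe_avatar_path('002.gif', $avatar_dir));              // NULL: no such avatar
var_dump(safe_avatar_path('001.gif?x=1', $avatar_dir));          // NULL: bad characters

echo avatar_img_tag(safe_avatar_path('001.gif', $avatar_dir)), "\n";
echo escape_profile_field('<img src=http://www.anything.com/defaced.gif>'), "\n";

unlink($avatar_dir . '/001.gif');
rmdir($avatar_dir);
```

The two checks are deliberately independent of the form: whatever user.php.html posts, the stored avatar is at most a validated file name under a server-chosen prefix, and every free-text field is escaped at output time rather than relying on the registration form to filter tags.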