[22113] in bugtraq
3 phpnuke bugs (2 possibly lead to admin privs)
daemon@ATHENA.MIT.EDU (kill-9@modernhackers.com)
Fri Aug 3 17:50:54 2001
Date: 3 Aug 2001 19:47:04 -0000
Message-ID: <20010803194704.28170.qmail@securityfocus.com>
From: <kill-9@modernhackers.com>
To: bugtraq@securityfocus.com
phpnuke (www.phpnuke.org) is an open-source web portal that powers many websites on the net. Version 5.x of phpnuke does not properly check some variables, and is vulnerable to an attack that gives an intruder admin privileges.

This is only possible if the intruder knows the database name that phpnuke is using, and the webserver must be able to connect to it without a password. Although it is very unlikely that these two circumstances will occur, this is still a bug worth mentioning.
The versions 5.x of phpnuke include a new feature involving a variable named $prefix:

< Quote from phpnuke release >
- "All database tables now have the nuke_ prefix to avoid conflicts with other scripts"
- "New $prefix variable in config.php to setup multiple Nuke sites sharing one database"
</ End Quote >
The $prefix variable is defined in the config.php file and is set to 'nuke' by default, along with a default database name of 'nuke'.

< Sample default config.php file >
$dbhost = "localhost";
$dbuname = "root";
$dbpass = "";
$dbname = "nuke";
$system = 0;
$prefix = "nuke";   // table prefix; a quoted string, not a bare word
</ End Sample >
An attacker can take advantage of this new feature by supplying a certain value for the $prefix variable and thereby constructing their own arbitrary SQL query. In the article.php file this is most easily accomplished by bypassing the inclusion of mainfile.php and supplying a value for $sid and $tid. (Bypassing the mainfile.php inclusion is important because mainfile.php itself includes config.php, which holds the variable definition for $prefix; if $prefix is never defined there, an attacker can supply her own value.)
< sample code from article.php >
if(!isset($mainfile)) { include("mainfile.php"); }
if(!isset($sid) && !isset($tid)) { exit(); }
</ end sample code>
The flow of the program will then eventually reach the following SQL query:

< example query from article.php >
mysql_query("UPDATE $prefix"._stories." SET counter=counter+1 where sid=$sid");
< / end example query >
So the following request will set all admin passwords to '1', given that 'nuke' is the name of the phpnuke database:

article.php?mainfile=1&sid=1&tid=1&prefix=nuke.authors%20set%20pwd=1%23
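As an added example (not PHP-Nuke's own code), here is the article.php pattern above rewritten so that the two conditions the attack relies on cannot occur: config.php is included unconditionally instead of behind the $mainfile guard, and $sid is validated as an integer before it reaches the query. In the PHP 4 of that era, register_globals turned every request parameter into a global variable, which is why a request could both skip the include (mainfile=1) and define $prefix; the example below reads only from $_GET and uses mysqli prepared statements on a modern PHP. The variable names $dbhost, $dbuname, $dbpass, $dbname and $prefix mirror the sample config.php above; the validation helpers and their names are my own.

```php
<?php
// Added example, not PHP-Nuke's code: the article.php counter update,
// hardened so that neither $prefix nor $sid can be supplied by the request.
// Assumes config.php defines $dbhost, $dbuname, $dbpass, $dbname, $prefix
// (the names used in the advisory's sample config).

// 1. Never let a request variable decide whether the config is loaded.
//    The original `if(!isset($mainfile))` guard is satisfied by ?mainfile=1
//    under register_globals, so $prefix is left undefined for the attacker
//    to fill in. Require the config unconditionally.
require_once __DIR__ . '/config.php';

// 2. Read input from the explicit superglobal only, never from globals
//    that register_globals may have populated.
$sid = isset($_GET['sid']) ? $_GET['sid'] : null;
$tid = isset($_GET['tid']) ? $_GET['tid'] : null;

// 3. Accept $sid only as a positive integer before it gets near SQL.
function validate_id($value)
{
    if (!is_string($value) && !is_int($value)) {
        return null;
    }
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string) $value)) {
        return null;
    }
    return (int) $value;
}

// 4. Treat the configured table prefix as an identifier, not free text.
//    It is no longer user-controlled once config.php is always loaded,
//    but a misconfigured value now fails closed instead of becoming SQL.
function validate_prefix($prefix)
{
    if (!is_string($prefix) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,31}$/', $prefix)) {
        return null;
    }
    return $prefix;
}

$sid    = validate_id($sid);
$prefix = validate_prefix(isset($prefix) ? $prefix : null);
if ($sid === null || $prefix === null) {
    http_response_code(400);
    exit('invalid request');
}

// 5. Backtick-quote the validated table name and bind the row id, so the
//    statement text is fixed before any request data is attached.
$db = new mysqli($dbhost, $dbuname, $dbpass, $dbname);
if ($db->connect_error) {
    http_response_code(500);
    exit('database unavailable');
}
$table = '`' . $prefix . '_stories`';
$stmt  = $db->prepare("UPDATE $table SET counter = counter + 1 WHERE sid = ?");
if ($stmt === false) {
    http_response_code(500);
    exit('query error');
}
$stmt->bind_param('i', $sid);
$stmt->execute();
$stmt->close();
```

The important change is the first one: with config.php always loaded, there is no code path in which $prefix is undefined, so the request-supplied prefix=nuke.authors... value is simply overwritten (and, on a PHP without register_globals, never becomes a variable at all). The identifier checks and the bound parameter are defence in depth for the remaining pieces of the statement.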
##############
DoS possibility

In addition, I noticed that in file 'modules.php' there exists a possible Denial of Service situation where an attacker could cause the file to recursively include itself (or any php file on the system, because phpnuke does not check for '../') by using the following url:

http://site_name_with_phpnuke/modules.php?op=modload&name=../&file=modules

Resources were consumed quickly in the tests that were performed.
##############
Another way to get admin

The fact that any .php file on the system can be included means that if another user has an account on the same machine that phpnuke is running on, he can cause phpnuke to include his .php file (if he chmods it to be readable by everyone), and his own arbitrary code will run with the permissions of the phpnuke user. This would lead to easy administrative access to the portal, and access to any of the phpnuke user's files.
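As an added example (not PHP-Nuke's own code), the following module loader handles the ?op=modload&name=...&file=... request in a way that closes both the recursive-include DoS and the arbitrary-file inclusion described above: name and file are restricted to identifier characters, the resolved path is checked to still lie under the modules directory, and a re-entrancy guard refuses to include a file that is already being loaded. The layout modules/<name>/<file>.php under the application root, the constant MODULES_ROOT and the helper names are assumptions of this example.

```php
<?php
// Added example, not PHP-Nuke's code: a modules.php loader that does not
// let the request escape the modules directory or include the loader itself.
// Assumed layout: <app root>/modules/<name>/<file>.php

$modulesRoot = realpath(__DIR__ . '/modules');
if ($modulesRoot === false) {
    http_response_code(500);
    exit('modules directory missing');
}
define('MODULES_ROOT', $modulesRoot);

// Map (name, file) to an absolute path inside MODULES_ROOT, or null.
function resolve_module_file($name, $file)
{
    // 1. Identifiers only: no '/', '\', '.', or NUL bytes, so '../',
    //    absolute paths and null-byte tricks are rejected up front.
    $ident = '/^[A-Za-z0-9_-]{1,64}$/';
    if (!is_string($name) || !is_string($file)
        || !preg_match($ident, $name) || !preg_match($ident, $file)) {
        return null;
    }

    // 2. Resolve symlinks and '..' on the real path and confirm the result
    //    is still below MODULES_ROOT (defence in depth behind step 1).
    $path = realpath(MODULES_ROOT . '/' . $name . '/' . $file . '.php');
    $rootPrefix = MODULES_ROOT . DIRECTORY_SEPARATOR;
    if ($path === false
        || strncmp($path, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return null;
    }
    return $path;
}

// Include the module once; refuse if it is already on the include stack,
// which is what turns name=../&file=modules into unbounded recursion.
function load_module($name, $file)
{
    static $loading = array();

    $path = resolve_module_file($name, $file);
    if ($path === null || isset($loading[$path])) {
        return false;
    }
    $loading[$path] = true;
    include $path;
    unset($loading[$path]);
    return true;
}

if (isset($_GET['op']) && $_GET['op'] === 'modload') {
    $name = isset($_GET['name']) ? $_GET['name'] : '';
    $file = isset($_GET['file']) ? $_GET['file'] : '';
    if (!load_module($name, $file)) {
        http_response_code(404);
        exit('no such module');
    }
}
```

Two notes on the design. The identifier check alone already defeats '../', but the realpath comparison is kept so that a symlink planted inside the modules tree by a local user (the scenario in the last section) cannot point the include back out of it. Because the include happens inside load_module(), a module file that expects globals from modules.php must declare them with `global`; if that is unacceptable, move the include to file scope but keep the resolve_module_file() check in front of it.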
by kill-9@modernhacker.com
http://www.modernhacker.com