[28207] in bugtraq
PHP-Nuke code execution and XSS vulnerabilities
daemon@ATHENA.MIT.EDU (Ulf Harnhammar)
Mon Dec 16 13:31:11 2002
Date: Mon, 16 Dec 2002 16:36:02 +0100 (CET)
From: Ulf Harnhammar <ulfh@update.uu.se>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.21.0212161631340.9852-101000@Tempo.Update.UU.SE>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-293465837-781401444-1040052962=:9852"
---293465837-781401444-1040052962=:9852
Content-Type: TEXT/PLAIN; charset=US-ASCII
PHP-Nuke code execution and XSS vulnerabilities
PROGRAM: PHP-Nuke
VENDOR: Fransisco Burzi et al.
HOMEPAGE: http://phpnuke.org/
VULNERABLE VERSIONS: 6.0 (the only supported version)
IMMUNE VERSIONS: 6.0 with my patch applied
LOGIN REQUIRED: no
DESCRIPTION:
"PHP-Nuke is a Web portal and online community system which
includes Web-based administration, surveys, access statistics,
user customizable boxes, a themes manager for registered users,
friendly administration GUI with graphic topic manager, the
ability to edit or delete stories, an option to delete comments,
a moderation system, referer tracking, integrated banner ad system,
search engine, backend/headlines generation (RSS/RDF format), Web
directory like Yahoo, events manager, and support for 20+ languages."
(direct quote from the program's project page at Freshmeat)
PHP-Nuke is published under the terms of the GNU General Public
License. It is a very popular program with lots and lots of
installations. It is included as one of the packages in Debian
GNU/Linux and one of FreeBSD's ports.
Despite all this, the program has a bad reputation regarding
security matters.
SUMMARY:
PHP-Nuke has a module that implements a web mail system. When a
user reads an e-mail message with an attached file, the file in
question is stored in a web accessible directory under its normal
file name. Files with active web content, such as CGI or PHP scripts,
are handled the same way.
The module also has a cross-site scripting hole. Either problem
is serious in its own right, but when we combine them, we end up
with something very serious: an e-mail message that automatically
executes an attached PHP script when someone opens it!
TECHNICAL DETAILS:
As stated above, PHP-Nuke has got a web mail system, and it stores
attachments under their real file names in a directory where anyone
can surf to them.
There is nothing in the code that stops active content, such as
PHP scripts, from being stored in that directory. There is also no
warning against this in the program's documentation. As a result, any
attacker can execute any PHP script on the web server. The attacker
first sends the script as an attachment to any user who will read
that message in PHP-Nuke's web mail system. The attacker then waits
for the user to open the message, and finally the attacker just
surfs to a predictable WWW location. The user doesn't even have to
open the attachment, just the mail that it comes in.
As a bonus, the web mail system also has a Cross-Site Scripting
vulnerability. It doesn't remove <script> tags in HTML based e-mail
messages.
When we combine the two vulnerabilities, we find that it is possible
to construct an e-mail message that will automatically execute an
attached PHP script when an unsuspecting user opens that message!
This is very bad, as PHP scripts can access files, databases and
network resources. They can for instance store a C program in some
temporary location, compile it and execute it.
To make things even worse, the availability of anonymous remailers
and the fact that the PHP script will be accessed from the victim's
IP number and not the attacker's makes the attacker pretty anonymous.
COMMUNICATION WITH VENDOR:
I didn't contact the vendor, as Fransisco has a very bad track
record when it comes to replying to security reports.
MY "SECURITY HARDENING PACKAGE":
Instead I wrote an unofficial patch for this issue. I have patched
against version 6.0.
The patch stops this particular cross-site scripting problem by
calling the filter_text() function. As Matthew Murphy has shown
us earlier, this function is not particularly secure, so there are
other XSS problems that may be exploited.
The patch also stops PHP-Nuke from storing active web content, with
a long regular expression that only stores explicitly allowed types
of data. If your users receive weird types of data, you may have
to change the regex slightly. It also stops "../../../" traversal
attacks using the attachments' file names.
The patch doesn't address the issue of attached Word documents or
other files being available for anyone to download, if they know
the URL.
MY EXPLOIT:
I have also attached an exploit for this issue, which changes all
administrator passwords on the PHP-Nuke system to "ulf". The attacker
simply sends an HTML mail with the contents of my xss.html file as
the *mail body* and my adminexploit.php file as an attachment. As
soon as the victim opens the mail, the script is executed.
// Ulf Harnhammar
VSU Security
ulfh@update.uu.se
"I saw the worst minds of my generation / getting their political
information from tabloids / listening to Savage Garden's greatest
hits / getting married and having kids at 25 just 'cause the
neighbours did / and building the worst administrative web-based
members interface ever known to man" (To B.)
---293465837-781401444-1040052962=:9852
Content-Type: APPLICATION/zip; name="php-nuke_webmail.zip"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0212161636020.9852@Tempo.Update.UU.SE>
Content-Description:
Content-Disposition: attachment; filename="php-nuke_webmail.zip"
UEsDBBQAAAAIACSDkC3KBmyJuAAAANMAAAAQABUAYWRtaW5leHBsb2l0LnBo
cFVUCQADU/D9PTzx/T1VeAQA9AH0ASWNTQuCQBRF9/MrHhWoUBZCq74IFNwk
glpLGfWJQzM6jU4Z0X9vKriLA/dy7vYgG0nIFOIwXkT6inDBQlDG4VgJ1kIw
St6xwQwyXkNIVdtQIaiawznJIMFSKzY8TR11dxQFqoWP5Q/AW608Qlhbcl0h
WK67/MfY25pxdM2ztSGkv/H8plE97UkW+8c0gNlLKqzZ+M6pHppO9ZAEKchH
tTv5a9vSvLacyRxmVcEcIzAeY+zsLx/25ANQSwMEFAAAAAgAJIOQLX+kSWID
AwAAjAcAABYAFQBwaHAtbnVrZV93ZWJtYWlsLnBhdGNoVVQJAANT8P09PPH9
PVV4BAD0AfQBrVVdj9o4FH0efsWtF2kSJYEJlM6UAkO1XakvbaV22z6UCpnk
JrhNHMvxzDBTz3+vnbSEyQbNrrRIKMY+98TnfhyCIICtyrNhXsRXGZbDz7h5
Q1k2jDEqYsyxLGmKA7EVgyKLT94UHF5hBOEzCMPp2WQ6CWF0djbqeZ73L3la
HKPxdDKuOZZLCEbn5344Bq96PoflsgftD2YlsgQclJgyh5xvmCI+9NWWlcHi
NdIYZemQPwuukKvgb0l5maAM/uLmIoynxHVdmP6TFqCfsAxh/ptqU8S3Lzpe
z2OWvOh5h3t/tH7CB4yuJFO3kLBd++xjlsBrKvmW5jmVPnz68LHB18l8yP3g
9VY542ydonLsfddXIitoXLrw8u0r6FOlaLTNjfJyfc3wBuZzCF34YUN7wclJ
pVFQtW10NiFrezAgQzKoYJzmaISePMjP47EbWlahzp7E7Ujj8opnjH939qRd
ICs22haioYInczg9rSoYdFVQmLstk0Igb5h9IJS48O49xAxNZ1DOCwUWA1XF
V2QPXRFi7tHBnNyY8lhJwq/zcAQWZUVZwdxWizSC6r49XQ2cuIi0VIkWsfmW
epeVWu2UtnN0qXd5pr8JvEx1yswxT/UmFzoXY12kqb6h1xp3qKMi1+nlnb5j
Qm/uRlpRqaXIdYwbt3/qNzUzKfvRdaP/MW1H2LtSdwz6SPruu8b2wAuadrSO
EMVfiLoVSL5WKn5hmO07bJ0fcQQzfWj6D8iKz8RiRmErMZk/EL7Yt+ZsSBcG
RTr6uEpy7YSxGRSpvhxctSRf7UA1E2d9cDy68J+CNx4/NY/aBY34e8PdCy4X
vRW8LYDjjZUCVFlTgiKp6tLzzHlwzNal8cfcLI44+mQyHV084uiHFO3w59Pw
ojHzcBL6z8Czj/O9lVd20pdYGtG2JGuJIqOR6TBnvuKuKQyxxTGA347QjmAH
ITPr0lXQbGeX/yU0R0V/hdplE+q1Q01eFcq1wp1yakzL4/2Wq9c5qDnqDppt
ZNUazZYlshv31T+amc6fUEsDBBQAAAAIACSDkC1IPhISUAAAAFcAAAAIABUA
eHNzLmh0bWxVVAkAA1Pw/T088f09VXgEAPQB9AE1zMENgCAMAMA/YzAAHUB0
A9++K5TQpEADNXF8X94AF1earHa4RVKCjITGo4c6qewe2siP0IKL7hNZAM0w
1UbdFmBu3OlVGWxBq/rNRfi3D1BLAQIXAxQAAAAIACSDkC3KBmyJuAAAANMA
AAAQAA0AAAAAAAEAAACkgQAAAABhZG1pbmV4cGxvaXQucGhwVVQFAANT8P09
VXgAAFBLAQIXAxQAAAAIACSDkC1/pEliAwMAAIwHAAAWAA0AAAAAAAEAAACk
gfsAAABwaHAtbnVrZV93ZWJtYWlsLnBhdGNoVVQFAANT8P09VXgAAFBLAQIX
AxQAAAAIACSDkC1IPhISUAAAAFcAAAAIAA0AAAAAAAEAAACkgUcEAAB4c3Mu
aHRtbFVUBQADU/D9PVV4AABQSwUGAAAAAAMAAwDfAAAA0gQAAAAA
---293465837-781401444-1040052962=:9852--
