[28283] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post
PHP-Nuke mail CRLF Injection vulnerabilities

daemon@ATHENA.MIT.EDU (Ulf Harnhammar)
Fri Dec 20 21:32:30 2002

Date: Fri, 20 Dec 2002 11:32:21 +0100 (CET)
From: Ulf Harnhammar <ulfh@update.uu.se>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
        full-disclosure@lists.netsys.com
Message-ID: <Pine.LNX.4.21.0212201129530.28284-200000@Tempo.Update.UU.SE>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-293465837-1101336171-1040380341=:28284"

---293465837-1101336171-1040380341=:28284
Content-Type: TEXT/PLAIN; charset=US-ASCII

PHP-Nuke mail CRLF Injection vulnerabilities


PROGRAM: PHP-Nuke
VENDOR: Fransisco Burzi et al.
HOMEPAGE: http://phpnuke.org/
VULNERABLE VERSIONS: 6.0 (the only supported version)
IMMUNE VERSIONS: 6.0 with my patch applied
LOGIN REQUIRED: no


DESCRIPTION:

"PHP-Nuke is a Web portal and online community system which
includes Web-based administration, surveys, access statistics,
user customizable boxes, a themes manager for registered users,
friendly administration GUI with graphic topic manager, the
ability to edit or delete stories, an option to delete comments,
a moderation system, referer tracking, integrated banner ad system,
search engine, backend/headlines generation (RSS/RDF format), Web
directory like Yahoo, events manager, and support for 20+ languages."

(direct quote from the program's project page at Freshmeat)

PHP-Nuke is published under the terms of the GNU General Public
License. It is a very popular program with lots and lots of
installations. It is included as one of the packages in Debian
GNU/Linux and one of FreeBSD's ports.

Despite all this, the program has a bad reputation regarding
security matters.


SUMMARY:

PHP-Nuke has got four functions that allow restricted sending of
e-mails: Feedback, Recommend Us, Send (news item) to a Friend and
Send this Journal to a Friend. They either restrict who you can send
e-mails to or what message you can send to them. They are open for
anonymous users as well as regular users.

By submitting special data, an attacker can escape these restrictions
and use someone else's PHP-Nuke installation to send HTML e-mails
to any recipient with any message that they like.


TECHNICAL DETAILS:

The fourth parameter to PHP's mail() function contains the additional
mail headers that PHP doesn't have a special parameter for. In this
case, it's used to add From and Reply-To headers. When PHP-Nuke
constructs the value for this parameter, it doesn't check the form
data it's using for CR and LF characters. As a result, an attacker
can supply extra mail headers and even an extra mail body, and they
will be included in the mail between the real headers and the real
body. This is done by simply including CR and LF characters in the
form data field that contains your e-mail address. If the attacker
includes an HTML message ending with a "<!--" tag or a
"<font color='something'>" tag that sets the foreground colour to
the background colour, the real mail body will not be shown in
many programs.


COMMUNICATION WITH VENDOR:

I didn't contact the vendor, as Fransisco has a very bad track
record when it comes to replying to security reports.


MY "SECURITY HARDENING PACKAGE":

Instead I wrote an unofficial patch for this issue. I have patched
against version 6.0.

The patch simply replaces all CR and LF characters in the vulnerable
variables with spaces, and then the exploit doesn't work anymore.


// Ulf Harnhammar
   VSU Security
   ulfh@update.uu.se


"I saw the worst minds of my generation / getting their political
 information from tabloids / listening to Savage Garden's greatest
 hits / getting married and having kids at 25 just 'cause the
 neighbours did / and building the worst administrative web-based
 members interface ever known to man" (To B.)


---293465837-1101336171-1040380341=:28284
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="php-nuke_mail_crlf.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0212201132210.28284@Tempo.Update.UU.SE>
Content-Description: 
Content-Disposition: attachment; filename="php-nuke_mail_crlf.patch"

LS0tIGh0bWwvbWFpbmZpbGUucGhwLm9sZAlUaHUgRGVjIDE5IDE5OjE3OjEw
IDIwMDINCisrKyBodG1sL21haW5maWxlLnBocAlUaHUgRGVjIDE5IDE5OjI0
OjAwIDIwMDINCkBAIC04NzAsNCArODcwLDEzIEBADQogICAgIHJldHVybigk
VGhlbWVTZWwpOw0KIH0NCiANCi0/Pg0KXCBObyBuZXdsaW5lIGF0IGVuZCBv
ZiBmaWxlDQorIw0KKyMgU2VjdXJpdHkgZml4DQorIyBVbGYgSGFybmhhbW1h
ciwgVlNVIFNlY3VyaXR5IDIwMDINCisjDQorDQorZnVuY3Rpb24gcmVtb3Zl
Y3JsZigkc3RyKSB7DQorICAgIHJldHVybiBzdHJ0cigkc3RyLCAiXDAxNVww
MTIiLCAnICAnKTsNCit9DQorDQorPz4NCi0tLSBodG1sL21vZHVsZXMvRmVl
ZGJhY2svaW5kZXgucGhwLm9sZAlUaHUgRGVjIDE5IDE5OjI2OjQ0IDIwMDIN
CisrKyBodG1sL21vZHVsZXMvRmVlZGJhY2svaW5kZXgucGhwCVRodSBEZWMg
MTkgMTk6Mjg6MzQgMjAwMg0KQEAgLTY5LDYgKzY5LDggQEANCiAJJHNlbmQg
PSAibm8iOw0KICAgICB9IA0KICAgICBpZiAoJHNlbmQgIT0gIm5vIikgew0K
Kwkkc2VuZGVyX25hbWUgPSByZW1vdmVjcmxmKCRzZW5kZXJfbmFtZSk7ICMg
U2VjdXJpdHkgZml4DQorCSRzZW5kZXJfZW1haWwgPSByZW1vdmVjcmxmKCRz
ZW5kZXJfZW1haWwpOw0KIAkkbXNnID0gIiRzaXRlbmFtZVxuXG4iOw0KIAkk
bXNnIC49ICIiLl9TRU5ERVJOQU1FLiI6ICRzZW5kZXJfbmFtZVxuIjsNCiAJ
JG1zZyAuPSAiIi5fU0VOREVSRU1BSUwuIjogJHNlbmRlcl9lbWFpbFxuIjsN
CkBAIC05Myw0ICs5NSw0IEBADQogQ2xvc2VUYWJsZSgpOyAgIA0KIGluY2x1
ZGUoImZvb3Rlci5waHAiKTsNCiANCi0/Pg0KXCBObyBuZXdsaW5lIGF0IGVu
ZCBvZiBmaWxlDQorPz4NCi0tLSBodG1sL21vZHVsZXMvSm91cm5hbC9mcmll
bmQucGhwLm9sZAlUaHUgRGVjIDE5IDIxOjIzOjI3IDIwMDINCisrKyBodG1s
L21vZHVsZXMvSm91cm5hbC9mcmllbmQucGhwCVRodSBEZWMgMTkgMjE6MjU6
MjIgMjAwMg0KQEAgLTM4LDYgKzM4LDExIEBADQogbGlzdCAoJGp0aXRsZSkg
PSBzcWxfZmV0Y2hfcm93KCRyZXN1bHQsICRkYmkpOw0KIA0KIGlmICgkc2Vu
ZCA9PSAxKSB7DQorICAgICRmbmFtZSA9IHJlbW92ZWNybGYoJGZuYW1lKTsg
IyBTZWN1cml0eSBmaXgNCisgICAgJGZtYWlsID0gcmVtb3ZlY3JsZigkZm1h
aWwpOw0KKyAgICAkeW5hbWUgPSByZW1vdmVjcmxmKCR5bmFtZSk7DQorICAg
ICR5bWFpbCA9IHJlbW92ZWNybGYoJHltYWlsKTsNCisNCiAgICAgJHN1Ympl
Y3QgPSAiIi5fSU5URVJFU1RJTkcuIiAkc2l0ZW5hbWUiOw0KICAgICAkbWVz
c2FnZSA9ICIiLl9IRUxMTy4iICRmbmFtZTpcblxuIi5fWU9VUkZSSUVORC4i
ICR5bmFtZSAiLl9DT05TSURFUkVELiJcblxuXG4kanRpdGxlXG4iLl9VUkwu
IjogJG51a2V1cmwvbW9kdWxlcy5waHA/bmFtZT0kbW9kdWxlX25hbWUmZmls
ZT1kaXNwbGF5JmppZD0kamlkXG5cblxuIi5fQVJFTU9SRS4iXG5cbi0tLVxu
JHNpdGVuYW1lXG4kbnVrZXVybCI7DQogICAgIG1haWwoJGZtYWlsLCAkc3Vi
amVjdCwgJG1lc3NhZ2UsICJGcm9tOiBcIiR5bmFtZVwiIDwkeW1haWw+XG5Y
LU1haWxlcjogUEhQLyIgLiBwaHB2ZXJzaW9uKCkpOw0KQEAgLTgyLDQgKzg3
LDQgQEANCiANCiBqb3VybmFsZm9vdCgpOw0KIA0KLT8+DQpcIE5vIG5ld2xp
bmUgYXQgZW5kIG9mIGZpbGUNCis/Pg0KLS0tIGh0bWwvbW9kdWxlcy9OZXdz
L2ZyaWVuZC5waHAub2xkCVRodSBEZWMgMTkgMjA6MDU6NTMgMjAwMg0KKysr
IGh0bWwvbW9kdWxlcy9OZXdzL2ZyaWVuZC5waHAJVGh1IERlYyAxOSAyMDox
NjoyNCAyMDAyDQpAQCAtNTAsNiArNTAsMTEgQEANCiBmdW5jdGlvbiBTZW5k
U3RvcnkoJHNpZCwgJHluYW1lLCAkeW1haWwsICRmbmFtZSwgJGZtYWlsKSB7
DQogICAgIGdsb2JhbCAkc2l0ZW5hbWUsICRudWtldXJsLCAkcHJlZml4LCAk
ZGJpLCAkbW9kdWxlX25hbWU7DQogDQorICAgICRmbmFtZSA9IHJlbW92ZWNy
bGYoJGZuYW1lKTsgIyBTZWN1cml0eSBmaXgNCisgICAgJGZtYWlsID0gcmVt
b3ZlY3JsZigkZm1haWwpOw0KKyAgICAkeW5hbWUgPSByZW1vdmVjcmxmKCR5
bmFtZSk7DQorICAgICR5bWFpbCA9IHJlbW92ZWNybGYoJHltYWlsKTsNCisN
CiAgICAgJHJlc3VsdDI9c3FsX3F1ZXJ5KCJzZWxlY3QgdGl0bGUsIHRpbWUs
IHRvcGljIGZyb20gIi4kcHJlZml4LiJfc3RvcmllcyB3aGVyZSBzaWQ9JHNp
ZCIsICRkYmkpOw0KICAgICBsaXN0KCR0aXRsZSwgJHRpbWUsICR0b3BpYykg
PSBzcWxfZmV0Y2hfcm93KCRyZXN1bHQyLCAkZGJpKTsNCiANCkBAIC05MCw0
ICs5NSw0IEBADQogDQogfQ0KIA0KLT8+DQpcIE5vIG5ld2xpbmUgYXQgZW5k
IG9mIGZpbGUNCis/Pg0KLS0tIGh0bWwvbW9kdWxlcy9SZWNvbW1lbmRfVXMv
aW5kZXgucGhwLm9sZAlUaHUgRGVjIDE5IDIwOjAwOjQ1IDIwMDINCisrKyBo
dG1sL21vZHVsZXMvUmVjb21tZW5kX1VzL2luZGV4LnBocAlUaHUgRGVjIDE5
IDIwOjAyOjQ1IDIwMDINCkBAIC00NSw2ICs0NSw5IEBADQogDQogZnVuY3Rp
b24gU2VuZFNpdGUoJHluYW1lLCAkeW1haWwsICRmbmFtZSwgJGZtYWlsKSB7
DQogICAgIGdsb2JhbCAkc2l0ZW5hbWUsICRzbG9nYW4sICRudWtldXJsLCAk
bW9kdWxlX25hbWU7DQorICAgICRmbWFpbCA9IHJlbW92ZWNybGYoJGZtYWls
KTsgIyBTZWN1cml0eSBmaXgNCisgICAgJHluYW1lID0gcmVtb3ZlY3JsZigk
eW5hbWUpOw0KKyAgICAkeW1haWwgPSByZW1vdmVjcmxmKCR5bWFpbCk7DQog
ICAgICRzdWJqZWN0ID0gIiIuX0lOVFNJVEUuIiAkc2l0ZW5hbWUiOw0KICAg
ICAkbWVzc2FnZSA9ICIiLl9IRUxMTy4iICRmbmFtZTpcblxuIi5fWU9VUkZS
SUVORC4iICR5bmFtZSAiLl9PVVJTSVRFLiIgJHNpdGVuYW1lICIuX0lOVFNF
TlQuIlxuXG5cbiIuX0ZTSVRFTkFNRS4iICRzaXRlbmFtZVxuJHNsb2dhblxu
Ii5fRlNJVEVVUkwuIiAkbnVrZXVybFxuIjsNCiAgICAgbWFpbCgkZm1haWws
ICRzdWJqZWN0LCAkbWVzc2FnZSwgIkZyb206IFwiJHluYW1lXCIgPCR5bWFp
bD5cblgtTWFpbGVyOiBQSFAvIiAuIHBocHZlcnNpb24oKSk7DQpAQCAtNzYs
NCArNzksNCBAQA0KIA0KIH0NCiANCi0/Pg0KXCBObyBuZXdsaW5lIGF0IGVu
ZCBvZiBmaWxlDQorPz4NCg==
---293465837-1101336171-1040380341=:28284--

home	help	back	first	fref	pref	prev	next	nref	lref	last	post
[28283] in bugtraq

PHP-Nuke mail CRLF Injection vulnerabilities

daemon@ATHENA.MIT.EDU (Ulf Harnhammar)Fri Dec 20 21:32:30 2002

daemon@ATHENA.MIT.EDU (Ulf Harnhammar)
Fri Dec 20 21:32:30 2002
