Re: PHP-Nuke Avatar Code injection vulnerability

["delusion" <delusi0n () bellsouth net>]

This is a follow up to my original email..

First of all i just want to add, that with this vulnerability, it is
possible to change other user's avatars to either text, or to different
images. all you need to find out is their UID and username.

And also i came up with this solution for the problem..

In modules/Your_Account in php nuke, open up index.php. Search for
"saveuser" you should get to a function that looks liek this..
(should be around line 740)

function saveuser($uid, $realname, $uname, $email, etc...

right underneath the function call, put this in..

$referer = getenv("HTTP_REFERER");
$nukeurl="http://digital-delusions.com";;
$nukeurl2="http://digital-delusions.dyn.ee";;
$nukeurl3="http://192.168.0.254";;
if (substr("$referer",0,strlen($nukeurl))==$nukeurl OR
substr("$referer",0,strlen($nukeurl2))==$nukeurl2 OR
substr("$referer",0,strlen($nukeurl3))==$nukeurl3) {

this code will check where the request is coming from, and if it is coming
from your site, then it will let the function continue.. Notice i have 3
$nukeurl variables, this is because those are the 3 different url's requests
can come form. So make sure u change my URLs to your site's urls.

Then, go down to the end of the function.. (ends with a "}")
should look somethign liek this..

[...]
            Header("Location: modules.php?name=$module_name");
            }
     }
}

before the last "}"
paste this..

} else {
echo "delusion ownz j00";
}

make sure u keep all the {}'s in their correct places, dont remove any. and
of course you can change the message to whatever you want ;)

Have fun,
-delusion
http://www.digital-delusions.com

----- Original Message -----
From: "delusion" <delusi0n () bellsouth net>
To: <bugtraq () securityfocus com>
Sent: Monday, February 03, 2003 5:54 AM
Subject: PHP-Nuke Avatar Code injection vulnerability


> -------------------------------------------
>
> Affected Versions:
> PHP Nuke versionh 6.0 and below
>
> Unaffected version:
> PHP Nuke 6.5
>
> Impact:
> -------------------------------------------
> Allows any user to inject their own HTML or Java code instead of an avatar
> image. This can lead to very annoying forum posts, and the usual XSS
tricks.
> Summary:
> -------------------------------------------
> When users sign up, they are asked to select an avatar from a list of
> available avatars in the website's /images/forum/avatars folder. When PHP
> Nuke inserts the image name of the selected avatar into the database, it
> does not perform any tag or code checks. So therefore if a user gets the
> site's <form> code and changes the avatar <select> box into a text box, he
> can enter HTML or java code which will be entered into the database and
> displayed wherever the avatar is shown. This can lead to very annoying
forum
> posts, and to the theft of users' cookies using XSS.
>
> Exploit:
> -------------------------------------------
> After you register on the vulnerable PHP Nuke site, login, then on the
"Your
> Account" page click "Your Info", view source, then search for "uid", you
> should find something like this..
>
> <input type="hidden" name="uid" value="2273">
>
> The number you see for value, is your user id. After you got your user id,
> Launch this html code.. (make sure u change http://NUKESITE to the url of
> the vulnerable site)
>
> <!-- START CODE --!>
> <form name="Register"
> action="http://NUKEDSITE/modules.php?name=Your_Account"; method="post">
>
> <b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30"
> maxlength="30"><br><br>
>
> <b>Username</b><input type="text" name="uname" size="30"
> maxlength="255"><br><b>User ID:<input type="text" name="uid"
> size="30"><input type="hidden" name="op" value="saveuser"><input
> type="submit" value="Save Changes"></form>
> <!-- END CODE --!>
>
> When you launch it, type in your code, which must start with `">`. it
doesnt
> matter how it ends, you can put a '<b ' at the end, so you dont get any
> broken code. Type in your username and user ID, then click submit, and u
> will be taken to the "Your Account" page on the vulnerable Nuked site. At
> this point you should be able to see the result of your code. Now anywhere
> that your avatar will be used, it will execute the code. ;)
>
> BTW the code you put in can only be 30 characters long due to the field's
> specified length in the database.
>
> heres a sample of what u can enter..
>
> "><h1>TESTING</h1><b
>
> That will cause "TESTING" to appear in big letters wherever your avatar is
> used.
>
> There is a space after "<b" so make sure to put that in, or u will get
ugly
> broken code. ;)
>
> Solution:
> -------------------------------------------
> None as of yet.. If someone can please post a good solution it would be
> appreciated.
>
> -------------------------------------------
>
> Another Vulnerability Brought to you by,
> delusion
> http://www.digital-delusions.com