Bugtraq mailing list archives
Multiples Full Path Disclosure in php-nuke 7.6 (and below)
From: Luis Fernando <spiderkid () gmail com>
Date: Fri, 29 Apr 2005 10:15:44 -0300
Multiples Full Path Disclosure in php-nuke 7.6 (and below)
---------------------------------------------------------------------------
Author: project-restart
Date: 27. April 2005
Location: Brazil
Web: http://www.project-restart.org/
Target: PHP-nuke 7.6 (and below)
---------------------------------------------------------------------------

Target software description:

Php-Nuke is a popular opensource content management system, written in php
by Francisco Burzi. This CMS is used on many thousands of websites, because
it's freeware (7.7 no ¬¬), easy to install and manage and has a broad set of
features.

Homepage: http://phpnuke.org
---------------------------------------------------------------------------

Vulnerabilities found by luis <luis () project-restart org>

###########################
Vuln1

File: includes/ipban.php
(http://localhost/nuke76/includes/ipban.php)

-----------/includes/ipban.php--------------
15: global $prefix, $db;
16: $ip = $_SERVER["REMOTE_ADDR"];
17: $numrow = $db->sql_numrows($db->sql_query("SELECT id FROM ".$prefix."_banned_ip WHERE ip_address='$ip'"));
18: if ($numrow != 0) {
19: echo "<br><br><center><img src='images\admin\ipban.gif'><br><br><b>You has been banned by the administrator</b></center>";
20: die();
21: }
--------------------------------------------

Result:
Fatal error: Call to a member function on a non-object in /home/localhost/public_html/nuke76/includes/ipban.php on line 17

###########################
Vuln2

File: db/db.php
(http://localhost/nuke76/db/db.php)

--------/db/db.php------------
49:switch($dbtype) {
50: case 'MySQL':
51: include("".$the_include."/mysql.php");#
52: break;
(...)
85: $db = new sql_db($dbhost, $dbuname, $dbpass, $dbname, false);
86: if(!$db->db_connect_id) {#
87: die("<br><br><center><img src=images/logo.gif><br><br><b>There seems to be a problem with the MySQL server, sorry for the inconvenience.<br><br>We should be back shortly.</center></b>");
88: }
-----------------------------

Result:
Fatal error: Cannot instantiate non-existent class: sql_db in /home/localhost/public_html/nuke76/db/db.php on line 86

###########################
Vuln3

File: /modules/Reviews/language/lang-norwegian.php
(http://localhost/nuke76/modules.php?name=Reviews&newlang=norwegian)

--------/modules/Reviews/language/lang-norwegian.php--------------
52: define("_INVALIDTEXT","Feil i anmeldelsestekst... Feltet kan ikke være tomt\");
53: define("_INVALIDHITS","Treff må være en positiv integer");
-----------------------------------------------------------------

Result:
Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Reviews/language/lang-norwegian.php on line 53

##########################
Vuln4

File: /modules/Downloads/language/lang-greek.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=greek)

-------/modules/Downloads/language/lang-greek.php-----------
176: A-# define("_FILESIZE","ÃŒÃãåèïò áñ÷åßïõ");
177: A-# define("_VERSION","¸êäïóç");
178: K-# define("_UDOWNLOADS","ÃÃáêôÞóåÃ(c)ò");
179: A-# define("_HOMEPAGE","ÊåÃôñÃ(c)êÞ Ã"åëßäá ");
------------------------------------------------------------

This is a commentary?!

Result:
Parse error: parse error, unexpected ';' in /home/localhost/public_html/nuke76/modules/Downloads/language/lang-greek.php on line 181

#########################
Vuln 5

File: /modules/Downloads/language/lang-indonesian.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=indonesian)

------/modules/Downloads/language/lang-indonesian.php----
59: define("_DOWNLOADSNOTUSER8","<a href=\"modules.php?name=Your_Account&">Daftar di sini</a>");
60: define("_DOWNLOADALREADYEXT","ERROR: Alamat URL sudah ada dalam database!");
---------------------------------------------------------

Result:
Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Downloads/language/lang-indonesian.php on line 59

---------------------------------------------------------------------------

(more) Vulnerabilities found by guilherme <guilherme () project-restart org>

###########################
Vuln6

File: /modules/Web_Links/language/lang-portuguese.php

If called the module Web_Links with portuguese language, it returns the
way from the archive in the server.
(http://localhost/nuke76/modules.php?name=Web_Links&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Web_Links/language/lang-portuguese.php on line 171

---------/modules/Web_Links/language/lang-portuguese.php----------------
169: define("_REMOTEFORM","Forma de Avaliação a Distância");
170: define("_PROMOTE04","Se você nos enganar, nós removeremos seu link. Temos dito isto, aqui como uma forma de avaliação remota e
171: define("_VOTE4THISSITE","Vote neste Site!");
172: define("_LINKVOTE","Vote!");
----------------------------

###########################
Vuln7

File: /modules/Web_Links/language/lang-indonesian.php

If called the module Web_Links with indonesian language, it returns the
way from the archive in the server.
(http://localhost/nuke76/modules.php?name=Web_Links&newlang=indonesian)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Web_Links/language/lang-indonesian.php on line 170

---------/modules/Web_Links/language/lang-indonesian.php----------------
169: define("_LOOKTOREQUEST","Kami akan memeriksa laporan anda.");
170: define("_ONLYREGUSERSMODIFY","Hanya member yang bisa meminta modifikasi link. Silakan daftar atau login <a href=\"/modules.php?name=Your_Account&">di sini</a>.");
171: define("_REQUESTLINKMOD","Permohonan Modifikasi Link Situs");
------------------------

###########################
Vuln8

File: /modules/Surveys/language/lang-indonesian.php

If called the module Surveys with indonesian language, it returns the
way from the archive in the server.
(http://localhost/nuke76/modules.php?name=Surveys&newlang=indonesian)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Surveys/language/lang-indonesian.php on line 40

---------/modules/Surveys/language/lang-indonesian.php----------------
39: define("_NOSUBJECT","Tanpa Subjek");
40: define("_NOANONCOMMENTS","Anda tidak dibolehkan mengirim komentar, silakan daftar <a href=\"modules.php?name=Your_Account&">di sini</a>");
41: define("_PARENT","Setingkat ke atas");
------------------------------

###########################
Vuln9

File: /modules/Reviews/language/lang-portuguese.php

If called the module Reviews with portuguese language, it returns the
way from the archive in the server.
(http://localhost/nuke76/modules.php?name=Reviews&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Reviews/language/lang-portuguese.php on line 89

---------/modules/Reviews/language/lang-portuguese.php----------------
88: define("_YOURNICK","O seu nome:");
89: define("_RCREATEACCOUNT","<a href="modules.php?name=Your_Account&op=new_user\"><b>Crie</b></a> uma conta");
87: define("_YOURCOMMENT","O seu comentário:");
-----------

###########################
Vuln10

File: /modules/Journal/language/lang-portuguese.php

If called the module Journal with portuguese language, it returns the
way from the archive in the server.
(http://localhost/nuke76/modules.php?name=Journal&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Journal/language/lang-portuguese.php on line 31

---------/modules/Journal/language/lang-portuguese.php----------------
29: define("_ADDJOURNAL","Adicionar uma entrada no diário");
30: define("_ADDENTRY","Adicionar uma nova entrada);
31: define("_YOURLAST20","As suas 20 entradas");
-----------------------

---------------------------------------------------------------------------
How to fix: http://www.project-restart.org
---------------------------------------------------------------------------

TimeLine:
25/04/2005 - php-nuke install into our server (downloaded default 7.6 from phpnuke.org)
26/04/2005 - Luis found the firsts vulns and begin find more
27/04/2005 - Guilherme found many vulns into language files
28/04/2005 - Luis see all language files and found more vulns
29/04/2005 - report sent and vendor contacted

Contact:
---------------------------------------------------------------------------
Luis (22) - luis () project-restart org
Guilherme (GBR) - guilherme () project-restart org
Rodrigo (digão) - rodrigo () project-restart org

Homepage: http://www.project-restart.org/

That God mercy our soul!
(Ps. Sorry our bad english, we are Brazilians boys, =D)
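
Added example (not part of the original post or of PHP-Nuke): a regression check a site owner can run over saved response bodies to confirm that no PHP error message still exposes an absolute server path, covering both the plain-text form quoted in the advisory and PHP's HTML-formatted form. The names find_path_leaks and audit are hypothetical, and the sample bodies are constructed from the "Result" lines above.

```python
import html
import re
from typing import Dict, List, NamedTuple


class Leak(NamedTuple):
    kind: str   # PHP error class, e.g. "Parse error"
    path: str   # absolute filesystem path exposed to the client
    line: int   # source line reported by PHP


_TAGS = re.compile(r"<[^>]+>")
# "<kind>: <message> in <absolute path>.php on line <n>" (Unix or Windows path)
_PHP_ERROR = re.compile(
    r"(Fatal error|Parse error|Warning|Notice):\s+.*?\s+in\s+"
    r"((?:/|[A-Za-z]:\\)\S+?\.php)\s+on line\s+(\d+)",
    re.DOTALL,
)


def find_path_leaks(body: str) -> List[Leak]:
    """Return every PHP error in a response body that discloses a server path."""
    # PHP wraps parts of the message in <b> tags when html_errors is on,
    # so strip markup and decode entities before matching.
    text = html.unescape(_TAGS.sub("", body))
    return [Leak(m.group(1), m.group(2), int(m.group(3)))
            for m in _PHP_ERROR.finditer(text)]


def audit(responses: Dict[str, str]) -> List[str]:
    """Given {url: body}, return the URLs whose body leaks a path, sorted."""
    return sorted(url for url, body in responses.items() if find_path_leaks(body))


# Constructed sample bodies, built from the error text quoted in the advisory.
ROOT = "/home/localhost/public_html/nuke76"
SAMPLES = {
    "/nuke76/includes/ipban.php":
        "Fatal error: Call to a member function on a non-object in "
        + ROOT + "/includes/ipban.php on line 17",
    "/nuke76/modules.php?name=Reviews&newlang=norwegian":
        "<br />\n<b>Parse error</b>:  parse error, unexpected T_STRING in <b>"
        + ROOT + "/modules/Reviews/language/lang-norwegian.php</b> on line <b>53</b><br />",
    "/nuke76/index.php": "<html><body>Welcome</body></html>",
}

if __name__ == "__main__":
    for url in audit(SAMPLES):
        print(url, find_path_leaks(SAMPLES[url]))
```

An empty result from audit() over the URLs listed in the advisory is the expected state once error display is turned off on the server and the broken language files are repaired.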