waraxe-2005-SA040.txt

Date: 25 Feb 2005. Reported by: Janek Vind aka waraxe. Type: packetstorm. Source: packetstormsecurity.com

Full path disclosure and XSS vulnerabilities found in PhpNuke versions 6.x to 7.6.

Code
`  
  
{================================================================================}  
{                              [waraxe-2005-SA#040]                              }  
{================================================================================}  
{                                                                                }  
{            [ Full path disclosure and XSS in PhpNuke 6.x-7.6 ]                 }  
{                                                                                }  
{================================================================================}  
  
  
  
Author: Janek Vind "waraxe"  
Date: 14. February 2005  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-40.html  
  
  
Target software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Php-Nuke is a popular open-source content management system,  
written in PHP by Francisco Burzi. This CMS is used on many  
thousands of websites because it is freeware, easy to install  
and manage, and has a broad set of features.  
  
Homepage: http://phpnuke.org  
  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
A - Full Path Disclosure  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
A1 - full path disclosure in "db/db.php":  
  
http://localhost/nuke75/db/db.php  
  
Fatal error: Cannot instantiate non-existent class:  
sql_db in D:\apache_wwwroot\nuke75\db\db.php  
on line 86  
  
  
A2 - full path disclosure in "mainfile.php":  
  
http://localhost/nuke75/index.php?inside_mod=1  
  
Warning: main(../../config.php): failed to open  
stream:  
No such file or directory in  
D:\apache_wwwroot\nuke75\mainfile.php  
on line 103  
  
Fatal error: main(): Failed opening required  
'../../config.php'   
(include_path='.;c:\php4\pear') in  
D:\apache_wwwroot\nuke75\mainfile.php  
on line 10  
  
  
A3 - full path disclosure in "modules/Downloads/index.php":  
  
http://localhost/nuke75/modules.php?name=Downloads&d_op=menu  
  
error: Call to undefined function: opentable() in  
D:\apache_wwwroot\nuke75\modules\Downloads\index.php  
on line 75  
  
  
  
A4 - full path disclosure in "modules/Web_Links/index.php":  
  
http://localhost/nuke75/modules.php?name=Web_Links&l_op=menu  
  
Fatal error: Call to undefined function: opentable()  
in  
D:\apache_wwwroot\nuke75\modules\Web_Links\index.php  
on line 65  
  
  
  
B - Cross-Site Scripting aka XSS  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
B1 - xss in "/modules/Downloads/index.php":  
  
http://localhost/nuke75/modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=[xss code here]  
  
  
B2 - xss in "/modules/Web_Links/index.php":  
  
http://localhost/nuke75/modules.php?name=Web_Links&l_op=NewLinks&newlinkshowdays=[xss code here]  
  
  
  
How to fix:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
How to fix those bugs -  
http://www.waraxe.us/forums.html  
  
  
Additional resources:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Base64 encoder and decoder -  
http://base64-encoder-online.waraxe.us/  
  
SiteMapper - free php script for phpNuke powered  
websites -  
new version 0.2 available for download -  
http://sitemapper.waraxe.us/  
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greets to icenix, Raido Kerna, g0df4th3r and  
slimjim100!  
Tervitused - Heintz!  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Homepage: http://www.waraxe.us/  
  
---------------------------------- [ EOF ] ------------------------------------  
  
  
  
  
`
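
When auditing a PHP-Nuke site you operate, the error strings in section A and the two parameters in section B can be checked for mechanically. The Python below is an added example, not part of the advisory or of PHP-Nuke; the function names and the sample body and URLs are constructed, and treating the two parameters as 1-4 digit day counts is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# PHP error layout as quoted in the advisory: "<level>: <msg> in <path> on line <n>".
PHP_ERROR = re.compile(
    r"(Fatal error|Parse error|Warning|Notice):\s+.+?\s+in\s+"
    r"((?:[A-Za-z]:\\|/)\S+\.php)\s+on\s+line\s+(\d+)",
    re.DOTALL,  # messages may wrap across lines
)
# Parameters named in section B; treating them as day counts is an assumption.
DAY_PARAMS = ("newdownloadshowdays", "newlinkshowdays")


def leaked_paths(body):
    """Return (level, path, line) for every PHP error message in a response body."""
    text = re.sub(r"<[^>]+>", "", body)  # strip the <b>/<br /> markup of html_errors
    return [(m.group(1), m.group(2), int(m.group(3))) for m in PHP_ERROR.finditer(text)]


def non_numeric_day_params(url):
    """Return {param: value} for day-count parameters whose value is not 1-4 digits."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        name: value
        for name in DAY_PARAMS
        for value in query.get(name, [])
        if not re.fullmatch(r"[0-9]{1,4}", value)
    }


# Constructed samples: a response body shaped like A1, and two request URLs.
SAMPLE_BODY = (
    r"<br /><b>Fatal error</b>:  Cannot instantiate non-existent class:  sql_db in "
    r"<b>D:\apache_wwwroot\nuke75\db\db.php</b> on line <b>86</b><br />"
)
SAMPLE_URLS = [
    "http://localhost/nuke75/modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=7",
    "http://localhost/nuke75/modules.php?name=Web_Links&l_op=NewLinks&newlinkshowdays=%3Cb%3Etest",
]

if __name__ == "__main__":
    print(leaked_paths(SAMPLE_BODY))
    for url in SAMPLE_URLS:
        print(url, non_numeric_day_params(url))
```

A non-empty result from `leaked_paths` means the server is printing PHP errors to visitors; a non-empty result from `non_numeric_day_params` marks a request worth reviewing in the access log.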
