phpnuke80-cookie.txt

2007-03-14T00:00:00
ID PACKETSTORM:55038
Type packetstorm
Reporter Aleksandar aka sale83
Modified 2007-03-14T00:00:00

Description

                                        
                                            `/////////////////////////////////////////////////////////////////////////////////////////////////////  
PHPNuke <= 8.0 Cookie Manipulation (lang)  
  
PROGRAM: PHP-Nuke  
HOMEPAGE: http://phpnuke.org/  
VERSION: All versions
BUG: Cookie Manipulation (lang) (SQL Injection + Local file include)  
AUTHOR: Aleksandar aka sale83  
  
///////////////////////////////////////////////////////////////////////////////////////////////////////  
PHP.ini  
Magic Quotes = OFF   
//////////////////////////////////////////////////////////////////////////////////////////////////////  
PHP-Nuke -> Preferences -> Multilingual Options -> On (Activate Multilingual features? = YES)
/////////////////////////////////////////////////////////////////////////////////////////////////////  
  
The bug is in mainfile.php, line 327.
  
// mainfile.php, line 327: the bug is here. $lang comes straight from the "lang" cookie.
} elseif (isset($lang)) {
    // Unfiltered $lang in the include path: with Multilingual Options = OFF a cookie
    // value such as /../../robots.txt%00 turns this into a local file include.
    include_once("language/lang-".$lang.".php");
    // The same unfiltered value becomes $currentlang, which the Top and News modules
    // put into SQL queries: SQL injection with Multilingual Options = ON.
    $currentlang = $lang;
} else {
  
/////////////////////////////////////////////////////////////////////////////////////////////////  
  
This flaw is due to the "lang" cookie value being used without any filtering: $lang goes straight into the include path and into $currentlang, so it can be exploited by malicious users.
  
  
Tested On:  
Windows XP  
Linux SlackWare 10.2  
PHP Version 5.1.4  
PHPNuke 8.0, 7.9, 7.6
Magic Quotes = OFF  
Firefox 2 + Add N Edit Cookies add-on
  
  
/////////////////////////////////////////////////////////////////////////////////////////////////  
Patch:  
  
} elseif (isset($lang)) {
    // Accept letters only. The check must be anchored (^...$): the original
    // eregi('[A-Za-z]', $lang) only required one letter somewhere in the value,
    // so a traversal string still passed it. eregi itself was removed in PHP 7.
    if (preg_match('/^[A-Za-z]+$/', $lang)) {
        if (file_exists("language/lang-".$lang.".php")) {
            include_once("language/lang-".$lang.".php");
            $currentlang = $lang;
        } else {
            include_once("language/lang-english.php");
            $currentlang = "english";
        }
    } else {
        include_once("language/lang-english.php");
        $currentlang = "english";
    }
} else {
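As an added example (not from the advisory or from PHP-Nuke), the same idea taken one step further: the cookie value is validated and then checked against the language files actually present, so it can only ever select an existing lang-<name>.php. The $langDir location, the function names and the two demo language files are assumptions constructed for the example.

```php
<?php
// Added example, not PHP-Nuke code: allowlist-based replacement for the raw
// include_once("language/lang-".$lang.".php") in mainfile.php. Assumes language
// files live under $langDir as lang-<name>.php; the value is the "lang" cookie.

function availableLanguages(string $langDir): array
{
    // The allowlist is derived from the files that actually exist on disk.
    $names = [];
    foreach (glob($langDir . '/lang-*.php') as $path) {
        $names[] = substr(basename($path, '.php'), strlen('lang-'));
    }
    return $names;
}

function resolveLanguage(string $langDir, ?string $cookie, string $default = 'english'): string
{
    // Lowercase letters only, anchored with \z so a trailing newline cannot
    // slip past. This alone rejects "../../robots.txt%00" and quote payloads;
    // the value that survives is the only thing that may reach SQL later.
    if ($cookie === null || !preg_match('/^[a-z]{1,32}\z/', $cookie)) {
        return $default;
    }
    return in_array($cookie, availableLanguages($langDir), true) ? $cookie : $default;
}

// Constructed demo environment: two language files in a temp directory.
$langDir = sys_get_temp_dir() . '/nuke-lang-demo-' . getmypid();
mkdir($langDir);
file_put_contents("$langDir/lang-english.php", "<?php\n\$greeting = 'Hello';\n");
file_put_contents("$langDir/lang-german.php", "<?php\n\$greeting = 'Hallo';\n");
$cases = [
    ['german',              'german'],   // valid and present
    ['french',              'english'],  // well formed, but no such file
    ["../../robots.txt\0",  'english'],  // traversal + null byte from the advisory
    ["english' OR 1=1",     'english'],  // quote / SQL characters
    [null,                  'english'],  // cookie absent
];
foreach ($cases as [$cookie, $expected]) {
    $got = resolveLanguage($langDir, $cookie);
    printf("%-26s -> %-8s %s\n", json_encode($cookie), $got, $got === $expected ? 'ok' : 'MISMATCH');
}
// Only the allowlisted name is ever used to build the include path.
$currentlang = resolveLanguage($langDir, 'german');
include_once "$langDir/lang-$currentlang.php";
echo "greeting: $greeting\n";
array_map('unlink', glob("$langDir/lang-*.php"));
rmdir($langDir);
```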
  
/////////////////////////////////////////////////////////////////////////////////////////////////  
Best Regards  
Aleksandar  
Programmer and Web Developer  
///////////////////////////////////////////////////////////////////////////////////////////////  