3 phpnuke bugs (2 possibly lead to admin privs)

2001-08-13T00:00:00
ID SECURITYVULNS:DOC:1920
Type securityvulns
Reporter Securityvulns
Modified 2001-08-13T00:00:00

Description

phpnuke (www.phpnuke.org) is an opensource webpage portal powers many websites on the net. Version 5.x of phpnuke does not properly check some variables, and is vulnerable to an attack that gives an intruder admin privileges.

This is only possible if the intruder knows the database name that phpnuke is using, and the webserver must be able to connect to it without a password. Although It is very unlikely that these two circumstances will occur, but this is a bug still worth mentioning.

The versions 5.x of phpnuke include a new feature involving a variable named $prefix:

< Quote from phpnuke release > "All database tables now has the nuke_ prefix to avoid conflicts with other scripts" - New $prefix variable in config.php to setup multiple Nuke sites sharing one database" </ End Quote >

The $prefix variable is defined in the config.php file and is set to 'nuke' by default. Along with a defualt database of 'nuke'.

< Sample default config.php file > $dbhost = "localhost"; $dbuname = "root"; $dbpass = ""; $dbname = "nuke"; $system = 0; $prefix = nuke; </ End Sample >

An attacker can take advantage of this new feature by supplying a certian value for the $prefix variable and creating their own arbitrary sql query. In the article.php file this is most easily accomplished by bypassing the inclusion of the mainfile.php and supplying a value for $sid and $tid.

(bypassing mainfile.php inclusion is important becuase mainfile.php itself includes config.php which has the variable definition for $prefix, and if $prefix is not defined then an attacker can supply her own value)

< sample code from article.php > if(!isset($mainfile)) { include("mainfile.php"); } if(!isset($sid) && !isset($tid)) { exit(); } </ end sample code>

The flow of the program will then eventually enter the following sql query:

< example query from article.php > mysql_query("UPDATE $prefix"._stories." SET counter=counter+1 where sid=$sid"); < / end example query >

So the following command will set all admin passwords to '1'. Given that 'nuke' is the name of the phpnuke database.

article.php? mainfile=1&sid=1&tid=1&prefix=nuke.authors% 20set%20pwd=1%23

Dos possibility

In addition, I noticed that in file 'modules.php' there exists a possible Denial of service situation where an attacker could cause the file to recusively include itself (or any php file on the system, because phpnuke does not check for '../') by using the following url:

http://site_name_with_phpnuke/modules.php? op=modload&name=../&file=modules

Resources were consumed quickly in the tests that were performed.

Another way to get admin

The fact that any .php file on the system can be included, means that if another user has an account on the same machine that phpnuke is running on, he can cause phpnuke to include his .php file ( if he chmod it to readable by everyone ) and his own arbitrary code will run with permissions of the phpnuke user. This would lead to easy administrative access of the portal , and access to any of the phpnuke user's files.

by kill-9@modernhacker.com http://www.modernhacker.com