[Full-Disclosure] [waraxe-2005-SA#040] - Full path disclosure and XSS in PhpNuke 6.x-7.6

2005-02-15T00:00:00
ID SECURITYVULNS:DOC:7827
Type securityvulns
Reporter Securityvulns
Modified 2005-02-15T00:00:00

Description

{================================================================================} { [waraxe-2005-SA#040]
} {================================================================================} {
} { [ Full path disclosure and XSS in PhpNuke 6.x-7.6 ] } {
} {================================================================================}

Author: Janek Vind "waraxe" Date: 14. February 2005 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-40.html

Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular opensource content management system, written in php by Francisco Burzi. This CMS is used on many thousands websites, because it's freeware, easy to install and manage and has broad set of features.

Homepage: http://phpnuke.org

Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A - Full Path Disclosure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A1 - full path disclosure in "db/db.php":

http://localhost/nuke75/db/db.php

Fatal error: Cannot instantiate non-existent class: sql_db in D:\apache_wwwroot\nuke75\db\db.php on line 86

A2 - full path disclosure in "mainfile.php":

http://localhost/nuke75/index.php?inside_mod=1

Warning: main(../../config.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke75\mainfile.php on line 103

Fatal error: main(): Failed opening required '../../config.php' (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke75\mainfile.php on line 10

A3 - full path disclosure in "modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=menu

error: Call to undefined function: opentable() in D:\apache_wwwroot\nuke75\modules\Downloads\index.php on line 75

A4 - full path disclosure in "modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=menu

Fatal error: Call to undefined function: opentable() in D:\apache_wwwroot\nuke75\modules\Web_Links\index.php on line 65

B - Cross-Site Scripting aka XSS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

B1 - xss in "/modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=NewDownloads &newdownloadshowdays=[xss code here]

B2 - xss in "/modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=NewLinks &newlinkshowdays=[xss code here]

How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How to fix those bugs - http://www.waraxe.us/forums.html

Additional resources: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Base64 encoder and decoder - http://base64-encoder-online.waraxe.us/

SiteMapper - free php script for phpNuke powered websites - new version 0.2 available for download - http://sitemapper.waraxe.us/

Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to icenix, Raido Kerna, g0df4th3r and slimjim100! Tervitused - Heintz!

Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ]


Do you Yahoo!? Yahoo! Mail - Easier than ever with enhanced search. Learn more. http://info.mail.yahoo.com/mail_250


Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html