Multiple Full Path Disclosure in php-nuke 7.6 (and below)

2005-04-30T00:00:00
ID SECURITYVULNS:DOC:8503
Type securityvulns
Reporter Securityvulns
Modified 2005-04-30T00:00:00

Description


Author: project-restart
Date: 27. April 2005
Location: Brazil
Web: http://www.project-restart.org/
Target: PHP-nuke 7.6 (and below)


Target software description: Php-Nuke is a popular open-source content management system, written in PHP by Francisco Burzi. This CMS is used on many thousands of websites because it is freeware (7.7 is not ¬¬), easy to install and manage, and has a broad set of features.

Homepage: http://phpnuke.org

Vulnerabilities found by luis <luis@project-restart.org>

##################### Vuln1

File: includes/ipban.php (http://localhost/nuke76/includes/ipban.php)

-----------/includes/ipban.php--------------
15: global $prefix, $db;
16: $ip = $_SERVER["REMOTE_ADDR"];
17: $numrow = $db->sql_numrows($db->sql_query("SELECT id FROM ".$prefix."_banned_ip WHERE ip_address='$ip'"));
18: if ($numrow != 0) {
19: echo "<br><br><center><img src='images\admin\ipban.gif'><br><br><b>You has been banned by the administrator</b></center>";
20: die();
21: }
--------------------------------------------

Result: Fatal error: Call to a member function on a non-object in /home/localhost/public_html/nuke76/includes/ipban.php on line 17

##################### Vuln2

File: db/db.php (http://localhost/nuke76/db/db.php)

--------/db/db.php------------
49:switch($dbtype) {
50: case 'MySQL':
51: include("".$the_include."/mysql.php");#
52: break;
(...)
85: $db = new sql_db($dbhost, $dbuname, $dbpass, $dbname, false);
86: if(!$db->db_connect_id) {#
87: die("<br><br><center><img src=images/logo.gif><br><br><b>There seems to be a problem with the MySQL server, sorry for the inconvenience.<br><br>We should be back shortly.</center></b>");
88: }
-----------------------------

Result: Fatal error: Cannot instantiate non-existent class: sql_db in /home/localhost/public_html/nuke76/db/db.php on line 86

##################### Vuln3

File: /modules/Reviews/language/lang-norwegian.php (http://localhost/nuke76/modules.php?name=Reviews&newlang=norwegian)

--------/modules/Reviews/language/lang-norwegian.php--------------
52: define("_INVALIDTEXT","Feil i anmeldelsestekst... Feltet kan ikke være tomt\");
53: define("_INVALIDHITS","Treff må være en positiv integer");
-----------------------------------------------------------------

Result: Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Reviews/language/lang-norwegian.php on line 53

#################### Vuln4

File: /modules/Downloads/language/lang-greek.php (http://localhost/nuke76/modules.php?name=Downloads&newlang=greek)

-------/modules/Downloads/language/lang-greek.php-----------
176: A-# define("_FILESIZE","A?AќA?A?A?A?A? A?A±A·A?AYA?Aµ");
177: A-# define("_VERSION","A?A?A¤A?A?A§");
178: K-# define("_UDOWNLOADS","AЃA­A?A?A?AzA?A?A(c)A?");
179: A-# define("_HOMEPAGE","ASA?A­A?A±A(c)A?Az A"A?A«AYA¤A? ");
------------------------------------------------------------

Is this meant to be a comment?!

Result: Parse error: parse error, unexpected ';' in /home/localhost/public_html/nuke76/modules/Downloads/language/lang-greek.php on line 181

################### Vuln 5

File: /modules/Downloads/language/lang-indonesian.php (http://localhost/nuke76/modules.php?name=Downloads&newlang=indonesian)

------/modules/Downloads/language/lang-indonesian.php----
59: define("_DOWNLOADSNOTUSER8","<a href=\"modules.php?name=Your_Account&">Daftar di sini</a>");
60: define("_DOWNLOADALREADYEXT","ERROR: Alamat URL sudah ada dalam database!");
---------------------------------------------------------

Result: Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Downloads/language/lang-indonesian.php on line 59


(more)

Vulnerabilities found by guilherme <guilherme@project-restart.org>

##################### Vuln6

File: /modules/Web_Links/language/lang-portuguese.php

When the Web_Links module is called with the Portuguese language, it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Web_Links&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Web_Links/language/lang-portuguese.php on line 171

---------/modules/Web_Links/language/lang-portuguese.php----------------

169: define("_REMOTEFORM","Forma de Avaliacao a Distancia");
170: define("_PROMOTE04","Se voce nos enganar, nos removeremos seu link. Temos dito isto, aqui como uma forma de avaliacao remota e
171: define("_VOTE4THISSITE","Vote neste Site!");
172: define("_LINKVOTE","Vote!");


##################### Vuln7

File: /modules/Web_Links/language/lang-indonesian.php

When the Web_Links module is called with the Indonesian language, it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Web_Links&newlang=indonesian)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Web_Links/language/lang-indonesian.php on line 170

---------/modules/Web_Links/language/lang-indonesian.php----------------

169: define("_LOOKTOREQUEST","Kami akan memeriksa laporan anda.");
170: define("_ONLYREGUSERSMODIFY","Hanya member yang bisa meminta modifikasi link. Silakan daftar atau login <a href=\"/modules.php?name=Your_Account&">di sini</a>.");
171: define("_REQUESTLINKMOD","Permohonan Modifikasi Link Situs");


##################### Vuln8

File: /modules/Surveys/language/lang-indonesian.php

When the Surveys module is called with the Indonesian language, it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Surveys&newlang=indonesian)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Surveys/language/lang-indonesian.php on line 40

---------/modules/Surveys/language/lang-indonesian.php----------------
39: define("_NOSUBJECT","Tanpa Subjek");
40: define("_NOANONCOMMENTS","Anda tidak dibolehkan mengirim komentar, silakan daftar <a href=\"modules.php?name=Your_Account&">di sini</a>");
41: define("_PARENT","Setingkat ke atas");
------------------------------

##################### Vuln9

File: /modules/Reviews/language/lang-portuguese.php

When the Reviews module is called with the Portuguese language, it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Reviews&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Reviews/language/lang-portuguese.php on line 89

---------/modules/Reviews/language/lang-portuguese.php----------------
88: define("_YOURNICK","O seu nome:");
89: define("_RCREATEACCOUNT","<a href="modules.php?name=Your_Account&op=new_user\"><b>Crie</b></a> uma conta");
87: define("_YOURCOMMENT","O seu comentario:");
-----------

##################### Vuln10

File: /modules/Journal/language/lang-portuguese.php

When the Journal module is called with the Portuguese language, it returns the path of the file on the server.

(http://localhost/nuke76/modules.php?name=Journal&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Journal/language/lang-portuguese.php on line 31

---------/modules/Journal/language/lang-portuguese.php----------------
29: define("_ADDJOURNAL","Adicionar uma entrada no diario");
30: define("_ADDENTRY","Adicionar uma nova entrada);
31: define("_YOURLAST20","As suas 20 entradas");
-----------------------
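To check your own install for the leaks listed above, the following added example (not part of the original advisory or of PHP-Nuke) scans captured response bodies for PHP error messages that carry a filesystem path. The function names and the sample responses are assumptions constructed for illustration; the error text is copied from the Result lines above.

```python
import posixpath
import re

# PHP renders errors either as plain text or with <b> tags around the level,
# path and line number. Tags are stripped first so both forms match.
TAG = re.compile(r"<[^>]+>")
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice):\s+"
    r"(?P<message>.*?)\s+in\s+(?P<path>/\S+?\.php)\s+on line\s+(?P<line>\d+)"
)

def find_disclosures(body):
    """Return one dict per PHP error message that leaks a server path."""
    text = TAG.sub("", body)
    return [
        {"level": m["level"], "message": m["message"],
         "path": m["path"], "line": int(m["line"])}
        for m in PHP_ERROR.finditer(text)
    ]

def leaked_root(findings):
    """Longest directory shared by all leaked paths (the exposed install root)."""
    paths = [f["path"] for f in findings]
    return posixpath.commonpath(paths) if paths else None

def audit(responses):
    """Map each URL to its findings, dropping responses that leak nothing."""
    report = {url: find_disclosures(body) for url, body in responses.items()}
    return {url: hits for url, hits in report.items() if hits}

# Constructed sample responses (URL -> body), modelled on Vuln1 and Vuln10.
SAMPLES = {
    "/includes/ipban.php": "<br />\n<b>Fatal error</b>:  Call to a member function on a "
        "non-object in <b>/home/localhost/public_html/nuke76/includes/ipban.php</b> "
        "on line <b>17</b><br />",
    "/modules.php?name=Journal&newlang=portuguese": "Parse error: parse error, unexpected "
        "T_STRING in /home/localhost/public_html/nuke76/modules/Journal/language/"
        "lang-portuguese.php on line 31",
    "/index.php": "<html><body>Welcome</body></html>",
}

if __name__ == "__main__":
    report = audit(SAMPLES)
    for url, hits in report.items():
        for h in hits:
            print(f"{url}: {h['level']} leaks {h['path']}:{h['line']}")
    print("leaked root:", leaked_root([h for hits in report.values() for h in hits]))
```

Any hit means the server is rendering PHP errors to clients; with `display_errors` off and `log_errors` on, the same faults are written to the server log instead of the response.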


How to fix: http://www.project-restart.org


TimeLine:
25/04/2005 - php-nuke installed on our server (default 7.6 downloaded from phpnuke.org)
26/04/2005 - Luis found the first vulns and began looking for more
27/04/2005 - Guilherme found many vulns in the language files
28/04/2005 - Luis went through all the language files and found more vulns
29/04/2005 - report sent and vendor contacted

Contact:

Luis (22) - luis@project-restart.org
Guilherme (GBR) - guilherme@project-restart.org
Rodrigo (digao) - rodrigo@project-restart.org

Homepage: http://www.project-restart.org/

May God have mercy on our souls!

(P.S. Sorry for our bad English, we are Brazilian boys, =D)