IT Security and Insecurity Portal

[waraxe-2004-SA#032] - Multiple security flaws in PhpNuke

Posted: Fri Jun 11, 2004 10:32 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

This advisory can be found here:
http://www.waraxe.us/?modname=sa&id=032
 
Now, let's move on to fixing the nuke. As seen from the advisory, the affected modules are "FAQ", "Reviews" and "Encyclopedia". Let's start with "FAQ".

Open "/modules/FAQ/index.php" and find this (~ line 36):

Code:
function ShowFaq($id_cat, $categories) {
    global $bgcolor2, $sitename, $prefix, $db, $module_name;
    OpenTable();

Now add the sanitizing code, so it will be:

Code:
function ShowFaq($id_cat, $categories) {
    global $bgcolor2, $sitename, $prefix, $db, $module_name;
    $categories = htmlentities($categories);
    OpenTable();

 
That's all for the "FAQ" module. The next part is dedicated to the "Encyclopedia" module.
Open "/modules/Encyclopedia/index.php" and find this code (~line 86):

Code:
function terms($eid, $ltr) {
    global $module_name, $prefix, $sitename, $db, $admin;
    $sql = "SELECT active FROM ".$prefix."_encyclopedia WHERE eid='$eid'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $active = $row[active];

 
Now add the sanitizing code, so the result will be:

Code:
function terms($eid, $ltr) {
    global $module_name, $prefix, $sitename, $db, $admin;
    $eid = intval($eid);
    $ltr = substr($ltr,0,1);
    if(ereg("[^a-zA-Z]",$ltr))
    {
        die('Invalid letter specified!');
    }
    $sql = "SELECT active FROM ".$prefix."_encyclopedia WHERE eid='$eid'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $active = $row[active];

 
Next, in the same file, find code like this (~line 155):

Code:
if (isset($query)) {
    $contentpages[$arrayelement] = eregi_replace($query,"<b>$query</b>",$contentpages[$arrayelement]);
    $fromsearch = "&query=$query";
} else {
    $fromsearch = "";
}

 
Add the sanitizing code, so it will look like:

Code:
if (isset($query)) {
    $query = htmlentities($query);
    $contentpages[$arrayelement] = eregi_replace($query,"<b>$query</b>",$contentpages[$arrayelement]);
    $fromsearch = "&query=$query";
} else {
    $fromsearch = "";
}

 
Next, open the file "/modules/Encyclopedia/search.php" and find this code at the very beginning of the file:

Code:
require_once("mainfile.php");
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
include("header.php");
global $db, $prefix;
if ((isset($query) AND !isset($eid)) AND ($query != "")) {
    $query = check_html($query, nohtml);

 
Add the sanitizing code, so it will look like:

Code:
require_once("mainfile.php");
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
include("header.php");
global $db, $prefix;
if(isset($eid)) $eid = intval($eid);
if ((isset($query) AND !isset($eid)) AND ($query != "")) {
    $query = check_html($query, nohtml);

 
That's all for the "Encyclopedia" module. Finally, let's fix the "Reviews" module!

Open file "/modules/Reviews/index.php" and find this (~line 165):

Code:
function preview_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage) {
    global $admin, $multilingual, $module_name;
    if (eregi("<!--pagebreak-->", $text)) {
        $text = ereg_replace("<!--pagebreak-->","<!--pagebreak-->",$text);
    }
    $title = stripslashes(check_html($title, "nohtml"));
    $text = stripslashes(check_html($text, ""));
    $reviewer = stripslashes(check_html($reviewer, "nohtml"));
    $url_title = stripslashes(check_html($url_title, "nohtml"));
    include ('header.php');
    OpenTable();

 
Now add the sanitizing code, so the result will be:

Code:
function preview_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage) {
    global $admin, $multilingual, $module_name;
    if (eregi("<!--pagebreak-->", $text)) {
        $text = ereg_replace("<!--pagebreak-->","<!--pagebreak-->",$text);
    }
    $title = stripslashes(check_html($title, "nohtml"));
    $text = stripslashes(check_html($text, ""));
    $reviewer = stripslashes(check_html($reviewer, "nohtml"));
    $url_title = stripslashes(check_html($url_title, "nohtml"));
    $cover = stripslashes(check_html($cover, "nohtml"));
    $url = stripslashes(check_html($url, "nohtml"));
    $rlanguage = stripslashes(check_html($rlanguage, "nohtml"));
    $hits = intval($hits);
    $score = intval($score);
    include ('header.php');
    OpenTable();

 
Next, from the same file, find this code fragment (~line 215):

Code:
if ($error == 1)
    echo "<br>"._GOBACK."";
else
{
    if ($date == "")
        $date = date("Y-m-d", time());
    $year2 = substr($date,0,4);
    $month = substr($date,5,2);
    $day = substr($date,8,2);
    $fdate = date("F jS Y",mktime (0,0,0,$month,$day,$year2));

 
And comment out or delete one line, so the result will be:

Code:
if ($error == 1)
    echo "<br>"._GOBACK."";
else
{
    //if ($date == "")
    $date = date("Y-m-d", time());
    $year2 = substr($date,0,4);
    $month = substr($date,5,2);
    $day = substr($date,8,2);
    $fdate = date("F jS Y",mktime (0,0,0,$month,$day,$year2));

 
Now, from the same file, find this code (~line 353):

Code:
function reviews($letter, $field, $order) {
    global $bgcolor4, $sitename, $prefix, $multilingual, $currentlang, $db, $module_name;
    include ('header.php');
    if ($multilingual == 1) {
        $querylang = "AND rlanguage='$currentlang'";
    } else {
        $querylang = "";
    }
    OpenTable();

 
and add the sanitizing code, so the result will be:

Code:
function reviews($letter, $field, $order) {
    global $bgcolor4, $sitename, $prefix, $multilingual, $currentlang, $db, $module_name;
    include ('header.php');
    if ($multilingual == 1) {
        $querylang = "AND rlanguage='$currentlang'";
    } else {
        $querylang = "";
    }
    if($order != 'DESC')
    {
        $order = 'ASC';
    }
    OpenTable();

 
Now, from the same file, find this code (~line 275):

Code:
function send_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage) {
    global $admin, $EditedMessage, $prefix, $db, $module_name;
    include ('header.php');
    if (eregi("<!--pagebreak-->", $text)) {
        $text = ereg_replace("<!--pagebreak-->","<!--pagebreak-->;",$text);
    }
    $id = intval($id);
    $title = stripslashes(FixQuotes(check_html($title, "nohtml")));
    $text = stripslashes(Fixquotes(urldecode(check_html($text, ""))));
    if (eregi("<!--pagebreak-->", $text)) {
        $text = ereg_replace("<!--pagebreak-->","<!--pagebreak-->",$text);
    }
    OpenTable();
    echo "<br><center>"._RTHANKS."";
    $id = intval($id);
    if ($id != 0)
        echo " "._MODIFICATION."";

 
This code needs major modifications, so finally it will be:

Code:
function send_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage) {
    global $admin, $EditedMessage, $prefix, $db, $module_name;
    include ('header.php');
    if (eregi("<!--pagebreak-->", $text)) {
        $text = ereg_replace("<!--pagebreak-->","<!--pagebreak-->;",$text);
    }
    $id = intval($id);
    $title = stripslashes(FixQuotes(check_html($title, "nohtml")));
    $text = stripslashes(Fixquotes(check_html(urldecode($text),'')));
    if (eregi("<!--pagebreak-->", $text)) {
        $text = ereg_replace("<!--pagebreak-->","<!--pagebreak-->",$text);
    }
    $date = date("Y-m-d", time());
    $reviewer = htmlentities($reviewer);
    $email = htmlentities($email);
    $cover = htmlentities($cover);
    $url = htmlentities($url);
    $url_title = htmlentities($url_title);
    $rlanguage = htmlentities($rlanguage);
    $hits = intval($hits);
    $score = intval($score);
    if(($score < 1) || ($score > 10))
    {
        die('Invalid score, script halted!');
    }
    OpenTable();
    echo "<br><center>"._RTHANKS."";
    if ($id != 0)
        echo " "._MODIFICATION."";

 
OK, let's move further. From the same file, find this code (~line 501):

Code:
function savecomment($xanonpost, $uname, $id, $score, $comments) {
    global $anonymous, $user, $cookie, $prefix, $db, $module_name;
    if ($xanonpost) {
        $uname = $anonymous;
    }
    $comments = stripslashes(FixQuotes(check_html($comments)));
    $id = intval($id);
    $score = intval($score);
    $db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");

 
Let's add the sanitizing code, so we will get:

Code:
function savecomment($xanonpost, $uname, $id, $score, $comments) {
    global $anonymous, $user, $cookie, $prefix, $db, $module_name;
    $uname = htmlentities($uname);
    if ($xanonpost) {
        $uname = $anonymous;
    }
    $comments = stripslashes(FixQuotes(check_html($comments)));
    $id = intval($id);
    $score = intval($score);
    if(($score < 1) || ($score > 10))
    {
        die('Invalid score, script halted!');
    }
    $db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");

 
Huh, that's all for this advisory.
Stay tuned and wait for more advisories.

Last edited by waraxe on Sat Apr 16, 2005 2:50 pm; edited 5 times in total

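The fixes in the post all come down to a few patterns: intval() coercion, a one-letter whitelist for $ltr, a 1..10 range check on $score, an ASC/DESC whitelist for $order, and htmlentities() on anything echoed back. The block below is an added example, not PhpNuke or waraxe code, that collects those patterns into helpers (the function names and the allowed column names are my own) and goes one step beyond the thread by whitelisting the ORDER BY column as well; it also passes ENT_QUOTES explicitly, because the htmlentities() default of the day left single quotes unencoded.

```php
<?php
// Added example (not PhpNuke or waraxe code): the sanitizing patterns from the
// fixes above, collected into helpers. The function names are my own.
// Integer coercion, as applied to $eid, $id, $hits and $score.
function clean_int($v) { return intval($v); }

// Encyclopedia $ltr: first character only, and it must be an ASCII letter.
// ereg() no longer exists in current PHP, so preg_match() does the same test.
function clean_letter($v) {
    $c = substr((string)$v, 0, 1);
    return ($c !== '' && !preg_match('/[^a-zA-Z]/', $c)) ? $c : null;
}

// Reviews $score: intval(), then the 1..10 range check from the fix.
function clean_score($v) {
    $s = intval($v);
    return ($s >= 1 && $s <= 10) ? $s : null;
}

// Reviews $order: a sort direction cannot be a bound parameter, so it is
// whitelisted, as in the fix. Generalised here to the column name as well,
// since anything spliced into ORDER BY unquoted needs the same treatment.
function clean_order_by($field, $order, array $allowed_fields) {
    $field = in_array($field, $allowed_fields, true) ? $field : $allowed_fields[0];
    $order = ($order === 'DESC') ? 'DESC' : 'ASC';
    return "ORDER BY $field $order";
}

// htmlentities() as used for $categories, $query, $reviewer and friends.
// Before PHP 8.1 its default flags left single quotes alone, so a value that
// lands inside a single-quoted attribute needs ENT_QUOTES; pass it explicitly.
function clean_html($v) { return htmlentities((string)$v, ENT_QUOTES, 'UTF-8'); }

// PhpNuke globalizes GET, POST and COOKIE alike, so the checks must not
// depend on which of them carried a value: run them on the merged array.
function clean_request(array $gpc) {
    return array(
        'eid'      => isset($gpc['eid'])   ? clean_int($gpc['eid'])     : 0,
        'ltr'      => isset($gpc['ltr'])   ? clean_letter($gpc['ltr'])  : null,
        'score'    => isset($gpc['score']) ? clean_score($gpc['score']) : null,
        'order_by' => clean_order_by(isset($gpc['field']) ? $gpc['field'] : '',
                                     isset($gpc['order']) ? $gpc['order'] : '',
                                     array('title', 'date', 'hits')), // assumed columns
        'query'    => isset($gpc['query']) ? clean_html($gpc['query'])  : '',
    );
}

// Constructed sample values standing in for a merged GET/POST/COOKIE array.
$clean = clean_request(array(
    'eid' => '12abc', 'ltr' => 'a1', 'score' => '11',
    'field' => 'nonsense', 'order' => 'desc', 'query' => "it's <b>bold</b>",
));
assert($clean['eid'] === 12 && $clean['ltr'] === 'a' && $clean['score'] === null);
assert($clean['order_by'] === 'ORDER BY title ASC');
assert($clean['query'] === 'it&#039;s &lt;b&gt;bold&lt;/b&gt;');
```

Run it with `php` on the command line; the unknown column and the lowercase direction both fall back to the safe defaults, and the out-of-range score is rejected rather than coerced.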
 
Posted: Fri Jun 11, 2004 10:34 pm
SteX | Advanced user | Joined: May 18, 2004 | Posts: 181 | Location: Serbia

So many security flaws, so little time..

_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------

Posted: Fri Jun 11, 2004 10:36 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

Yep, "information quantity is killin' me" - I wanted to say

Posted: Fri Jun 11, 2004 10:49 pm
SteX | Advanced user | Joined: May 18, 2004 | Posts: 181 | Location: Serbia

Now I will test these exploits on some sites.. It seems that PHP-Nuke has many, many undiscovered flaws..

BTW: I hate this message in XSS: "The html tags you attempted to use are not allowed"..Tou..

Posted: Fri Jun 11, 2004 11:00 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

It's phpnuke's generic anti-XSS filter, located in "mainfile.php" ... It will trigger on GET requests, but will not react to POST and COOKIE variables.

Posted: Fri Jun 11, 2004 11:06 pm
SteX | Advanced user | Joined: May 18, 2004 | Posts: 181 | Location: Serbia

I know that.. I have one stupid question.
Can I somehow see the MD5 hash with POST variables..

Posted: Fri Jun 11, 2004 11:12 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

If phpnuke has all critical patches applied, then getting the md5 hash is possible when you use some unpublished bugs/weak add-on modules/etc. And in the case of phpnuke there is no difference in how you deliver malicious variables: GET, POST or COOKIE. Because phpnuke will globalize all the GPC variables, and it's very handy for all attackers, I think.

Posted: Fri Jun 11, 2004 11:18 pm
SteX | Advanced user | Joined: May 18, 2004 | Posts: 181 | Location: Serbia

Thanks waraxe.. I am going to sleep now.. All the best..

Posted: Fri Jun 11, 2004 11:19 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

See ya!

Posted: Sat Jun 12, 2004 2:45 pm
Tank863 | Regular user | Joined: May 18, 2004 | Posts: 5

What is the change in this coding from above? To me, it appears to be the same...

Open file "/modules/Reviews/index.php" and find this (~line 165):

Code:
function preview_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage) {
    global $admin, $multilingual, $module_name;
    if (eregi("<!--pagebreak-->", $text)) {
        $text = ereg_replace("<!--pagebreak-->","<!--pagebreak-->",$text);
    }
    $title = stripslashes(check_html($title, "nohtml"));
    $text = stripslashes(check_html($text, ""));
    $reviewer = stripslashes(check_html($reviewer, "nohtml"));
    $url_title = stripslashes(check_html($url_title, "nohtml"));
    include ('header.php');
    OpenTable();

Now add sanitize code, so result will be as:

Code:
function preview_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage) {
    global $admin, $multilingual, $module_name;
    if (eregi("<!--pagebreak-->", $text)) {
        $text = ereg_replace("<!--pagebreak-->","<!--pagebreak-->",$text);
    }
    $title = stripslashes(check_html($title, "nohtml"));
    $text = stripslashes(check_html($text, ""));
    $reviewer = stripslashes(check_html($reviewer, "nohtml"));
    $url_title = stripslashes(check_html($url_title, "nohtml"));
    include ('header.php');
    OpenTable();

Tank863

PS: Thank you for the rest of the updates... anything that will make PHP-Nuke more secure is always appreciated.

 
	|  |  |  |  
	| 
	
		|  Posted: Sat Jun 12, 2004 2:58 pm |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| waraxe |  | Site admin |  |  
  |  |  |  | Joined: May 11, 2004 |  | Posts: 2407 |  | Location: Estonia, Tartu |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| Yep, that was my mistake and i corrected it for now. If you see more bugs, please let me know, coz i have very busy and this rush will induct bugs...
 By the way - next advisory and fixes will be publicly available within next ~3 days, so stay tuned.
  |  |  
		|  |  |  
	|  |  
Posted: Sat Jun 12, 2004 3:05 pm
Tank863 | Regular user | Joined: May 18, 2004 | Posts: 5

That has to be one of the fastest responses that I have ever received...
Great job...

Tank863

Posted: Sat Jun 12, 2004 9:12 pm
SteX | Advanced user | Joined: May 18, 2004 | Posts: 181 | Location: Serbia

Quote:
    By the way - the next advisory and fixes will be publicly available within the next ~3 days, so stay tuned.

Do you ever sleep..

Posted: Sun Jun 13, 2004 2:48 am
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

SteX wrote:
    Quote:
        By the way - the next advisory and fixes will be publicly available within the next ~3 days, so stay tuned.

    Do you ever sleep..

Well, I sleep ~7...8 hours, more than normally
But in the night I will see dreams about xss, etc

Posted: Fri Jun 25, 2004 3:12 pm
Spacebom | Regular user | Joined: May 20, 2004 | Posts: 6 | Location: Valladolid - Spain

waraxe wrote:
    But in the night I will see dreams about xss, etc

jajajajaajajaj
