Home page logo
/

bugtraq logo Bugtraq mailing list archives

PHP-Nuke code injection in Yearly Stats at Statistics module
From: Lorenzo Manuel Hernandez Garcia-Hierro <security () lorenzohgh com>
Date: 17 May 2003 10:33:39 -0000



-------
Product: PHP-Nuke
Vendor: Francisco Burci
Versions Vulnerable: 
6.0 without patches , 
6.0 with index.php and mainfile.php patches. 
5.5 with patches ( all resting script tags)
No vulnerable: 
6.0 with mainfile.php patch for block url tags inclusions ( not all ).
5.5 with script tags but with the other all.
------
DESCRIPTION:
------
i'm working now in nuke based portals , searching modules that use an URL 
based query i found in the Statistics module some bugs:
when you put a string in the url behind the &year variable the module 
prints you the character that you put.
i probe iframe and works , script tags works , object works,applet 
works,meta works,style works,form works too,img works,comments and ssi 
works.
--------
SOLUTION:
--------
Put this code in your mainfile.php :
/*
foreach ($HTTP_GET_VARS as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        die ("Oh! .");
    }
}
*/
NOTE: Remove comment /* and */.
-----
WHAT CAN BE HAPPEN?
-----
Script and binary objects inclusion. Normally it isn't a problem but 
there are many viruses written in vbscript and javascript/JS . Iframe can 
be used for a link that an user visits and there is and attack to the 
user trough known iframe vulns.
With the code that i provide your'e sure by this little bug.
-----
CONTACT INFO :
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--www.novappc.com --
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************


  By Date           By Thread  

Current thread:
  • PHP-Nuke code injection in Yearly Stats at Statistics module Lorenzo Manuel Hernandez Garcia-Hierro (May 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]