Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

PHP-Nuke code execution and XSS vulnerabilities
From: Ulf Harnhammar <ulfh () update uu se>
Date: Mon, 16 Dec 2002 16:36:02 +0100 (CET)

PHP-Nuke code execution and XSS vulnerabilities


PROGRAM: PHP-Nuke
VENDOR: Fransisco Burzi et al.
HOMEPAGE: http://phpnuke.org/
VULNERABLE VERSIONS: 6.0 (the only supported version)
IMMUNE VERSIONS: 6.0 with my patch applied
LOGIN REQUIRED: no


DESCRIPTION:

"PHP-Nuke is a Web portal and online community system which
includes Web-based administration, surveys, access statistics,
user customizable boxes, a themes manager for registered users,
friendly administration GUI with graphic topic manager, the
ability to edit or delete stories, an option to delete comments,
a moderation system, referer tracking, integrated banner ad system,
search engine, backend/headlines generation (RSS/RDF format), Web
directory like Yahoo, events manager, and support for 20+ languages."

(direct quote from the program's project page at Freshmeat)

PHP-Nuke is published under the terms of the GNU General Public
License. It is a very popular program with lots and lots of
installations. It is included as one of the packages in Debian
GNU/Linux and one of FreeBSD's ports.

Despite all this, the program has a bad reputation regarding
security matters.


SUMMARY:

PHP-Nuke has a module that implements a web mail system. When a
user reads an e-mail message with an attached file, the file in
question is stored in a web accessible directory under its normal
file name. Files with active web content, such as CGI or PHP scripts,
are handled the same way.

The module also has a cross-site scripting hole. Either problem
is serious in its own right, but when we combine them, we end up
with something very serious: an e-mail message that automatically
executes an attached PHP script when someone opens it!


TECHNICAL DETAILS:

As stated above, PHP-Nuke has got a web mail system, and it stores
attachments under their real file names in a directory where anyone
can surf to them.

There is nothing in the code that stops active content, such as
PHP scripts, from being stored in that directory. There is also no
warning against this in the program's documentation. As a result, any
attacker can execute any PHP script on the web server. The attacker
first sends the script as an attachment to any user who will read
that message in PHP-Nuke's web mail system. The attacker then waits
for the user to open the message, and finally the attacker just
surfs to a predictable WWW location. The user doesn't even have to
open the attachment, just the mail that it comes in.

As a bonus, the web mail system also has a Cross-Site Scripting
vulnerability. It doesn't remove <script> tags in HTML based e-mail
messages.

When we combine the two vulnerabilities, we find that it is possible
to construct an e-mail message that will automatically execute an
attached PHP script when an unsuspecting user opens that message!

This is very bad, as PHP scripts can access files, databases and
network resources. They can for instance store a C program in some
temporary location, compile it and execute it.

To make things even worse, the availability of anonymous remailers
and the fact that the PHP script will be accessed from the victim's
IP number and not the attacker's makes the attacker pretty anonymous.


COMMUNICATION WITH VENDOR:

I didn't contact the vendor, as Fransisco has a very bad track
record when it comes to replying to security reports.


MY "SECURITY HARDENING PACKAGE":

Instead I wrote an unofficial patch for this issue. I have patched
against version 6.0.

The patch stops this particular cross-site scripting problem by
calling the filter_text() function. As Matthew Murphy has shown
us earlier, this function is not particularly secure, so there are
other XSS problems that may be exploited.

The patch also stops PHP-Nuke from storing active web content, with
a long regular expression that only stores explicitly allowed types
of data. If your users receive weird types of data, you may have
to change the regex slightly. It also stops "../../../" traversal
attacks using the attachments' file names.

The patch doesn't address the issue of attached Word documents or
other files being available for anyone to download, if they know
the URL.


MY EXPLOIT:

I have also attached an exploit for this issue, which changes all
administrator passwords on the PHP-Nuke system to "ulf". The attacker
simply sends an HTML mail with the contents of my xss.html file as
the *mail body* and my adminexploit.php file as an attachment. As
soon as the victim opens the mail, the script is executed.


// Ulf Harnhammar
   VSU Security
   ulfh () update uu se


"I saw the worst minds of my generation / getting their political
 information from tabloids / listening to Savage Garden's greatest
 hits / getting married and having kids at 25 just 'cause the
 neighbours did / and building the worst administrative web-based
 members interface ever known to man" (To B.)

Attachment: php-nuke_webmail.zip
Description:


  By Date           By Thread  

Current thread:
  • PHP-Nuke code execution and XSS vulnerabilities Ulf Harnhammar (Dec 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault