OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[SA11625] PHP-Nuke Multiple Vulnerabilities

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Tue May 18 2004 - 10:22:20 CDT

TITLE:
PHP-Nuke Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA11625

VERIFY ADVISORY:
http://secunia.com/advisories/11625/

CRITICAL:
Moderately critical

IMPACT:
Cross Site Scripting, System access

WHERE:
From remote

SOFTWARE:
PHP-Nuke 6.x
PHP-Nuke 7.x

DESCRIPTION:
Janek Vind has reported three vulnerabilities in PHP-Nuke, allowing
malicious people to conduct Cross Site Scripting attacks and
potentially compromise a vulnerable system.

1) User input passed to the "modpath" parameter in "index.php" is not
properly verified before being used to include files. This can be
exploited to include arbitrary scripts and files from local resources
if a customised module file isn't available for the selected theme.

PHP-Nuke checks if a file exists before it is included, which
effectively limits the issue to affect local files on Linux and Unix
based systems. However, on Windows based systems it is possible to
include arbitrary code using paths to network shares.

2) If error messages hasn't been turned off in PHP, the "Web_Links"
module will return error messages if an invalid value is supplied to
the "show" parameter. This can be exploited to reveal the
installation path.

3) Input passed to certain parameters in various modules isn't
properly verified before it is returned to the user. This can be
exploited to execute arbitrary HTML or script code in a user's
browser session in context of an affected site by tricking the user
into visiting a malicious website or follow a specially crafted
link.

Examples:
modules.php?name=News&file=article&sid=1&optionbox=[malicious_code]
modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=[malicious_code]
modules.php?name=Stories_Archive&sa=show_month&year=[malicious_code]&month=05&month_l=May
modules.php?name=Stories_Archive&sa=show_month&year=2004&month=[malicious_code]&month_l=May
modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l=[malicious_code]
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=[malicious_code]&order=0&thold=0
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=[malicious_code]&thold=0
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=[malicious_code]
index.php?foo=bar%20union%20select%20[malicious_code]

The vulnerabilities have been reported in versions 6.x through 7.3.

SOLUTION:
Use another product.

PROVIDED AND/OR DISCOVERED BY:
Janek Vind "waraxe"

ORIGINAL ADVISORY:
http://www.waraxe.us/?modname=sa&id=029
http://www.waraxe.us/?modname=sa&id=030

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------