OSEC

From: Steve (stevesecuresolutions.org)
Date: Fri Aug 03 2001 - 18:59:56 CDT


    From: kill-9@modernhackers.com [mailto:kill-9@modernhackers.com]
    Subject: 3 phpnuke bugs (2 possibly lead to admin privs)

    phpnuke (www.phpnuke.org) is an opensource webpage portal that powers many websites on the net. Version 5.x of phpnuke does not properly check some variables, and is vulnerable to an attack that gives an intruder admin privileges.

    This is only possible if the intruder knows the database name that phpnuke is using, and the webserver must be able to connect to it without a password. Although it is very unlikely that these two circumstances will occur, this is still a bug worth mentioning.

    Versions 5.x of phpnuke include a new feature involving a variable named $prefix:

    < Quote from phpnuke release >
    "All database tables now have the nuke_ prefix to avoid conflicts with other scripts"
    - New $prefix variable in config.php to setup multiple Nuke sites sharing one database"
    </ End Quote >

    The $prefix variable is defined in the config.php file and is set to 'nuke' by default, along with a default database of 'nuke'.

    < Sample default config.php file >
    $dbhost = "localhost";
    $dbuname = "root";
    $dbpass = "";
    $dbname = "nuke";
    $system = 0;
    $prefix = "nuke";
    </ End Sample >

    An attacker can take advantage of this new feature by supplying a certain value for the $prefix variable and creating their own arbitrary SQL query. In the article.php file this is most easily accomplished by bypassing the inclusion of mainfile.php and supplying a value for $sid and $tid.

    (bypassing mainfile.php inclusion is important because mainfile.php itself includes config.php, which has the variable definition for $prefix, and if $prefix is not defined then an attacker can supply her own value)

    < sample code from article.php >
    if(!isset($mainfile)) { include("mainfile.php"); }
    if(!isset($sid) && !isset($tid)) { exit(); }
    </ end sample code>

    The flow of the program will then eventually enter the following SQL query:

    < example query from article.php >
    mysql_query("UPDATE $prefix"._stories." SET counter=counter+1 where sid=$sid");
    </ end example query >

    So the following command will set all admin passwords to '1', given that 'nuke' is the name of the phpnuke database.

    article.php?mainfile=1&sid=1&tid=1&prefix=nuke.authors%20set%20pwd=1%23

    ##############
    Dos possibility

    In addition, I noticed that in file 'modules.php' there exists a possible Denial of Service situation where an attacker could cause the file to recursively include itself (or any php file on the system, because phpnuke does not check for '../') by using the following url:
     
    http://site_name_with_phpnuke/modules.php?op=modload&name=../&file=modules

    Resources were consumed quickly in the tests that were performed.

    ##############
    Another way to get admin

    The fact that any .php file on the system can be included means that if another user has an account on the same machine that phpnuke is running on, he can cause phpnuke to include his .php file (if he chmods it to readable by everyone) and his own arbitrary code will run with the permissions of the phpnuke user. This would lead to easy administrative access of the portal, and access to any of the phpnuke user's files.

    by kill-9@modernhacker.com
    http://www.modernhacker.com