From: Cabezon Aurélien (aurelien.cabezonisecurelabs.com)
Date: Sat Dec 15 2001 - 19:05:45 CST

    [ Phpnuke module.php vulnerability and PHP error_reporting issue ]
    on 16 december by Cabezon Aurélien | aurelien.cabezoniSecureLabs.com

    As you know, there are many cross site scripting issues in Phpnuke modules
    and other web applications using PHP.

    This cross site scripting issue is caused by:
    [1] a lack of checks on user input in module.php
    [2] PHP not handling error reporting well

    I found my website vulnerable to another cross site scripting
    vulnerability; I thought the problem was in XForum (forum
    module for phpnuke).
    It was, but it was also in the way that PHP reports errors and deals with
    error messages.

    ---Vulnerable line in module.php---
    include("modules/$name/$file.php");
    ---Vulnerable line in module.php---

    Exploit :
    http://host.com/modules.php?op=modload&name=XForum&file=[hostile
    javascript]&fid=2

    Hostile javascript could be: {script}alert(document.cookie);{/script}, which
    displays your cookie.
    Replace {} by <>.

    This crafted URL causes the module.php script to produce a PHP error report
    like this:

    ---php error report---
    Warning: Failed opening 'modules/XForum/.php' for inclusion
    (include_path='') in /home/foo/htdocs/modules.php on line 27
    ---php error report---

    When your browser displays the error report, it parses the hostile
    javascript too...
    I found an easy and fast way to fix this problem and other cross site
    scripting issues regarding module.php and other web applications using PHP:
    just turn off PHP error reporting and wait for a fix from the PHP devel team :)
    The error_reporting function should check for bad inputs.

    Temp fix for phpnuke module.php:

    ---start of module.php---
    error_reporting(0); // Add this line: just turn off error_reporting

    // original file

    switch($op) {

        case "modload":
            if (!isset($mainfile)) { include("mainfile.php"); }
            if (ereg("\.\.",$name) || ereg("\.\.",$file)) {
                echo "You are so cool";
                break;
            } else {
                include("modules/$name/$file.php");
            }
            break;

        default:
            die ("Sorry, you can't access this file directly...");
            break;

    }

    ---end of module.php---
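    A stricter variant of the same fix, added here as an example (it is not part of the original post or of Phpnuke's own code): instead of only silencing errors, it validates $name and $file against an allowlist pattern, checks that the resolved path stays inside the modules directory, and logs failures rather than echoing them to the browser. It assumes PHP 7.1 or later, that the parameters arrive in $_GET (rather than via register_globals as in the original), and a MODULES_DIR constant defined here for illustration.

```php
<?php
// Hardened module loader (example code, not Phpnuke's own module.php).
// Errors are logged, never displayed, so a warning that embeds $name or
// $file can no longer be reflected back into the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

define('MODULES_DIR', __DIR__ . '/modules'); // assumed layout: modules/<name>/<file>.php

// Returns the absolute path of the module file, or null if the request is rejected.
function resolve_module(string $name, string $file): ?string
{
    // Letters, digits and underscores only: this rules out "..", "/", "<",
    // quotes and anything else that could end up in an error message or path.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name) ||
        !preg_match('/^[A-Za-z0-9_]+$/', $file)) {
        return null;
    }
    $base = realpath(MODULES_DIR);
    $path = realpath(MODULES_DIR . "/$name/$file.php");
    // realpath() returns false for a missing file; also confirm the resolved
    // path is still under MODULES_DIR (guards against symlinks pointing out).
    if ($base === false || $path === false ||
        strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$op   = $_GET['op']   ?? '';
$name = $_GET['name'] ?? '';
$file = $_GET['file'] ?? '';

switch ($op) {
    case 'modload':
        $path = resolve_module($name, $file);
        if ($path === null) {
            // Log the rejected values (URL-encoded so they cannot break log lines)
            // and send the browser only a fixed message with no user input in it.
            error_log('modules.php: rejected name=' . rawurlencode($name)
                    . ' file=' . rawurlencode($file));
            http_response_code(404);
            echo 'Module not found.';
            break;
        }
        include $path;
        break;
    default:
        die("Sorry, you can't access this file directly...");
}
```

With this loader the request from the advisory above never reaches include(), so no warning containing the injected string is generated, and even if one were, display_errors is off.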

    regards,

    ---
    Cabezon Aurélien | aurelien.cabezoniSecureLabs.com
    http://www.iSecureLabs.com | French Security Portal