Phpnuke module.php vulnerability and php error_reporting issue

From: Cabezon Aurélien (aurelien.cabezonat_private)
Date: Sat Dec 15 2001 - 17:05:45 PST


    [ Phpnuke module.php vulnerability and PHP error_reporting issue ]
    on 16 december by Cabezon Aurélien | aurelien.cabezonat_private
    
    As you know, there are many cross-site scripting issues in Phpnuke modules
    and other web applications using PHP.
    
    This cross-site scripting issue has two causes:
    [1] module.php does not check user input
    [2] PHP handles error reporting poorly
    
    I found my website vulnerable to another cross-site scripting
    vulnerability; I thought the problem was in XForum (forum
    module for phpnuke).
    It was there too, but it was also in the way that PHP reports errors and deals with
    error messages.
    
    ---Vulnerable line in module.php---
    include("modules/$name/$file.php");
    ---Vulnerable line in module.php---
    
    Exploit :
    http://host.com/modules.php?op=modload&name=XForum&file=[hostile
    javascript]&fid=2
    
    Hostile javascript could be: {script}alert(document.cookie);{/script}, which
    displays your cookie.
    Replace {} by <>.
    
    This crafted URL causes the module.php script to emit a PHP error report
    like this:
    
    ---php error report---
    Warning: Failed opening 'modules/XForum/.php' for inclusion
    (include_path='') in /home/foo/htdocs/modules.php on line 27
    ---php error report---
    
    When your browser displays the error report, it parses the hostile
    javascript too...
    I found an easy and fast way to fix this problem and other cross-site
    scripting issues regarding module.php and other web applications using PHP:
    just turn off PHP error reporting and wait for a fix from the PHP development team :)
    The error_reporting function should check for bad inputs.
    
    
    Temp fix for phpnuke module.php:
    
    ---start of module.php---
    <?php
    error_reporting(0); // Add this line: just turn off error_reporting
    
    // original file
    
    switch($op) {
    
        case "modload":
            if (!isset($mainfile)) { include("mainfile.php"); }
            // Reject ".." in either value to block directory traversal
            if (ereg("\.\.",$name) || ereg("\.\.",$file)) {
                echo "You are so cool";
                break;
            } else {
                include("modules/$name/$file.php");
            }
            break;
    
        default:
            die ("Sorry, you can't access this file directly...");
            break;
    
    }
    ?>
    ---end of module.php---
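    A stricter fix than switching error reporting off is to validate both
    parameters before they ever reach include(), so that neither markup nor a
    traversal sequence can end up in the path or in a warning text. The block
    below is an added example, not the author's code and not Phpnuke's own
    modules.php; it assumes the values arrive in $_GET['name'] and $_GET['file']
    (hypothetical request handling) and that modules live in a modules/ directory
    beside the script.

```php
<?php
// Hardened module loader (added example). Production php.ini should also
// carry display_errors=Off and log_errors=On so that any remaining warning
// is written to the log instead of being rendered into the response.

// Allow only a conservative character set: no slashes, dots, quotes or
// angle brackets, so the value can carry neither a path nor a script tag.
function is_safe_segment($value)
{
    return is_string($value) && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) === 1;
}

// Returns the absolute path of modules/<name>/<file>.php, or null when the
// input is malformed, the file does not exist, or it resolves outside $base.
function resolve_module_file($base, $name, $file)
{
    if (!is_safe_segment($name) || !is_safe_segment($file)) {
        return null;
    }
    $root      = realpath($base);
    $candidate = realpath($base . '/' . $name . '/' . $file . '.php');
    // realpath() yields false for a missing file; the prefix check keeps
    // symlinked module directories from escaping the modules tree.
    if ($root === false || $candidate === false
        || strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$name = isset($_GET['name']) ? $_GET['name'] : '';
$file = isset($_GET['file']) ? $_GET['file'] : 'index';

$path = resolve_module_file(__DIR__ . '/modules', $name, $file);
if ($path === null) {
    // Generic response: the submitted values are never echoed back, and
    // no include() is attempted, so PHP has nothing to warn about.
    http_response_code(404);
    echo 'Module not found.';
    exit;
}
include $path;
```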
    
    
    
    regards,
    
    ---
    Cabezon Aurélien | aurelien.cabezonat_private
    http://www.iSecureLabs.com | French Security Portal
    



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 11:48:01 PST