Re: Phpnuke module.php vulnerability and php error_reporting issue

From: Mike Eheler (mehelerat_private)
Date: Mon Dec 17 2001 - 12:59:04 PST


    This has been a known vulnerability for quite some time now. I'd also like to 
    propose an alternative solution to the module.php problem.
    
    Please scrutinize this code to see if there are more security problems with it.
    
    Mike
    
    <?php
    // modules.php
    switch ($op) {
       case 'modload':
         // why this guy didn't just use include_once throughout the site
         // is beyond me.
         if (!isset($mainfile)) { include('mainfile.php'); }
         $tmp = pathinfo(realpath('./modules/index.html'));
         // realpath() returns false when the target does not exist, so
         // check for that before handing the result to pathinfo().
         $real = realpath("modules/$name/$file.php");
         $tmp2 = ($real === false) ? array('dirname' => '') : pathinfo($real);
         // Compare against the modules directory with a trailing separator
         // so that a sibling directory sharing the same prefix (e.g.
         // "modules2") is not accepted as being inside "modules".
         $cmp2 = $tmp['dirname'] . DIRECTORY_SEPARATOR;
         $cmp1 = substr($tmp2['dirname'] . DIRECTORY_SEPARATOR, 0, strlen($cmp2));
         if (strlen($tmp2['dirname']) > 0) {
           if (file_exists($tmp2['dirname'])) {
             if ($cmp1 == $cmp2) {
               include("modules/$name/$file.php");
             } else {
               // If you care to, log the action, and give the user a
               // threatening message.
               die('Naughty! Your IP address has been logged and emailed to the site admin!');
             }
           } else {
             die('File does not exist.');
           }
         } else {
           die('File does not exist.');
         }
         break;
    
       default:
         die("Sorry, you can't access this file directly...");
         break;
    }
    ?>
    
    Cabezon Aurélien wrote:
    
    > [ Phpnuke module.php vulnerability and PHP error_reporting issue ]
    > on 16 december by Cabezon Aurélien | aurelien.cabezonat_private
    > 
    > As you know, there are many cross site scripting issues in Phpnuke modules
    > and other web applications using PHP.
    > 
    > There is a cross site scripting issue because:
    > [1] there is a lack of checks on user input in module.php
    > [2] PHP does not deal well with error reporting
    > 
    > I found my website vulnerable to another cross site scripting
    > vulnerability; I thought the problem was in XForum (forum
    > module for phpnuke).
    > It was, but it was also in the way that PHP reports errors and deals with
    > error messages.
    > 
    > ---Vulnerable line in module.php---
    > include("modules/$name/$file.php");
    > ---Vulnerable line in module.php---
    > 
    > Exploit :
    > http://host.com/modules.php?op=modload&name=XForum&file=[hostile
    > javascript]&fid=2
    > 
    > Hostile javascript could be: {script}alert(document.cookie);{/script}, which
    > displays your cookie.
    > Replace {} by <>.
    > 
    > This crafted URL causes the module.php script to produce a PHP error report
    > like this:
    > 
    > ---php error report---
    > Warning: Failed opening 'modules/XForum/.php' for inclusion
    > (include_path='') in /home/foo/htdocs/modules.php on line 27
    > ---php error report---
    > 
    > When your browser displays the error report, it parses the hostile
    > javascript too...
    > I found an easy and fast way to fix this problem and other cross site
    > scripting issues regarding module.php and other web applications using PHP:
    > just turn off PHP error reporting and wait for a fix from the PHP devel team :)
    > The error_reporting function should check for bad inputs.
    > 
    > 
    > Temp fix for phpnuke module.php:
    > 
    > ---start of module.php---
    > error_reporting(0); //Add this line, Just turn off error_reporting
    > 
    > //original file
    > 
    > switch($op) {
    > 
    >     case "modload":
    >         if (!isset($mainfile)) { include("mainfile.php"); }
    >         if (ereg("\.\.",$name) || ereg("\.\.",$file)) {
    >             echo "You are so cool";
    >             break;
    >         } else {
    >             include("modules/$name/$file.php");
    >         }
    >         break;
    > 
    >     default:
    >         die ("Sorry, you can't access this file directly...");
    >         break;
    > 
    > }
    > 
    > ---end of module.php---
    > 
    > 
    > 
    > regards,
    > 
    > ---
    > Cabezon Aurélien | aurelien.cabezonat_private
    > http://www.iSecureLabs.com | French Security Portal
    > 
    > 
    
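The following is an added example, not code from either post in this thread and not PhpNuke's own code. It generalizes the realpath()-and-prefix idea from Mike's reply into a stand-alone resolver, handles the two edge cases the thread turns on (a request for a file that does not exist, and a path that resolves to a sibling directory sharing the "modules" prefix), and shows the output-encoding and display_errors/log_errors settings that keep the request parameters from being reflected into the page, which is the root of the XSS in Aurélien's report. The function names, the demo directory layout under the system temp directory and the sample requests are all assumptions constructed for the demo.

```php
<?php
// Added example (not from the original posts). Assumes modules live in
// $base/modules/<name>/<file>.php and that $name and $file come from the
// request, as in PhpNuke's modules.php.

// Keep PHP from printing warnings that would echo the URL back into the
// page, while still recording them for the admin. This is the configuration
// alternative to the error_reporting(0) temp fix from the original post.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Return the canonical path of the requested module file, or null if it
// does not exist or lies outside the modules directory.
function resolve_module($base, $name, $file)
{
    $modules = realpath($base . '/modules');
    if ($modules === false) {
        return null;
    }
    // realpath() returns false for a missing file, so a request that
    // resolves to nothing is rejected before any string comparison.
    $target = realpath($modules . '/' . $name . '/' . $file . '.php');
    if ($target === false) {
        return null;
    }
    // Compare against the modules directory *with* a trailing separator
    // so that a sibling directory such as "modules2" is not accepted.
    $prefix = $modules . DIRECTORY_SEPARATOR;
    if (substr($target, 0, strlen($prefix)) !== $prefix) {
        return null;
    }
    return $target;
}

// Build the message for a rejected request. The raw $name/$file values
// are HTML-encoded so a script tag in the URL stays inert when the
// message is rendered, unlike the bare PHP warning in the original post.
function rejection_message($name, $file)
{
    return 'Module not found: '
        . htmlspecialchars("$name/$file", ENT_QUOTES, 'UTF-8');
}

// --- constructed demo: a throwaway modules tree in the temp directory ---
$base = sys_get_temp_dir() . '/modload_demo_' . getmypid();
mkdir("$base/modules/XForum", 0700, true);
mkdir("$base/modules2/evil", 0700, true);
file_put_contents("$base/modules/XForum/index.php", "<?php echo 'forum';\n");
file_put_contents("$base/modules2/evil/index.php", "<?php echo 'evil';\n");
file_put_contents("$base/mainfile.php", "<?php echo 'main';\n");

$cases = array(
    array('XForum', 'index'),                                   // legitimate
    array('../modules2/evil', 'index'),                         // sibling dir
    array('XForum', '../../mainfile'),                          // climbs out
    array('XForum', '<script>alert(document.cookie)</script>'), // XSS probe
);
foreach ($cases as $c) {
    list($name, $file) = $c;
    $path = resolve_module($base, $name, $file);
    echo ($path === null)
        ? rejection_message($name, $file) . "\n"
        : "include: $path\n";
}

// Remove the demo tree again.
foreach (array("$base/modules/XForum/index.php", "$base/modules2/evil/index.php",
               "$base/mainfile.php") as $f) {
    unlink($f);
}
foreach (array("$base/modules/XForum", "$base/modules", "$base/modules2/evil",
               "$base/modules2", $base) as $d) {
    rmdir($d);
}
```

Only the first request yields an include path; the other three fall through to the encoded rejection message, and nothing from the URL reaches the response unencoded. Note that the check compares canonical paths, so it does not need the `..` pattern match from the quoted temp fix, which misses encodings and symlinks that realpath() resolves anyway.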



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 19:34:54 PST