PHP-Nuke code execution and XSS vulnerabilities PROGRAM: PHP-Nuke VENDOR: Fransisco Burzi et al. HOMEPAGE: http://phpnuke.org/ VULNERABLE VERSIONS: 6.0 (the only supported version) IMMUNE VERSIONS: 6.0 with my patch applied LOGIN REQUIRED: no DESCRIPTION: "PHP-Nuke is a Web portal and online community system which includes Web-based administration, surveys, access statistics, user customizable boxes, a themes manager for registered users, friendly administration GUI with graphic topic manager, the ability to edit or delete stories, an option to delete comments, a moderation system, referer tracking, integrated banner ad system, search engine, backend/headlines generation (RSS/RDF format), Web directory like Yahoo, events manager, and support for 20+ languages." (direct quote from the program's project page at Freshmeat) PHP-Nuke is published under the terms of the GNU General Public License. It is a very popular program with lots and lots of installations. It is included as one of the packages in Debian GNU/Linux and one of FreeBSD's ports. Despite all this, the program has a bad reputation regarding security matters. SUMMARY: PHP-Nuke has a module that implements a web mail system. When a user reads an e-mail message with an attached file, the file in question is stored in a web accessible directory under its normal file name. Files with active web content, such as CGI or PHP scripts, are handled the same way. The module also has a cross-site scripting hole. Either problem is serious in its own right, but when we combine them, we end up with something very serious: an e-mail message that automatically executes an attached PHP script when someone opens it! TECHNICAL DETAILS: As stated above, PHP-Nuke has got a web mail system, and it stores attachments under their real file names in a directory where anyone can surf to them. There is nothing in the code that stops active content, such as PHP scripts, from being stored in that directory. There is also no warning against this in the program's documentation. As a result, any attacker can execute any PHP script on the web server. The attacker first sends the script as an attachment to any user who will read that message in PHP-Nuke's web mail system. The attacker then waits for the user to open the message, and finally the attacker just surfs to a predictable WWW location. The user doesn't even have to open the attachment, just the mail that it comes in. As a bonus, the web mail system also has a Cross-Site Scripting vulnerability. It doesn't remove <script> tags in HTML based e-mail messages. When we combine the two vulnerabilities, we find that it is possible to construct an e-mail message that will automatically execute an attached PHP script when an unsuspecting user opens that message! This is very bad, as PHP scripts can access files, databases and network resources. They can for instance store a C program in some temporary location, compile it and execute it. To make things even worse, the availability of anonymous remailers and the fact that the PHP script will be accessed from the victim's IP number and not the attacker's makes the attacker pretty anonymous. COMMUNICATION WITH VENDOR: I didn't contact the vendor, as Fransisco has a very bad track record when it comes to replying to security reports. MY "SECURITY HARDENING PACKAGE": Instead I wrote an unofficial patch for this issue. I have patched against version 6.0. The patch stops this particular cross-site scripting problem by calling the filter_text() function. As Matthew Murphy has shown us earlier, this function is not particularly secure, so there are other XSS problems that may be exploited. The patch also stops PHP-Nuke from storing active web content, with a long regular expression that only stores explicitly allowed types of data. If your users receive weird types of data, you may have to change the regex slightly. It also stops "../../../" traversal attacks using the attachments' file names. The patch doesn't address the issue of attached Word documents or other files being available for anyone to download, if they know the URL. MY EXPLOIT: I have also attached an exploit for this issue, which changes all administrator passwords on the PHP-Nuke system to "ulf". The attacker simply sends an HTML mail with the contents of my xss.html file as the *mail body* and my adminexploit.php file as an attachment. As soon as the victim opens the mail, the script is executed. // Ulf Harnhammar VSU Security ulfhat_private "I saw the worst minds of my generation / getting their political information from tabloids / listening to Savage Garden's greatest hits / getting married and having kids at 25 just 'cause the neighbours did / and building the worst administrative web-based members interface ever known to man" (To B.)
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:38:53 PST