[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    [waraxe-2004-SA#016 - Cross-Site Scripting aka XSS in phpnuke
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2004-04-12 16:03:25
Message-ID: 20040412160325.32307.qmail () www ! securityfocus ! com
[Download RAW message or body]





{================================================================================}
{                              [waraxe-2004-SA#016]                              }
{================================================================================}
{                                                                                }
{           [ Cross-Site Scripting aka XSS in phpnuke 6.x-7.2 part 3 ]           }
{                                                                                }
{================================================================================}
                                                                                      \
                
Author: Janek Vind "waraxe"
Date: 12. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=16


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is popular freeware content management system, written in php by
Francisco Burzi. This CMS (Content Management System) is used on many thousands
websites, because it`s free of charge, easy to install and has broad set of features.

Homepage: http://phpnuke.org



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here I am, on the road again, discussing about potential XSS case in phpnuke.
"AGAIN?". Yes, coz phpnuke is surprisingly generous software for finding different
security holes ;)

This XSS case is active, when website uses some specific nuke themes - for example \
generic themes "Karate", "Anagram", "Kaput", "Milo", "NukeNews" and many other \
derivations and custom themes. By the way, security issues here are phpnuke engine \
related, not theme related.

Let's be more specific. There is a function in nuke engine, called cookiedecode().
From mainfile.php:

function cookiedecode($user) {
    global $cookie, $prefix, $db, $user_prefix;

    $user = base64_decode($user);
    $cookie = explode(":", $user);
    $sql = "SELECT user_password FROM ".$user_prefix."_users WHERE \
username='$cookie[1]'";  $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $pass = $row[user_password];
    if ($cookie[2] == $pass && $pass != "") {
	return $cookie;
    } else {
	unset($user);
	unset($cookie);
    }

As we can see, variable $user (from $_COOKIE[], $_GET[] or $_POST[]) gets base64 \
decoded and then exploded to array $cookie. Then the code will ask from database the \
password md5 hash and if retrieved password matches with browser supplied password, \
then function returns the array $cookie[] and next phpnuke theme.php will use this \
valid username (it's checked in cookidecode) for visual feedback, for example - \
"welcome, $username". So, it seems, that we can't spoof username here, coz we can't \
fool the checking routine (we dont consider here sql injection , coz it will be used \
in my next advisory ;) ). This is, what code programmer was thinking, but reality is \
different...

From php manual:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 unset

(PHP 3, PHP 4)
unset -- Unset a given variable 

Description
void unset ( mixed var [, mixed var [, ...]])

unset() destroys the specified variables. Note that in PHP 3, unset() will always \
return TRUE (actually, the integer value 1). In PHP 4, however, unset() is no longer \
a true function: it is now a statement.  As such no value is returned, and attempting \
to take the value of unset() results in a parse error. 

The behavior of unset() inside of a function can vary depending on what type of \
variable you are attempting to destroy.  If a globalized variable is unset() inside \
of a function, only the local variable is destroyed. The variable in the calling \
environment will retain the same value as before unset() was called.  \
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 So, this little code in function cookiedecode():
} else {
	unset($user);
	unset($cookie);
}
will destroy the array $cookie[] only IN LOCAL CONTEXT, but in global scope it will \
be UNDESTROYED!

Ok, now let's issue request like this

http://localhost/nuke71/index.php?user=MTo8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk7PC9zY3JpcHQ%2bZm9vYmFy


to the phpnuke enabled website, using vulnerable themes. And we can see, that XSS \
works! What's inside of the "user"? If we base64_decode this variable, we see this:

1:&lt;script&gt;alert(document.cookie);&lt;/script&gt;foobar

So, in this way, we can exploit XSS and evade all contrameasures in phpnuke, set up \
against scripting tags etc.




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to Stefano from UT Bee Clan!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic