List: bugtraq
Subject: [waraxe-2004-SA#016 - Cross-Site Scripting aka XSS in phpnuke
From: Janek Vind <come2waraxe () yahoo ! com>
Date: 2004-04-12 16:03:25
Message-ID: 20040412160325.32307.qmail () www ! securityfocus ! com
{================================================================================}
{ [waraxe-2004-SA#016] }
{================================================================================}
{ }
{ [ Cross-Site Scripting aka XSS in phpnuke 6.x-7.2 part 3 ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 12. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=16
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is a popular freeware content management system, written in PHP by
Francisco Burzi. This CMS (Content Management System) is used on many thousands of
websites, because it's free of charge, easy to install and has a broad set of features.
Homepage: http://phpnuke.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here I am, on the road again, discussing a potential XSS case in phpnuke.
"AGAIN?". Yes, coz phpnuke is surprisingly generous software for finding different
security holes ;)
This XSS case is active when the website uses some specific nuke themes - for example
the generic themes "Karate", "Anagram", "Kaput", "Milo", "NukeNews" and many other
derivations and custom themes. By the way, the security issues here are phpnuke engine
related, not theme related.
Let's be more specific. There is a function in nuke engine, called cookiedecode().
From mainfile.php:
function cookiedecode($user) {
    global $cookie, $prefix, $db, $user_prefix;
    // $user arrives straight from the request (cookie, GET or POST)
    $user = base64_decode($user);
    $cookie = explode(":", $user);
    // the username is interpolated into the query unescaped (SQL injection, covered separately)
    $sql = "SELECT user_password FROM ".$user_prefix."_users WHERE username='$cookie[1]'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $pass = $row[user_password];
    if ($cookie[2] == $pass && $pass != "") {
        return $cookie;
    } else {
        // unset() here only drops the local references; the global $cookie survives
        unset($user);
        unset($cookie);
    }
}
As we can see, the variable $user (from $_COOKIE[], $_GET[] or $_POST[]) gets base64
decoded and then exploded into the array $cookie. Then the code asks the database for the
password md5 hash, and if the retrieved password matches the browser-supplied password,
the function returns the array $cookie[], and next the phpnuke theme.php will use this
valid username (it's checked in cookiedecode) for visual feedback, for example
"welcome, $username". So it seems that we can't spoof the username here, coz we can't
fool the checking routine (we don't consider sql injection here, coz it will be used
in my next advisory ;) ). This is what the programmer was thinking, but reality is
different...
From php manual:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
unset
(PHP 3, PHP 4)
unset -- Unset a given variable
Description
void unset ( mixed var [, mixed var [, ...]])
unset() destroys the specified variables. Note that in PHP 3, unset() will always
return TRUE (actually, the integer value 1). In PHP 4, however, unset() is no longer
a true function: it is now a statement. As such no value is returned, and attempting
to take the value of unset() results in a parse error.
The behavior of unset() inside of a function can vary depending on what type of
variable you are attempting to destroy. If a globalized variable is unset() inside
of a function, only the local variable is destroyed. The variable in the calling
environment will retain the same value as before unset() was called.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So, this little code in function cookiedecode():
} else {
unset($user);
unset($cookie);
}
will destroy the array $cookie[] only IN LOCAL CONTEXT, but in global scope it stays
UNDESTROYED! Whatever theme.php later reads from $cookie[1] is therefore still the
attacker-supplied, never-validated string.
Ok, now let's issue a request like this
http://localhost/nuke71/index.php?user=MTo8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk7PC9zY3JpcHQ%2bZm9vYmFy
to a phpnuke enabled website using one of the vulnerable themes, and we can see that XSS
works! What's inside "user"? If we base64_decode this variable, we see this:
1:<script>alert(document.cookie);</script>foobar
So, in this way, we can exploit XSS and evade all countermeasures in phpnuke set up
against scripting tags etc., because the filtering is applied to the request parameters,
not to the array that cookiedecode() leaves behind in global scope.
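The scope problem described above, and what a corrected decoder plus output encoding in the theme look like, as an added example. This is not code from the advisory or from PHP-Nuke; it assumes PHP 7 or later, replaces the database with a constructed in-memory table, and the names $FAKE_USERS, lookup_password(), cookiedecode_original(), cookiedecode_fixed() and welcome_banner() are invented here.

```php
<?php
// Added illustration, not PHP-Nuke code. Shows why unset() on a globalized
// variable does not clear the global, and a hardened variant of the decoder.

// Constructed stand-in for the nuke_users table: username => md5 password hash.
$FAKE_USERS = ['admin' => md5('secret')];

function lookup_password(string $username): string {
    global $FAKE_USERS;
    return $FAKE_USERS[$username] ?? '';
}

// Mirrors the advisory's logic. On failure, unset() removes only the local
// binding, so the global $cookie keeps the attacker-controlled array.
function cookiedecode_original($user) {
    global $cookie;
    $user = base64_decode($user);
    $cookie = explode(':', $user);
    $pass = lookup_password($cookie[1] ?? '');
    if (($cookie[2] ?? '') == $pass && $pass != '') {
        return $cookie;
    } else {
        unset($user);
        unset($cookie);   // destroys the local reference only
    }
}

// Hardened variant: the decoded array reaches global scope only after it
// validated; otherwise the global is explicitly assigned an empty array.
function cookiedecode_fixed($user) {
    global $cookie;
    $parts = explode(':', base64_decode($user, true) ?: '');
    $pass = lookup_password($parts[1] ?? '');
    if ($pass !== '' && hash_equals($pass, (string)($parts[2] ?? ''))) {
        $cookie = $parts;
        return $parts;
    }
    $cookie = [];          // an assignment, unlike unset(), does reach the global
    return [];
}

// Output encoding belongs in the theme regardless of which decoder runs:
// a username is data, never markup.
function welcome_banner(array $cookie): string {
    $name = $cookie[1] ?? '';
    return 'Welcome, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed forged value in the same "1:<markup>:<junk>" shape as the advisory's.
$forged = base64_encode('1:<i>forged</i>:bogus');

$cookie = null;
cookiedecode_original($forged);
var_dump($cookie);                 // still the forged array -> theme would echo it
echo welcome_banner($cookie ?? []), "\n";   // encoded: Welcome, &lt;i&gt;forged&lt;/i&gt;

$cookie = null;
cookiedecode_fixed($forged);
var_dump($cookie);                 // array(0) {}
echo welcome_banner($cookie), "\n";   // Welcome,

// A genuine login still works with the hardened decoder.
$good = base64_encode('1:admin:' . md5('secret'));
cookiedecode_fixed($good);
echo welcome_banner($cookie), "\n";   // Welcome, admin
```

The first var_dump is the whole advisory in one line: the function "failed", yet $cookie[1] is still the unvalidated string, and any theme that prints it raw has the XSS. The fix has two independent halves: assign rather than unset() so the failure path actually clears the global, and encode on output so the theme is safe even if some other path leaks untrusted data into $cookie.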
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to Stefano from UT Bee Clan!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------