From squidsecurity@hushmail.com Wed Jun 2 03:24:20 2004 From: Squid To: bugtraq@securityfocus.com Date: 1 Jun 2004 18:40:35 -0000 Subject: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke v7.3 and earlier =========================================================================== =========================================================================== Advisory: 2004-Nuke-001 Affected Software: PHPNuke Affected Versions: Version 7.3 and earlier Main Developer: Francisco Burzi (http://www.phpnuke.org/) Module Developers: See credits section below Description: ----------- PhpNuke is a very popular open source portal software for building dynamic websites. It is a fork of Thatware and has been under active development since mid-2000. Over the years, PhpNuke itself has spawned a number of software forks. Vulnerability: ------------- In an effort to secure files from being directly accessed by outside visitors, PhpNuke's core, module, and patch developers added a simple security checking mechanism. If the checker evaluates to false, the remaining code inside the file is executed. If it evaluates to true, the script aborts or the visitor is redirected to another page. The process consists of capturing the currently executing script's path and filename with the global variable $_SERVER['PHP_SELF']. Using PHP's built-in function eregi(), this value is then compared against the script's name which should be the sole access point. Example: if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); } In this example, a file with the above snippet will continue executing if it was accessed by another file containing the letters "admin.php" (without quotes) otherwise the script aborts returning the words "Access Denied". Using eregi() with the NOT logical operator as done by PhpNuke's developers is a very poor way to control file access because anyone can easily manipulate a URL and add the missing component thereby forcing the security check to always evaluate to false and gain unfettered entry. Exploitation Example: --------------------- http://www.domain.com/admin/case/case.adminfaq.php/admin.php?op=FaqCatGo Impact: ------ In the majority of cases here, exploition of this vulnerability will display full path disclosure and not continue further code execution where intrusion or damage might occur. In a much smaller number of cases, the code may continue executing and possibly allow outsiders unwanted access to some restricted areas on the site. Those who have setup their servers to look in the main directory when a file is not located in the current one may see a higher percentage of unwanted access and a lower percentage of full path disclosures than others. PhpNuke's code was not analyzed on whether additional vulnerabilities are possible due to this security weakness. However, files where potential SQL injections might occur are flagged below. Affected Files: -------------- Although an effort was made to identify all affected files, we leave it up to the developers/users to do their own verification to ensure no files were inadvertently missed. There are ~138 files affected. Of these, ~27 have no security check in PhpNuke's original distribution. A software patch was released by chatserv from NukeFixes (http://www.nukefixes.com) and NukeResources (http://www.nukeresources.com) to correct a number of vulnerability issues. Although 25 of the 27 files had a security check added, chatserv used the same inadequate method described in this report. Note 1 --> /admin/case/case.adminfaq.php Note 1 --> /admin/case/case.authors.php Note 1 --> /admin/case/case.backup.php Note 1 --> /admin/case/case.banners.php Note 1 --> /admin/case/case.blocks.php Note 1 --> /admin/case/case.comments.php Note 1 --> /admin/case/case.content.php Note 1 --> /admin/case/case.download.php Note 1 --> /admin/case/case.encyclopedia.php Note 1 --> /admin/case/case.ephemerids.php Note 1 --> /admin/case/case.forums.php Note 1 --> /admin/case/case.groups.php Note 1 --> /admin/case/case.links.php Note 1 --> /admin/case/case.messages.php Note 1 --> /admin/case/case.modules.php Note 1 --> /admin/case/case.newsletter.php Note 1 --> /admin/case/case.optimize.php Note 1 --> /admin/case/case.polls.php Note 1 --> /admin/case/case.referers.php Note 1 --> /admin/case/case.reviews.php Note 1 --> /admin/case/case.sections.php Note 1 --> /admin/case/case.settings.php Note 1 --> /admin/case/case.stories.php Note 1 --> /admin/case/case.topics.php Note 1 --> /admin/case/case.users.php Note 2 --> /admin/links/links.addstory.php Note 2 --> /admin/links/links.backup.php Note 2 --> /admin/links/links.banners.php Note 2 --> /admin/links/links.blocks.php Note 2 --> /admin/links/links.content.php Note 2 --> /admin/links/links.download.php Note 2 --> /admin/links/links.editadmins.php Note 2 --> /admin/links/links.editusers.php Note 2 --> /admin/links/links.encyclopedia.php Note 2 --> /admin/links/links.ephemerids.php Note 2 --> /admin/links/links.faq.php Note 2 --> /admin/links/links.forums.php Note 2 --> /admin/links/links.groups.php Note 2 --> /admin/links/links.httpreferers.php Note 2 --> /admin/links/links.messages.php Note 2 --> /admin/links/links.modules.php Note 2 --> /admin/links/links.newsletter.php Note 2 --> /admin/links/links.optimize.php Note 2 --> /admin/links/links.reviews.php Note 2 --> /admin/links/links.sections.php Note 2 --> /admin/links/links.settings.php Note 2 --> /admin/links/links.submissions.php Note 2 --> /admin/links/links.surveys.php Note 2 --> /admin/links/links.topics.php Note 2 --> /admin/links/links.weblinks.php Note 3 --> /admin/modules/adminfaq.php Note 3 --> /admin/modules/authors.php Note 3 --> /admin/modules/backup.php Note 3 --> /admin/modules/banners.php Note 3 --> /admin/modules/blocks.php Note 3 --> /admin/modules/comments.php Note 3 --> /admin/modules/content.php Note 3 --> /admin/modules/download.php Note 3 --> /admin/modules/encyclopedia.php Note 3 --> /admin/modules/ephemerids.php Note 3 --> /admin/modules/forums.php Note 3 --> /admin/modules/groups.php Note 3 --> /admin/modules/links.php Note 3 --> /admin/modules/messages.php Note 3 --> /admin/modules/modules.php Note 3 --> /admin/modules/newsletter.php Note 3 --> /admin/modules/optimize.php Note 3 --> /admin/modules/polls.php Note 3 --> /admin/modules/referers.php Note 3 --> /admin/modules/reviews.php Note 3 --> /admin/modules/sections.php Note 3 --> /admin/modules/settings.php Note 3 --> /admin/modules/stories.php Note 3 --> /admin/modules/topics.php Note 3 --> /admin/modules/users.php Note 4 --> /db/db.php Note 1 --> /modules/AvantGo/index.php Note 1 --> /modules/AvantGo/print.php Note 1 --> /modules/Content/index.php Note 1 --> /modules/Downloads/index.php Note 5 --> /modules/Downloads/voteinclude.php Note 1 --> /modules/Encyclopedia/index.php Note 1 --> /modules/Encyclopedia/search.php Note 1 --> /modules/FAQ/index.php Note 1 --> /modules/Feedback/index.php Note 1 --> /modules/Forums/faq.php Note 1 --> /modules/Forums/groupcp.php Note 1 --> /modules/Forums/index.php Note 1 --> /modules/Forums/login.php Note 1 --> /modules/Forums/modcp.php Note 1 --> /modules/Forums/nukebb.php Note 1 --> /modules/Forums/posting.php Note 1 --> /modules/Forums/profile.php Note 1 --> /modules/Forums/search.php Note 1 --> /modules/Forums/update_to_205.php Note 1 --> /modules/Forums/update_to_206.php Note 1 --> /modules/Forums/update_to_207.php Note 1 --> /modules/Forums/viewforum.php Note 1 --> /modules/Forums/viewonline.php Note 1 --> /modules/Forums/viewtopic.php Note 1 --> /modules/Journal/add.php Note 1 --> /modules/Journal/comment.php Note 1 --> /modules/Journal/commentkill.php Note 1 --> /modules/Journal/commentsave.php Note 1 --> /modules/Journal/delete.php Note 1 --> /modules/Journal/deleteyes.php Note 1 --> /modules/Journal/display.php Note 1 --> /modules/Journal/edit.php Note 1 --> /modules/Journal/friend.php Note 1 --> /modules/Journal/functions.php Note 1 --> /modules/Journal/index.php Note 1 --> /modules/Journal/modify.php Note 1 --> /modules/Journal/savenew.php Note 1 --> /modules/Journal/search.php Note 1 --> /modules/Members_List/index.php Note 1 --> /modules/News/article.php Note 1 --> /modules/News/associates.php Note 1 --> /modules/News/categories.php Note 1 --> /modules/News/comments.php Note 1 --> /modules/News/friend.php Note 1 --> /modules/News/index.php Note 1 --> /modules/News/print.php Note 3 --> /modules/Private_Messages/index.php Note 1 --> /modules/Recommend_Us/index.php Note 1 --> /modules/Reviews/index.php Note 1 --> /modules/Search/index.php Note 1 --> /modules/Sections/index.php Note 1 --> /modules/Statistics/index.php Note 1 --> /modules/Stories_Archive/index.php Note 1 --> /modules/Submit_News/index.php Note 1 --> /modules/Surveys/comments.php Note 1 --> /modules/Surveys/index.php Note 1 --> /modules/Top/index.php Note 1 --> /modules/Topics/index.php Note 1 --> /modules/Web_Links/index.php Note 5 --> /modules/Web_Links/voteinclude.php Note 1 --> /modules/Your_Account/index.php Note 1 --> /modules/Your_Account/navbar.php ** Some of PhpNuke's earlier versions contain the WebMail module which is also affected by this security weakness. Note 1: Vulnerabilty: Full path disclosure for servers not setup to check the main directory when a file is not located in the current directory otherwise the rest of the code is executed. Note 2: Vulnerability: Full path disclosure. File has no security check. Note 3: Vulnerability: Full path disclosure. Possibility of SQL injection IF the database abstraction layer can be executed while accessing this file. Note 4: Vulnerabilty: Full path disclosure or the code can be made to execute passing in proper variable values. File has no security check. Note 5: Vulnerabilty: Full path disclosure for servers not setup to check the main directory when a file is not located in the current directory otherwise the rest of the code is executed. File has no security check. Credits -- Module Developers: ---------------------------- Admin FAQ/Authors/AvantGo/Backup/Banners/Blocks/Comments/Content/ Download/Encyclopedia/Ephemerids/Groups/Links/Messages/Modules/ News/Newsletter/Polls/Recommend Us/Referers/Reviews/Search/Sections/ Settings/Statistics/Stories/Stories Archive/Submit News/Surveys/Top/ Topics/Users/Web Links: - Francisco Burzi (http://www.phpnuke.org) - chatserv (http://www.nukefixes.com) (http://www.nukeresources.com) Admin FAQ: - Richard Tirtadji AKA King Richard (http://www.nukeaddon.com) - Hutdik Hermawan AKA hotFix (http://www.nukeaddon.com) AvantGo: - Tim Litwiller (http://linux.made-to-order.net) Backup: - Thomas Rudant (http://www.grunk.net) (http://www.securite-internet.org) Comments: - Oleg [Dark Pastor] Martos (http://www.rolemancer.ru) Forums/Members List/Private Messages (PHPBB2 forums code ported to PHPNuke): - The phpBB Group (http://www.phpbb.com) - Tom Nitzschner (http://bbtonuke.sourceforge.net) (http://www.toms-home.com) - Paul Laudanski and his team from Computer Cops (http://www.computercops.biz) and NukeCops (http://www.nukecops.com/) "Official" PhpNuke Developers - chatserv (http://www.nukefixes.com) (http://www.nukeresources.com) Journal: - Joseph Howard (Member's Journal) - Trevor Scott (Atomic Journal) - Paul Laudanski and his team from Computer Cops (http://www.computercops.biz) and NukeCops (http://www.nukecops.com/) "Official" PhpNuke Developers Links: - James Knickelbein (http://www.journeymilwaukee.com) Optimize: - Xavier JULIE (http://www.securite-internet.org) - chatserv (http://www.nukefixes.com) (http://www.nukeresources.com) Reviews: - Jeff Lambert (http://www.qchc.com) Statistics: - Harry Mangindaan (http://www.nuketest.com) - Sudirman (http://www.nuketest.com) Web Links: - James Knickelbein (http://www.journeymilwaukee.com) Your Account: - Francisco Burzi (http://www.phpnuke.org) =========================================================================== ===========================================================================