Yet Another XSS Vulnerability in PHP-Nuke
|
Anonymous writes: "Forward from bugtraq:
-------------------------------------------
Affected Versions:
PHP-Nuke version 6.0 and below
Unaffected version:
PHP-Nuke 6.5
Impact:
-------------------------------------------
Allows any user to inject their own HTML or Java code instead of an avatar
image. This can lead to very annoying forum posts, and the usual XSS tricks."
Posted on Tuesday, February 04 @ 01:23:09 CET by [RETIRED]chatserv
Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 1) by Zhen-Xjell on Tuesday, February 04 @ 04:29:44 CET (http://castlecops.com)
Hi and thanks for posting. I have confirmed the exploit *does work* on PHP-Nuke 6.5, so all versions are susceptible. And of course I immediately fixed it for both Nuke 5.6 and 6.5, but only if the phpBB2 forums are used. I'll be issuing a release today.
Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 1) by Zhen-Xjell on Tuesday, February 04 @ 05:01:37 CET (http://castlecops.com)
I made the following changes. The left arrow is the changed, secured file, whereas the right one is the unmodified Nuke 6.5 beta 5 file. Make the changes to the Your_Account/index.php file. Basically, instances of user_avatar were removed.
751c749
function saveuser($realname, $email, $femail, $url, $user_avatar, $newsletter, $user_icq, $user_aim, $user_yim, $user_msnm, $user_from, $user_occ, $user_intrest, $user_sig, $bio, $pass, $vpass, $uname, $uid, $attach) {
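Review bot: only the left-hand (secured) line of this hunk survives; the `---` separator, the `>` right-hand line and the leading `<` marker are missing, so a reader cannot see what changed in the saveuser() signature. Since the line shown still declares `$user_avatar` as a parameter while the later hunks stop writing it, add a comment in the function saying the parameter is now accepted but ignored, or drop it from the signature and every call site together.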
775c773
sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' , user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
---
> $db->sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' , user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
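Review bot: the left-hand line begins `sql_query(` where the right-hand line begins `$db->sql_query(`; if that is not an extraction artefact (the `<` marker is also gone), the secured file calls a bare function that does not exist and the UPDATE will fail. Separately, removing `user_avatar` from the statement disables avatar changes rather than validating the value, and the remaining columns (`name='$realname'`, `bio='$bio'`, `user_sig='$user_sig'`, and so on) are still interpolated straight into the SQL string; any of them that is later rendered unescaped carries the same HTML-injection risk, so the change description should say that avatars are now read-only and the other fields should be escaped at the same time.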
786c784
sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', bio='$bio', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
---
> $db->sql_query("UPDATE ".$user_prefix."_users SET name='$realname', email='$email', femail='$femail', url='$url', bio='$bio', user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' WHERE uid='$uid'");
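Review bot: the same two observations as for the 775c773 hunk apply here: the left-hand line has lost the `$db->` receiver (and its `<` marker), and every other column in the statement remains an unescaped interpolation of user-controlled input.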
1174c1172
saveuser($realname, $email, $femail, $url, $user_avatar, $newsletter, $user_icq, $user_aim, $user_yim, $user_msnm, $user_from, $user_occ, $user_intrest, $user_sig, $bio, $pass, $vpass, $uname, $uid, $attach);
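Review bot: again only one side of the hunk survives, and the call shown still passes `$user_avatar` positionally to saveuser(). Whatever was changed on the other side, the argument list here must match the signature in the 751c749 hunk exactly; removing the parameter from one but not the other shifts every later argument by one position, so either keep it in both places or remove it from both.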
1223c1221
---
> ?>
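Review bot: dropping the closing `?>` is unrelated to the avatar fix; if it is intentional (it prevents stray whitespace after the tag from being sent before a later `Header("Location: ...")` call), say so in the change description so it is not mistaken for an accidental edit.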
For Nuke 5.6 the same thing was done. After I did this, I retested with the exploitable code and was unable to save anything to the user_avatar.
Re: (Score: 0) by Anonymous on Tuesday, February 04 @ 05:27:15 CET
All I did was alter modules/Your_Account/index.php. After:
if (!eregi("modules.php", $PHP_SELF)) {
die ("You can't access this file directly...");
}
I added:
if (isset($user_avatar)){
$user_avatar = mysql_escape_string(htmlspecialchars(stripslashes($user_avatar)));
}
The avatars are kept, and the worst a kiddie could do is make their own avatar a broken image. No more XSS.
Re: (Score: 1) by Zhen-Xjell on Tuesday, February 04 @ 05:30:34 CET (http://castlecops.com)
Thank goodness you posted that. I've been working on mod_rewrite for the forums for about two days now, and the simple things are evading me right now.
Re: (Score: 0) by Anonymous on Tuesday, February 04 @ 05:40:48 CET
Note: A more elegant fix would be better. Standard variable input validation used throughout the core code would cut down drastically on these XSS exploits. What I posted above was just the quickest thing I could get up on my site to remove the vulnerability.
If I knew regexes better, I'd just match against a valid image file name [else unset($user_avatar)]. Shouldn't be tough.
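As an added example, not code from this thread or from PHP-Nuke, here is the whitelist the commenter sketches: accept $user_avatar only when it is a bare image file name, otherwise drop it, and still HTML-escape it where it is rendered. The function names, the extension list and the length limit are assumptions.

```php
<?php
// Added example (not from the thread or PHP-Nuke). Whitelist an avatar value
// as a bare image file name, as the comment above proposes. The function
// names, the accepted extensions and the 64-byte limit are assumptions.
function validate_avatar(?string $user_avatar): ?string
{
    if ($user_avatar === null) {
        return null;
    }
    // One path component: letters, digits, '_', '-', '.' only, ending in an
    // image extension. Slashes, quotes, angle brackets and spaces never match,
    // and each dot must be followed by at least one character, so ".." cannot
    // appear. Returning null means "no avatar"; the caller should unset it.
    $ok = strlen($user_avatar) <= 64
        && preg_match('/\A[A-Za-z0-9_\-]+(?:\.[A-Za-z0-9_\-]+)*\.(?:gif|jpe?g|png)\z/i', $user_avatar);
    return $ok ? $user_avatar : null;
}

// Defence in depth: even a validated name is escaped when rendered, so a
// later relaxation of the whitelist cannot reintroduce markup injection.
function render_avatar_img(?string $avatar): string
{
    if ($avatar === null) {
        return '';
    }
    $safe = htmlspecialchars($avatar, ENT_QUOTES, 'UTF-8');
    return '<img src="images/avatars/' . $safe . '" alt="avatar">';
}

// Constructed sample inputs mirroring the scenario in the thread.
$samples = [
    'smiley.gif',            // accepted
    'My_Avatar-2.jpeg',      // accepted
    '<b>not an image</b>',   // rejected: markup, no image extension
    'sub/dir.gif',           // rejected: not a bare file name
    'evil.php',              // rejected: not an image extension
    '',                      // rejected: empty
];
foreach ($samples as $s) {
    $v = validate_avatar($s);
    printf("%-24s -> %s\n", var_export($s, true),
        $v === null ? 'REJECT (unset user_avatar)' : 'OK ' . render_avatar_img($v));
}
```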
Re: (Score: 1) by sixonetonoffun (sixonetonoffun@spammenot.com) on Tuesday, February 04 @ 09:49:58 CET
I failed to make this exploit work but will add the avatar patch just to be sure. I've used every published patch and filter I can find though, lol, i.e. http://computercops.biz, http://phpsecure.org and http://www.panoo.fr.tc/
Is it just me, or is the patch FB released today slowing Nuke down some???
Re: (Score: 1) by sixonetonoffun (sixonetonoffun@spammenot.com) on Tuesday, February 04 @ 21:26:49 CET
Yeah, I ran a quick bandwidth test; my connection was ugly. So I guess the answer's yep, it was just me!!!!!!! :oP
~Peter
Re: Yet Another XSS Vulnerability in PHP-Nuke (Score: 0) by Anonymous on Tuesday, February 04 @ 17:41:50 CET
A follow-up from bugtraq:
This is a follow-up to my original email.
First of all, I just want to add that with this vulnerability it is
possible to change other users' avatars to either text or to different
images. All you need to find out is their UID and username.
And also I came up with this solution for the problem.
In modules/Your_Account in PHP-Nuke, open up index.php. Search for
"saveuser"; you should get to a function that looks like this
(should be around line 740):
function saveuser($uid, $realname, $uname, $email, etc...
Right underneath the function call, put this in:
$referer = getenv("HTTP_REFERER");
$nukeurl="http://digital-delusions.com";
$nukeurl2="http://digital-delusions.dyn.ee";
$nukeurl3="http://192.168.0.254";
if (substr("$referer",0,strlen($nukeurl))==$nukeurl OR
substr("$referer",0,strlen($nukeurl2))==$nukeurl2 OR
substr("$referer",0,strlen($nukeurl3))==$nukeurl3) {
This code will check where the request is coming from, and if it is coming
from your site, then it will let the function continue. Notice I have 3
$nukeurl variables; this is because those are the 3 different URLs requests
can come from. So make sure you change my URLs to your site's URLs.
Then, go down to the end of the function (ends with a "}").
It should look something like this:
[...]
Header("Location: modules.php?name=$module_name");
}
}
}
Before the last "}"
paste this:
} else {
echo "delusion ownz j00";
}
Make sure you keep all the {}'s in their correct places; don't remove any. And
of course you can change the message to whatever you want ;)
Have fun,
-delusion
http://www.digital-delusions.com
Re: (Score: 1) by Zhen-Xjell on Tuesday, February 04 @ 19:02:09 CET (http://castlecops.com)
The problem with that implementation is that HTTP_REFERER can be faked very easily using Proxomitron. Thereby the referer check is rendered useless.