Another bogus security warning?

Posted: Tue Mar 25, 2003 11:59 am

It has been brought to my attention that BugTrack has sent emails to subscribers about a viewpage.php file in PHP-Nuke that allows anyone to view any file on the server, i have yet to find this file, anyone have better luck?

General Joined: Mar 22, 2003 Posts: 5233 Location: USA

chatserv wrote:

It has been brought to my attention that BugTrack has sent emails to subscribers about a viewpage.php file in PHP-Nuke that allows anyone to view any file on the server, i have yet to find this file, anyone have better luck?

I can't find it in 6.5, however, if you do a google search on "viewpage phpnuke" (no quotes though) you will get back several hits where there is a /somesite/viewpage.php?file=... urls. That appears to be the exploit potential. Shocked

Major Joined: Jan 13, 2003 Posts: 892

I haven't read the emails yet but if thats the case they they need to improve the verification before releasing reports. I heard if you are on a Nuke site and find a picture of SpongeBob you can click it and get 3 wishes bestoed apon you by a genie. Razz

General Joined: Mar 22, 2003 Posts: 5233 Location: USA

I don't have a copy of version 5.x nuke. Is it in there perchance?

Major Joined: Jan 13, 2003 Posts: 892

NukeStyles Custom About Us module?? Or ??

Major Joined: Jan 13, 2003 Posts: 892

frogmans posted a patch for banners.php anyone checked this out yet?

Posted: Tue Mar 25, 2003 1:50 pm

It basically adds the following to the start of the file

Code:

$cid=addslashes($cid);
$login=addslashes($login);

Major Joined: Jan 13, 2003 Posts: 892

Dang that is loose and wild. Good find there Dogman guess you have to use ESP to make sense of the bugtraq posts on this.

Nuke Soldier Joined: Feb 10, 2003 Posts: 20 Location: USA

Is there a security problem with the viewpage.php file????? Man, I sure hope not...

Please let me know as soon as possible, and I will post a fix or patch or something on phpnuke.org and my site as well... I wouldn't want to be the cause of some freaking hacking up peoples websites.

Thanks,

Shawn
http://www.NukeStyles.com

General Joined: Mar 22, 2003 Posts: 5233 Location: USA

NukeStyles wrote:

Is there a security problem with the viewpage.php file????? Man, I sure hope not...

Please let me know as soon as possible, and I will post a fix or patch or something on phpnuke.org and my site as well... I wouldn't want to be the cause of some freaking hacking up peoples websites.

Thanks,

Shawn
http://www.NukeStyles.com

Yes sir, unfortunately. If that snippet up above exists, by placing viewpage.php?file=/etc/passwd Twisted Evil

Nuke Soldier Joined: Feb 10, 2003 Posts: 20 Location: USA

Well hell... what should I do then? Tell everyone to ditch the file? Or is there a fix somewhere???

Damn! Sad

Any help would be appreciated... I'm still a noob to php kinda, and not good with security as these cops are...

Shawn

General Joined: Mar 22, 2003 Posts: 5233 Location: USA

NukeStyles wrote:

Well hell... what should I do then? Tell everyone to ditch the file? Or is there a fix somewhere???

Damn! Sad

Any help would be appreciated... I'm still a noob to php kinda, and not good with security as these cops are...

Shawn

Well, I have no idea what your scripts do Sad

. Most scripts that have this kind of code do not allow a / to be prepended to the filename. Some restrict to the current directory by prepending a ./ . Others make sure no ../ or ./ is allowed. If I was familiar with your scripts I could be more definitive.

You might also read this:
http://www.php.net/manual/en/security.filesystem.php

Major Joined: Jan 13, 2003 Posts: 892

Add slashes would help with the path being added but you will most likely find it better to do something like this too. Not tested no clue what the script does other then open a file. Maybe chatserv, ZX or AI would have a better informed suggestion. Anyway it doesn't appear to be any validation of what $file is so you need to filter user input somehow.
include strip_tags(add_slashes(check_html(($file, nohtml))));

Overkill??????

Posted: Tue Mar 25, 2003 3:28 pm

Without trying to make any bad comments about NukeStyle's scripts i find it unfair for them to categorize this as a PHP-Nuke problem - period - If they did mention it was part of a third party addon then it would be ok but chances are they didn't thus making it look as if FB had another bug on his program.

Now regarding that code, NukeStyles, on which of your scripts is that present? on all? The way it is written now it is making a generic call to a $file variable which could be made to pass the variable as any file, i would guess some checking should be added to the snippet to limit the files it can access or the directory to which it is authorized to access, i believe you'll be able to get a few suggestions right here.

General Joined: Mar 22, 2003 Posts: 5233 Location: USA

The posters to Bugtraq did not. I sent a reply to the latest poster (2 hours ago) but it hasn't (yet) been posted. I suggested that very possibility - asking him if he was sure he wasn't using an addon.