Phpnuke module.php vulnerability and php error_reporting issue
From: Cabezon Aurélien <aurelien.cabezon@isecurelabs.com>
To: <bugtraq@securityfocus.com>
Subject: [VulnWatch] Phpnuke module.php vulnerability and php error_reporting issue
[ Phpnuke module.php vulnerability and PHP error_reporting issue ]
on 16 december by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
As you know, there are many cross site scripting issues in Phpnuke modules
and in other web applications written in PHP.
This cross site scripting issue has two causes:
[1] module.php does not check user input
[2] PHP handles error reporting poorly
I found my website vulnerable to another cross site scripting
vulnerability; I thought the problem was in XForum (forum
module for phpnuke).
It was, but it was also in the way that PHP reports errors and deals with
error messages.
---Vulnerable line in module.php---
include("modules/$name/$file.php");
---Vulnerable line in module.php---
Exploit:
http://host.com/modules.php?op=modload&name=XForum&file=[hostile
javascript]&fid=2
Hostile javascript could be: {script}alert(document.cookie);{/script}, which
displays your cookie.
Replace {} by <>.
This crafted URL causes the module.php script to emit a PHP warning
like this, with the unchanged value of $file reflected inside the message:
---php error report---
Warning: Failed opening 'modules/XForum/.php' for inclusion
(include_path='') in /home/foo/htdocs/modules.php on line 27
---php error report---
When your browser displays the error report, it parses the hostile
javascript too...
I found an easy and fast way to fix this problem and other cross site
scripting issues regarding module.php and other web applications using PHP:
just turn off PHP error reporting and wait for a fix from the PHP development team :)
The error_reporting function should check for bad inputs.
Temp fix for phpnuke module.php:
---start of module.php---
error_reporting(0); // Add this line: it just turns off error_reporting,
                    // so the warning that reflects $file is never sent to the browser
// original file
switch($op) {
    case "modload":
        if (!isset($mainfile)) { include("mainfile.php"); }
        // only ".." is rejected; any other value of $name and $file still reaches include()
        if (ereg("\.\.",$name) || ereg("\.\.",$file)) {
            echo "You are so cool";
            break;
        } else {
            include("modules/$name/$file.php");
        }
        break;
    default:
        die ("Sorry, you can't access this file directly...");
        break;
}
---end of module.php---
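Turning off error_reporting hides the symptom but leaves the loader trusting $name and $file. The following is an added example, not PHP-Nuke's own code and not the author's fix: it shows how the loader can be hardened against both causes named above, by keeping PHP warnings out of the response (display_errors off, log_errors on), by accepting only a strict identifier for the module and file names instead of merely rejecting "..", by confirming that the resolved path still lies inside the modules directory, and by HTML-escaping anything echoed back to the user. The directory layout, the function names and the reject() message are assumptions, and the code uses modern PHP syntax rather than the 2002 ereg() style.

```php
<?php
// Added example (not PHP-Nuke's own code): a hardened module loader.
// The modules/ layout and all function names below are assumptions.

// 1. Never render PHP warnings to the visitor; log them for the admin instead.
//    The reflected value inside the warning is what carried the script into the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

define('MODULES_DIR', __DIR__ . '/modules');   // assumed layout

// 2. Accept only a strict identifier for the module and file names.
//    Stricter than the original ".." check: slashes, dots, angle brackets,
//    quotes and NUL bytes can never reach include() or an error message.
function safe_component(?string $value): ?string
{
    if ($value === null || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value)) {
        return null;
    }
    return $value;
}

// 3. Resolve the final path and confirm it is still inside MODULES_DIR.
//    realpath() returns false for a missing file, so the "modules/XForum/.php"
//    case from the advisory is rejected here instead of producing a warning.
function resolve_module_file(string $name, string $file): ?string
{
    $candidate = realpath(MODULES_DIR . '/' . $name . '/' . $file . '.php');
    $base      = realpath(MODULES_DIR);
    if ($candidate === false || $base === false) {
        return null;
    }
    // Compare canonical paths so a symlink cannot escape the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// 4. Anything echoed back to the user is HTML-escaped, so even a message
//    that mentions the rejected value cannot become markup.
function reject(string $reason): void
{
    http_response_code(400);
    echo 'Cannot load module: ' . htmlspecialchars($reason, ENT_QUOTES, 'UTF-8');
    exit;
}

$op   = $_GET['op']   ?? '';
$name = safe_component($_GET['name'] ?? null);
$file = safe_component($_GET['file'] ?? null);

if ($op !== 'modload') {
    reject('direct access is not allowed');
}
if ($name === null || $file === null) {
    reject('invalid module or file name');
}

$path = resolve_module_file($name, $file);
if ($path === null) {
    // Log a truncated copy of the raw input for the defender; reflect nothing to the user.
    error_log(sprintf('modules.php: refused name=%s file=%s',
        substr((string)($_GET['name'] ?? ''), 0, 64),
        substr((string)($_GET['file'] ?? ''), 0, 64)));
    reject('module not found');
}

include $path;
```

With this loader the request from the advisory (file set to a script tag) fails at safe_component() before any path is built, and a request for a module that exists but whose file does not fails at resolve_module_file() with a logged line and a static error page, so no attacker-controlled text ever appears in the HTML. Keeping error_reporting(E_ALL) with display_errors off is the defender-friendly setting: the warnings still reach the log, where they are useful for detecting probing, without reaching the browser.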
regards,
---
Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
http://www.iSecureLabs.com | French Security Portal