{================================================================================}
{                             [waraxe-2004-SA#010]                               }
{================================================================================}
{                                                                                }
{         [ Multiple vulnerabilities in Error Manager v2.1 for PhpNuke ]         }
{                                                                                }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 18. March 2004
Location: Estonia, Tartu

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From developer's readme file:

    This Error Manager is made by Gijza.net
    The idea came from DR3N.tk
    This addon is made for PHP-NUKE 6.0. but may work for other versions
    Admin CP is also included in this version.
    For the latest version go to www.gijza.net

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Full path disclosure

Let's look at the original code:

    //language
    if( isset( $newlang ) ) {
        include( "language/error/lang-$newlang.php" );
        $language = $newlang;
    } elseif ( isset( $lang ) ) {
        include( "language/error/lang-$lang.php" );
        $language = $lang;
    } else {
        include( "language/error/lang-$language.php" );
    }

So nothing stops us from requesting this php file directly, and that leads to
standard php error messages, revealing the full path to error.php:

http://localhost/nuke71/error.php?newlang=foobar

Warning: main(language/error/lang-foobar.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke71\error.php on line 19

2. Cross-Site Scripting aka XSS

Again, let's look at the original code:

    if ($error == 401) { $pagetitle = "- "._EM401.""; }
    if ($error == 403) { $pagetitle = "- "._EM403.""; }
    if ($error == 404) { $pagetitle = "- "._EM404.""; }
    if ($error == 500) { $pagetitle = "- "._EM500.""; }

This is traditionally coded with the "switch/case" language construct, but for
some reason the author uses an "if/if/if/..." construction here, not even
"if/elseif/elseif/else". And we can see that if the variable $error is not 401,
403, 404 or 500 but something else, then we can set the UNINITIALIZED $pagetitle
to any value. This of course leads to XSS conditions:

http://localhost/nuke71/error.php?pagetitle=[xss code here]

One more way to exploit the XSS:

http://localhost/nuke71/error.php?error=>[xss code here]

As with all the PhpNuke XSS cases, using POST parameters, or even better COOKIE
parameters, is preferred, because the GET parameters are strictly filtered in
mainfile.php.

3. Script injection to error log (nasty one!)

This one is my favourite bug. I mean, Error Manager is supposed to log the error
conditions on the web server, so the admin can find potential bugs on the site,
and of course this logging feature will reveal to the admin many (unsuccessful)
attacks by "bad guys". It's a shame, but it's true: error logging in Error
Manager will log referer, request URI, etc., but WITHOUT ANY sanitizing against
html tags ;) So we can inject any javascript code into the error log, and when
the admin browses the logs, the website can be compromised: for example cookies
can be stolen, additional superadmin accounts can be created without the
knowledge of the admin (reference to [waraxe-2004-SA#008 - easy way to get
superadmin rights in PhpNuke 6.x-7.1.0]) etc ...

So, here is an attack scenario:

Write an html file like this one - Error Manager sploit
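As an added example (not code from the advisory or from Error Manager), here is the defender's side of the three findings above: the quoted error.php fragments rewritten so that the language include is whitelisted, $pagetitle is always assigned by the script, and logged request fields are HTML-escaped. The _EM* constants and the language/error/ directory come from the quoted code; the language list, the extra logged fields and the log path are assumptions.

```php
<?php
// Added example (not from the advisory or from Error Manager): the three
// error.php fragments quoted in the advisory, rewritten from the defender's
// side. The _EM* constants and language/error/ come from the quoted code;
// the language list and the log path are assumptions.

// 1. Full path disclosure: the include path was built from $newlang, which
//    register_globals filled from the request. Read the parameter explicitly
//    (GET, POST or COOKIE, since PhpNuke's mainfile.php only filters GET)
//    and accept only names from a fixed list, never raw request input.
$allowedLangs = array('english', 'estonian');            // assumed list
$langParam    = isset($_REQUEST['newlang']) ? $_REQUEST['newlang'] : 'english';
$language     = in_array($langParam, $allowedLangs, true) ? $langParam : 'english';
include("language/error/lang-$language.php");

// 2. XSS via uninitialised $pagetitle: cast $error to an integer and switch
//    on it with a default branch, so the script itself always assigns
//    $pagetitle and no request parameter can supply it.
$error = isset($_REQUEST['error']) ? (int) $_REQUEST['error'] : 0;
switch ($error) {
    case 401: $pagetitle = '- ' . _EM401; break;
    case 403: $pagetitle = '- ' . _EM403; break;
    case 404: $pagetitle = '- ' . _EM404; break;
    case 500: $pagetitle = '- ' . _EM500; break;
    default:  $error = 0; $pagetitle = '- Unknown error'; break;
}

// 3. Script injection into the error log: every field the client controls
//    (request URI, referer, user agent) is HTML-escaped before it is stored,
//    so the admin's log viewer renders it as text instead of markup.
function em_escape($value)
{
    // Drop control characters too, so one request stays one log line.
    $value = preg_replace('/[\x00-\x1f\x7f]/', ' ', (string) $value);
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$fields = array(
    date('Y-m-d H:i:s'),
    $error,
    em_escape(isset($_SERVER['REMOTE_ADDR'])     ? $_SERVER['REMOTE_ADDR']     : ''),
    em_escape(isset($_SERVER['REQUEST_URI'])     ? $_SERVER['REQUEST_URI']     : ''),
    em_escape(isset($_SERVER['HTTP_REFERER'])    ? $_SERVER['HTTP_REFERER']    : ''),
    em_escape(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''),
);
$line = implode("\t", $fields) . "\n";
file_put_contents('logs/error.log', $line, FILE_APPEND | LOCK_EX); // assumed path
```

Escaping on write assumes the admin viewer prints log lines verbatim; a viewer that escapes on output would then show the entities literally, so escape in exactly one place and do it consistently.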





Use it against the victim server and then just wait till the admin reads the
error log, and then log in to your brand new superadmin account ;)

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum staff and to all IT security related people in Estonia!
Greetings!
Special greets to ulljobu!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------