phpNuke Vulnerable to Multiple Security Holes (Administrative Privileges, DoS)
5 Aug. 2001
Summary
phpNuke is an open source web portal that powers many websites on the net. phpNuke does not properly sanitize input variables, making it vulnerable to an attack that would give an intruder administrative privileges.
Credit:
The information has been provided by kill-9.
This vulnerability is only possible if the intruder knows the database name that phpNuke is using, and the web server must be able to connect to that database without a password. Although it is very unlikely that both of these circumstances will occur, the bug is still worth mentioning.
phpNuke includes a new feature involving a variable named $prefix:
< Quote from phpNuke release >
- "All database tables now have the nuke_ prefix to avoid conflicts with other scripts"
- "New $prefix variable in config.php to set up multiple Nuke sites sharing one database"
</ End Quote >
The $prefix variable is defined in the config.php file and is set to 'nuke' by default; the default database name is also 'nuke'.
An attacker can take advantage of this new feature by supplying a certain value for the $prefix variable and creating their own arbitrary SQL query. In the article.php file this is most easily accomplished by bypassing the inclusion of the mainfile.php and supplying a value for $sid and $tid.
(Bypassing mainfile.php inclusion is important because mainfile.php itself includes config.php which has the variable definition for $prefix, and if $prefix is not defined then an attacker can supply her own value)
< sample code from article.php >
// the include is skipped whenever $mainfile is already set; with register_globals on,
// a global like this can be set by the request, so config.php (and $prefix) may never load
if(!isset($mainfile)) { include("mainfile.php"); }
// $sid and $tid come straight from the request and are only tested for presence, never validated
if(!isset($sid) && !isset($tid)) { exit(); }
</ end sample code >
The flow of the program will then eventually enter the following SQL query:
< example query from article.php >
// both $prefix (table name) and $sid (story id) are interpolated unescaped
mysql_query("UPDATE $prefix"."_stories"." SET
counter=counter+1 where sid=$sid");
</ end example query >
So the following command will set all admin passwords to '1', given that 'nuke' is the name of the phpNuke database.
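The root cause on the article.php side is that both the table prefix and the story id reach the query without ever being validated, and that the config include can be skipped. The following is an added hardening example, not phpNuke's own code: it assumes config.php defines $prefix as the advisory describes, takes the story id explicitly from $_GET rather than through register_globals, and keeps the page's mysql_query() call for the final step (a modern install would use mysqli or PDO there). The function name build_counter_update is ours.

```php
<?php
// Added hardening example, not phpNuke's own article.php. Assumes config.php
// sets $prefix; the helper name and the $_GET['sid'] parameter are assumptions.

// Always load the configuration. No request-controlled global decides this,
// so $prefix is guaranteed to come from config.php and nowhere else.
require_once 'config.php';

// Build the counter-update query from validated inputs only.
// Returns the SQL string, or null if either input is unacceptable.
function build_counter_update($prefix, $sid)
{
    // The prefix is a table-name fragment: accept only identifier characters,
    // so a prefix that carries SQL syntax is rejected before any query exists.
    if (!is_string($prefix) || !preg_match('/^[A-Za-z][A-Za-z0-9_]{0,31}$/', $prefix)) {
        return null;
    }
    // The story id is numeric: accept only a positive integer in canonical form.
    if (!preg_match('/^[1-9][0-9]*$/', (string) $sid)) {
        return null;
    }
    $table = $prefix . '_stories';
    // Only a validated identifier and an integer are interpolated now.
    return "UPDATE $table SET counter=counter+1 WHERE sid=" . (int) $sid;
}

// Read request input explicitly instead of relying on register_globals.
$sid = isset($_GET['sid']) ? $_GET['sid'] : '';
$sql = build_counter_update($prefix, $sid);
if ($sql === null) {
    exit();   // bad prefix or bad id: refuse rather than guess
}
mysql_query($sql);
```

Validating $prefix even though it should only ever come from config.php is deliberate: it turns a silent misconfiguration (or a future code path that forgets the include) into an immediate refusal instead of a query built from whatever value happened to be in scope.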
DoS condition:
In addition, in file 'modules.php' there is a possible denial of service situation where an attacker could cause the file to recursively include itself (or any PHP file on the system, because phpNuke does not check for '../') by using the following URL:
Resources were consumed quickly in the tests that were performed.
Another way to get administrator privileges:
The fact that any .php file on the system can be included means that if another user has an account on the same machine that phpNuke is running on, he can cause phpNuke to include his .php file (if he makes it readable by everyone), and his own arbitrary code will run with the permissions of the phpNuke user. This would lead to easy administrative access to the portal, and access to any of the phpNuke user's files.
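Both the recursive-include denial of service and the local-user code execution come from modules.php turning a request-supplied name into an include path with no check for '../' or for where the file actually lives. The following is an added hardening example, not phpNuke's own modules.php: it assumes a layout of modules/<name>/index.php, a request parameter called name, and a helper named resolve_module, all of which are assumptions. The module name is restricted to a plain identifier and the resolved path is confirmed to sit under the modules directory, which also rules out modules.php including itself.

```php
<?php
// Added hardening example, not phpNuke's own modules.php. The directory
// layout, the 'name' parameter and the function name are assumptions.

// Resolve a request-supplied module name to a file that is guaranteed to
// live under $modules_dir, or return null.
function resolve_module($modules_dir, $name)
{
    // A module name is a plain identifier: no slashes, dots or null bytes,
    // so traversal sequences never reach the filesystem at all.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        return null;
    }
    $base = realpath($modules_dir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . DIRECTORY_SEPARATOR . 'index.php');
    // realpath() follows symlinks and collapses "..", so this prefix check
    // confirms the final target is still inside the modules directory.
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$name = isset($_GET['name']) ? $_GET['name'] : '';
$file = resolve_module(__DIR__ . '/modules', $name);
if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    exit();
}
// Only a resolved path under modules/ is ever included, so neither this file
// nor another user's world-readable script can be pulled in.
include $file;
```

The identifier check alone would stop the traversal; the realpath() prefix check is kept as a second layer so that a symlink planted inside modules/ by another local user cannot redirect the include outside the tree.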