
PHPNuke error_reporting vulnerability
18th Dec 2001 [SBWID-4927]
COMMAND

	PHPNuke error_reporting vulnerability

SYSTEMS AFFECTED

	All versions

PROBLEM

	Aurelien Cabezon (http://www.isecurelabs.com) found the following:

	As you know, there are many cross site scripting issues in PHPNuke
	modules and other web applications using PHP.

	There is a cross site scripting issue caused by:
	 [1] a lack of checks on user input in module.php

	 [2] PHP not dealing well with error reporting

	I found my website vulnerable to another cross site scripting
	vulnerability; I thought the problem was in XForum (forum module for
	phpnuke). It was, but it was also in the way that PHP reports errors
	and deals with error messages.
	

	

	---Vulnerable line in module.php---

	include("modules/$name/$file.php");

	---Vulnerable line in module.php---

	

	

	Exploit :
	

	http://host.com/modules.php?op=modload&name=XForum&file=[hostile javascript]&fid=2

	

	

	Hostile javascript could be:
	{script}alert(document.cookie);{/script}

	which displays your cookie. Replace {} by <>.
	

	This crafted URL causes the module.php script to produce a PHP error
	report like this:
	

	

	---php error report---

	Warning: Failed opening 'modules/XForum/.php' for inclusion

	(include_path='') in /home/foo/htdocs/modules.php on line 27

	---php error report---

	

	

	When your browser displays the error report, it parses the hostile
	javascript too...

SOLUTION

	Aurelien Cabezon found an easy and fast way to fix this problem and
	other cross site scripting issues regarding module.php and other web
	applications using PHP: just turn off PHP error reporting and wait for
	a fix from the PHP devel team :) The error_reporting function should
	check for bad inputs.
	

	

	Temp fix for phpnuke module.php:
	

	

	

	---start of module.php---

	<?php
	error_reporting(0); // Add this line: just turn off error_reporting

	// original file

	switch ($op) {

	    case "modload":
	        if (!isset($mainfile)) { include("mainfile.php"); }
	        // reject ".." in either segment to block directory traversal
	        if (ereg("\\.\\.", $name) || ereg("\\.\\.", $file)) {
	            echo "You are so cool";
	            break;
	        } else {
	            include("modules/$name/$file.php");
	        }
	        break;

	    default:
	        die("Sorry, you can't access this file directly...");
	        break;

	}

	---end of module.php---
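	A hardened modload dispatch, added here as an example; it is not PHPNuke's module.php nor Cabezon's fix. Rather than silencing all errors, it restricts $name and $file to plain identifiers, keeps the resolved include inside the modules directory, turns off display_errors in favour of logging, and HTML-escapes anything echoed back. The helper names, MODULE_DIR, the 'index' default and the 404 response are assumptions of this example.

```php
<?php
// Added example (not PHPNuke's module.php): keep the warning from ever carrying
// attacker-controlled text into the page, rather than hiding all errors.
ini_set('display_errors', '0');   // never render PHP warnings into the response
ini_set('log_errors', '1');       // ...but still record them server-side

define('MODULE_DIR', __DIR__ . '/modules');   // assumed layout

// A module or file name may only be a plain identifier: no "..", "/", "<", ">".
function is_safe_segment($s)
{
    return is_string($s) && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $s) === 1;
}

// Resolve modules/<name>/<file>.php; null if the segments are malformed, the
// file is missing, or the resolved path escapes MODULE_DIR (symlinks included).
function safe_module_path($name, $file)
{
    if (!is_safe_segment($name) || !is_safe_segment($file)) {
        return null;
    }
    $base = realpath(MODULE_DIR);
    $path = realpath(MODULE_DIR . "/$name/$file.php");
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Read the parameters explicitly instead of relying on register_globals.
$op   = isset($_GET['op'])   ? $_GET['op']   : '';
$name = isset($_GET['name']) ? $_GET['name'] : '';
$file = isset($_GET['file']) ? $_GET['file'] : 'index';   // default is an assumption

if ($op !== 'modload') {
    die("Sorry, you can't access this file directly...");
}

$target = safe_module_path($name, $file);
if ($target === null) {
    // Fail closed. If the input must be shown at all, escape it so the browser
    // treats it as text, not markup.
    header('HTTP/1.0 404 Not Found');
    echo 'Unknown module: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    exit;
}
include $target;
```

	With this in place the crafted URL above never reaches include(), so no "Failed opening" warning containing the injected text is generated, and even a legitimately missing module produces only an escaped, logged error.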

	

	
