Computer Security

Security Advisory: PHP-Nuke <= 8.0 Cookie Manipulation (lang)
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  GaziYapBoz Game Portal Remote SQL Injection Vulnerability

  PostGuestbook 0.6.
1(tpl_pgb_moddir)
Remote File Include Expliot

  netForo 0.
1g(file_to_downlo
ad)Remote File Disclosure Exploit

  Security Advisory - Multiple Vulnerabilities in Grayscale Blog 0.8.0

From:programmer_(at)_serbiansite.com <programmer_(at)_serbiansite.com>
Date:10.03.2007
Subject:PHP-Nuke <= 8.0 Cookie Manipulation (lang)

/////////////////////////////////////////////////////////////////////////////////
////////////////////
PHPNuke <= 8.0 Cookie Manipulation (lang)

PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: All version
BUG: Cookie Manipulation (lang) (SQL Injection + Local file include)
AUTHOR: Aleksandar aka sale83

/////////////////////////////////////////////////////////////////////////////////
//////////////////////
PHP.ini
Magic Quotes  = OFF
/////////////////////////////////////////////////////////////////////////////////
/////////////////////
PHP-Nuke - >Preferences - > Multilingual Options-> On (Activate Multilingual features?  = YES)
/////////////////////////////////////////////////////////////////////////////////
////////////////////

Bug is found in mainfile.php line 327.

// Line 327 Bug is here
} elseif (isset($lang)) {
       include_once("language/lang-".$lang.".php"); // This can be exploited by malicious users: ex: /../../robots.txt%00 Multilingual Options=OFF
       $currentlang = $lang; // This can be exploited by malicious users. ex:SQL Injection in Top and News Module ($currentlang) Multilingual Options = On
} else {

/////////////////////////////////////////////////////////////////////////////////
////////////////

This flaw is due to an error when handling the "lang" cookie parameter, which could be exploited by malicious users because $lang is not filtered.


Tested On:
Windows XP
Linux SlackWare 10.2
PHP Version 5.1.4
PHPNuke 8.0 ,7.9,7.6
Magic Quotes = OFF
Firefox  2 + Add N Edit Cookies Add-ons


/////////////////////////////////////////////////////////////////////////////////
////////////////
Patch:

} elseif (isset($lang)) {
  if (eregi('[A-Za-z]', $lang)) {
     if (file_exists("language/lang-".$lang.".php")) {
              include_once("language/lang-".$lang.".
php");
               $currentlang = $lang;
           }else {
                 include_once("language/lang-english.php");
                       $currentlang = "english";
               }
         }else {
          include_once("language/lang-english.php");
          $currentlang = "english";
         }
} else {

/////////////////////////////////////////////////////////////////////////////////
////////////////
Best Regards
Aleksandar
Programmer and Web Developer
/////////////////////////////////////////////////////////////////////////////////
//////////////
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru