From:
To:
Subject: 3 phpnuke bugs (2 possibly lead to admin privs)
Date: Saturday, 4 August 2001 00:14

phpnuke (www.phpnuke.org) is an open-source web portal that powers many websites on the net.

Version 5.x of phpnuke does not properly check some variables and is vulnerable to an attack that gives an intruder admin privileges. This is only possible if the intruder knows the database name that phpnuke is using, and the webserver must be able to connect to it without a password. Although it is very unlikely that these two circumstances will occur together, this is still a bug worth mentioning.

The 5.x versions of phpnuke include a new feature involving a variable named $prefix:

< Quote from phpnuke release >
"All database tables now have the nuke_ prefix to avoid conflicts with other scripts"
"New $prefix variable in config.php to setup multiple Nuke sites sharing one database"
< / end quote >

The $prefix variable is defined in the config.php file and is set to 'nuke' by default, along with a default database of 'nuke'.

< Sample default config.php file >
    $dbhost = "localhost";
    $dbuname = "root";
    $dbpass = "";
    $dbname = "nuke";
    $system = 0;
    $prefix = "nuke";
< / end sample config.php >

An attacker can take advantage of this new feature by supplying a certain value for the $prefix variable and thereby creating their own arbitrary SQL query. In the article.php file this is most easily accomplished by bypassing the inclusion of mainfile.php and supplying a value for $sid and $tid. (Bypassing the mainfile.php inclusion is important because mainfile.php itself includes config.php, which holds the variable definition for $prefix; if $prefix is not defined by config.php, an attacker can supply her own value through the request.)

< sample code from article.php >
    if(!isset($mainfile)) { include("mainfile.php"); }
    if(!isset($sid) && !isset($tid)) { exit(); }
< / end sample code >

The flow of the program will then eventually reach the following SQL query:

< example query from article.php >
    mysql_query("UPDATE $prefix"._stories." SET counter=counter+1 where sid=$sid");
< / end example query >

So the following request will set all admin passwords to '1', given that 'nuke' is the name of the phpnuke database:

    article.php?mainfile=1&sid=1&tid=1&prefix=nuke.authors%20set%20pwd=1%23

##############
DoS possibility

In addition, I noticed that in the file 'modules.php' there exists a possible denial of service situation, where an attacker could cause the file to recursively include itself (or any PHP file on the system, because phpnuke does not check for '../') by using the following URL:

    http://site_name_with_phpnuke/modules.php?op=modload&name=../&file=modules

Resources were consumed quickly in the tests that were performed.

##############
Another way to get admin

The fact that any .php file on the system can be included means that if another user has an account on the same machine that phpnuke is running on, he can cause phpnuke to include his .php file (if he chmods it to be readable by everyone), and his own arbitrary code will run with the permissions of the phpnuke user. This would lead to easy administrative access to the portal, and access to any of the phpnuke user's files.

by kill-9@modernhacker.com
http://www.modernhacker.com
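Both findings above leave a recognisable trace in the webserver access log: a client sending a query parameter named after a config.php variable ($prefix, $mainfile) that only the server should define, or a modules.php request whose name/file parameter contains '../'. The following log scanner is an added example written for this page, not code from the advisory or from phpnuke; the log lines, IP addresses and timestamps are constructed, and the set of internal variable names is taken from the sample config.php quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache common-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2001:00:14:00 +0200] "GET /article.php?sid=12&tid=3 HTTP/1.0" 200 5120
203.0.113.5 - - [04/Aug/2001:00:14:07 +0200] "GET /article.php?mainfile=1&sid=1&tid=1&prefix=nuke.authors%20set%20pwd=1%23 HTTP/1.0" 200 310
198.51.100.9 - - [04/Aug/2001:00:15:30 +0200] "GET /modules.php?op=modload&name=News&file=index HTTP/1.0" 200 8800
198.51.100.9 - - [04/Aug/2001:00:15:41 +0200] "GET /modules.php?op=modload&name=../&file=modules HTTP/1.0" 500 0
198.51.100.9 - - [04/Aug/2001:00:16:02 +0200] "GET /modules.php?op=modload&name=..%2F..%2Fsomeuser&file=page HTTP/1.0" 200 1200
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Variables that config.php / mainfile.php define internally; a browser has no
# legitimate reason to send them, so their presence in a query string is a red flag.
INTERNAL_PARAMS = {"prefix", "mainfile", "dbname", "dbuname", "dbpass", "dbhost"}

def analyse_request(target):
    """Return a list of finding strings for one request target (path + query)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # Finding 1: client-supplied values for variables only config.php should set
    # (with register_globals an unset $prefix is populated from the query string).
    injected = sorted(INTERNAL_PARAMS & params.keys())
    if injected:
        findings.append(f"{script}: client-supplied internal variable(s) {injected}")
    # Finding 2: modules.php include parameters carrying traversal sequences or
    # path separators, which the advisory says phpnuke does not filter.
    if script == "modules.php":
        for key in ("name", "file"):
            for value in params.get(key, []):
                if ".." in value or "/" in value or "\\" in value:
                    findings.append(f"{script}: path traversal in {key}={value!r}")
    return findings

def scan_log(text):
    """Return (ip, timestamp, finding) tuples for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for finding in analyse_request(m["target"]):
            hits.append((m["ip"], m["ts"], finding))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the second, fourth and fifth sample lines and leaves the two ordinary requests alone; pointing it at a real access log only requires replacing SAMPLE_LOG with the file contents.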