{================================================================================}
{ [waraxe-2004-SA#007] }
{================================================================================}
{ }
{ [ XSS and SQL injection bugs in 4nguestbook module for PhpNuke ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 15. March 2004
Location: Estonia, Tartu

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From developer's infofile:

4nGuestbook Version 0.92 (German & English & Finnish)
for phpNUKE Version 6.5 - 6.9 (www.phpnuke.org)
By WarpSpeed (Marco Wiesler) (warpspeed@4thDimension.de) @ Sep/2oo3
http://www.warp-speed.de @ 4thDimension.de Networking

With this addon/module for phpNUKE you can offer a comfortable guestbook to your users.
- Admin: Edit, delete and manage the guestbook entries
- Admin: General settings of the Addon/Module
- Admin: Settings: Allow NB-Code, HTML or Smilies ...
- Admin: Settings: Only Members can post...
- Preview of entry
- Show IP or ID of poster (only for Admin)
- Full Multilanguage support
- And much more...

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Cross-Site scripting aka XSS

Example:

http://localhost/nuke71/modules.php?...stbook&entry=x[xss%20code%20here]

Because PhpNuke will filter GET requests for some symbols, it will be wise to use a POST request for exploiting.

Remark 1 - this XSS case is by standard classification an sql injection bug, but because the script will display mysql errors for any user (not only for admin), we can "convert" the sql injection to xss.

Remark 2 - when MySql version 4.1 is widely used in future, then many "not so useful" sql injections, including this one, can be used with full power - because of the "subselects" feature, not available in current MySql versions. Why? Because if we can inject malicious code into the sql sentence after "ORDER BY" or after "LIMIT", then in current MySql versions all we can do is fail the sql request. No UNION-s etc. But in version 4.1 we can have something like this - "ORDER BY desc ASC LIMIT (SELECT pwd FROM nuke_authors)...".

2. Sql injection

Not useful at all in this case, because we must have superadmin rights, but anyway - this bug needs to be fixed...

Example:

http://localhost/nuke71/admin.php?op...CT%20null%20/*

and we have sql error:

MySQL Error : Query Error
Error Number: 1222
The used SELECT statements have a different number of columns

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ulljobu, djzone, raider and to all IT freaks in Estonia!
{================================================================================}
{ [waraxe-2004-SA#005] }
{================================================================================}
{ }
{ [ XSS in Php-Nuke 7.1.0 - part 2 ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 15. March 2004
Location: Estonia, Tartu

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular freeware content management system, written in PHP by Francisco Burzi. This CMS (Content Management System) is used on many thousands of websites, because it's free of charge, easy to install and has a broad set of features.

Homepage: http://phpnuke.org

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Throughout the history of PhpNuke there have been lots of messages and announcements about the Cross-Site Scripting aka XSS problems in this popular content management system. Now PhpNuke already has version number 7.1.0, but still we can't say that it's secure software. This advisory - "waraxe-2004-SA#005" - is meant to uncover some more XSS cases, besides those published earlier by me in "waraxe-2004-SA#002". So, let's begin...

1. http://localhost/nuke71/modules.php?name=Feedback

If we use in the "Your Name" field the string:

"><body onload=alert(document.cookie);>

then we have XSS conditions. The same applies to the email field.

2. http://localhost/nuke71/modules.php?...t&op=pass_lost

In the "nicname" field we use "><body onload=alert(document.cookie);> and XSS is available.
Remark - you need to make a custom form, because in the original html code there is a limited length of the "nicname" text field - 15 symbols.

3. http://localhost/nuke71/modules.php?name=Recommend_Us&op=SiteSent&fname=>[xss code here]

Remark - because the GET parameters are filtered in PhpNuke, we need to build custom html code with a proper form and then use POST parameters to complete the mission. By the way - even COOKIE parameters can be used for this and it's really handy, because COOKIE stuff rarely gets logged by web server software. This applies to all XSS cases in PhpNuke, because of the use of the code "import_request_variables('GPC');" in the mainfile.php

4. http://localhost/nuke71/modules.php?name=Downloads&d_op=TopRated&ratenum=>[xss code here]&ratetype=x

5. http://localhost/nuke71/modules.php?...isp=showsearch

We can exploit the search field to implement the XSS.

Finally - if we use XSS, we can steal cookies, use them to pretend to be somebody else (authentication bypass), and if the victim of the impersonation has admin rights in PhpNuke, then the entire website is already compromised...

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ulljobu, djzone, raider and to all IT freaks in Estonia!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
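Added here as a defensive illustration of the fixes both advisories point at; this is not code from waraxe, 4nGuestbook or PhpNuke. It reads parameters from an explicit source instead of relying on import_request_variables('GPC'), binds the entry id as an integer, logs instead of displaying the MySQL error, and HTML-encodes the reflected name fields; the $link connection, the guestbook_entries table and its column names are assumptions.

```php
<?php
// Added example, not 4nGuestbook or PhpNuke code. $link, $entry_id and the
// table name guestbook_entries are assumed names used only for illustration.

// Read each parameter from one explicit source. PhpNuke's mainfile.php used
// import_request_variables('GPC'), so a value filtered in the query string could
// still arrive through POST or a cookie; reading $_GET/$_POST closes that path.
function get_int_param(array $source, string $name): ?int {
    if (!isset($source[$name]) || !preg_match('/^\d{1,9}$/', (string) $source[$name])) {
        return null;                         // anything but a plain integer is rejected
    }
    return (int) $source[$name];
}

function get_text_param(array $source, string $name, int $maxlen): string {
    $v = isset($source[$name]) ? (string) $source[$name] : '';
    return mb_substr($v, 0, $maxlen);        // server-side limit, not just HTML maxlength
}

// The pattern behind advisory #007: the parameter is spliced into SQL and the raw
// MySQL error, which echoes the input back, is shown to every visitor:
//   mysql_query("SELECT ... $entry ...") or die("MySQL Error : " . mysql_error());
// Hardened form: bound parameter, and the error goes to the log, not the page.
function fetch_entry(mysqli $link, int $entry_id): ?array {
    $stmt = $link->prepare('SELECT id, name, text FROM guestbook_entries WHERE id = ?');
    if ($stmt === false || !$stmt->bind_param('i', $entry_id) || !$stmt->execute()) {
        error_log('guestbook query failed: ' . $link->error);
        return null;                         // caller shows a fixed, generic message
    }
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Output encoding for the reflected fields in advisory #005 ("Your Name", "nicname",
// "fname"): ENT_QUOTES encodes both quote characters, including the double quote
// the "><body onload=...> payload relies on, so the value cannot leave the attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$entry_id = get_int_param($_GET, 'entry');
if ($entry_id === null) {
    http_response_code(400);
    exit('Invalid entry id.');               // constant text; the input is never reflected
}
$fname = get_text_param($_POST, 'fname', 60);
echo '<input type="text" name="fname" value="' . h($fname) . '">';
```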