Thursday, May 14, 2009

PHP Nuke v.8.0 Directory Traversal

Author: Gerendi Sandor Attila
Date: May 04, 2009
Package: PHP-Nuke
Product homepage: http://phpnuke.org/
Versions Affected: v.8.0 (Other versions may also be affected)
Severity: High

The cookie parameter "lang" in "/modules.php" is vulnerable to directory traversal attacks and possibly to arbitrary code inclusion/execution.

Description:
In mainfile.php we have (lines 3316-333):

// $newlang is checked for a "." before it reaches include_once ...
if (isset($newlang) AND !stripos_clone($newlang,".")) {
    if (file_exists("language/lang-".$newlang.".php")) {
        setcookie("lang",$newlang,time()+31536000);
        include_once("language/lang-".$newlang.".php");
        $currentlang = $newlang;
    } else {
        setcookie("lang",$language,time()+31536000);
        include_once("language/lang-".$language.".php");
        $currentlang = $language;
    }
// ... but $lang (taken from the "lang" cookie) is included without any check
} elseif (isset($lang)) {
    include_once("language/lang-".$lang.".php");
    $currentlang = $lang;
} else {
    setcookie("lang",$language,time()+31536000);
    include_once("language/lang-".$language.".php");
    $currentlang = $language;
}
Now look at this statement: include_once("language/lang-".$lang.".php"); On Windows, a nonexistent file name can be used as the base for directory manipulation. So assume we have c:\somefile.php and our web server is also installed somewhere on c:\; setting the cookie to something like:
/../../../../../../../../../somefile.php
results in:
include_once('language/lang-/../../../../../../../../../somefile.php');
and the file is included correctly.
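The root cause is that the cookie value reaches include_once unchecked. The following hardened replacement for that block is an added example, not PHP-Nuke's own code; the helper names resolve_language() and installed_languages(), the fallback value 'english', and the explicit reads from $_GET/$_COOKIE (instead of register_globals) are assumptions for illustration.

```php
<?php
// Added example (not PHP-Nuke code): allowlist the language name before it
// is ever concatenated into an include path.

// Build the allowlist from the lang-*.php files that actually exist, so the
// cookie can only select an installed language, never an arbitrary path.
function installed_languages(string $dir): array
{
    $langs = [];
    foreach (glob($dir . '/lang-*.php') ?: [] as $path) {
        if (preg_match('/^lang-([a-z_]+)\.php$/', basename($path), $m)) {
            $langs[] = $m[1];
        }
    }
    return $langs;
}

// Accept the requested value only if it is a plain identifier (no "/", "\",
// "." or NUL) and names an installed language; otherwise use the default.
function resolve_language(?string $requested, string $default, array $installed): string
{
    if ($requested !== null
        && preg_match('/^[a-z_]{1,32}$/', $requested) === 1
        && in_array($requested, $installed, true)) {
        return $requested;
    }
    return $default;
}

$langDir   = __DIR__ . '/language';
$installed = installed_languages($langDir);
$default   = 'english';   // assumption: the site's configured default language

// Read inputs explicitly; a traversal string such as the one above fails the
// identifier check and falls back to the default instead of being included.
$requested   = $_GET['newlang'] ?? $_COOKIE['lang'] ?? null;
$currentlang = resolve_language($requested, $default, $installed);

setcookie('lang', $currentlang, time() + 31536000, '/', '', false, true);
include_once $langDir . '/lang-' . $currentlang . '.php';
```

Because the name is validated against files found on disk rather than against a blocklist of characters, the same check also rejects values the original "." test would have missed.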

Status:
1. Contacted the author on May 04, 2009 via: http://phpnuke.org/modules.php?name=Feedback
2. No response was given (May 14, 2009).
3. According to Evaders99 this vulnerability was already reported in 2007 (http://secunia.com/advisories/24484/), thanks for the update. Still the downloadable v.8.0 was vulnerable.

1 comment:

  1. This seems to be a duplicate of
    http://secunia.com/advisories/24484/

    Patched files up to phpNuke 7.8 are correct. I've added the addendum here with code changes to Patched 7.9/8.0/8.1

    http://evaders.swrebellion.com/forums/posts65-0.html
