[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE Request: PHP-Nuke 8.x <= Cross Site Request
From: Josh Bressers <bressers () redhat ! com>
Date: 2011-03-30 19:49:18
Message-ID: 898381623.286329.1301514558259.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
[Download RAW message or body]
Please use CVE-2011-1482.
Thanks.
--
JB
----- Original Message -----
> PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass
> Vulnerability
>
>
>
> 1. OVERVIEW
>
> The PHP-Nuke version 8.x and lower versions are vulnerable to Cross
> Site Request Forgery (CSRF) because its Anti-CSRF mechanism (Referer
> Check) is found to be broken.
>
>
> 2. BACKGROUND
>
> PHP-Nuke is a Web Portal System or content management system. The goal
> of PHP-Nuke is to have an automated web site to distribute news and
> articles with users system. Each user can submit comments to discuss
> the articles. Main features include: web based admin, surveys, top
> page, access stats page with counter, user customizable box, themes
> manager for registered users, friendly administration GUI with graphic
> topic manager, option to edit or delete stories, option to delete
> comments, moderation system, Referrers page to know who link us,
> sections manager, customizable HTML blocks, user and authors edit, an
> integrated Banners Ads system, search engine, backend/headlines
> generation (RSS/RDF format), and many, many more friendly functions.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> The PHP-Nuke version 8.x and lower versions contain a flaw that allows
> a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw
> exists because the application does not require multiple steps or
> explicit confirmation for sensitive transactions for majority of
> administrator functions such as adding new user, assigning user to
> administrative privilege. By using a crafted URL, an attacker may
> trick the victim into visiting to his web page to take advantage of
> the trust relationship between the authenticated victim and the
> application. Such an attack could trick the victim into executing
> arbitrary commands in the context of their session with the
> application, without further prompting or verification.
>
>
> 4. VERSIONS AFFECTED
>
> 8.0 and lower
>
> Tested version: 8.0
> The paid versions, 8.1 and 9.0, of PHP-Nuke may be vulnerable as well.
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
> Consider the following code snippet in /mainfile.php of PHP-Nuke:
>
> //////////////////////////////////////////////////////////////////////////////
>
> 109 if(!function_exists('stripos')) {
> function stripos_clone($haystack, $needle, $offset=0) {
> $return = strpos(strtoupper($haystack),
> strtoupper($needle), $offset);
> if ($return === false) {
> return false;
> } else {
> return true;
> }
> }
> } else {
> // But when this is PHP5, we use the original function
> function stripos_clone($haystack, $needle, $offset=0) {
> $return = stripos($haystack, $needle, $offset=0);
> if ($return === false) {
> return false;
> } else {
> return true;
> }
> }
> 128 }
>
> ......
>
> 206 // Posting from other servers in not allowed
> 207 // Fix by Quake
> 208 // Bug found by PeNdEjO
>
> 210 if ($_SERVER['REQUEST_METHOD'] == "POST") {
> if (isset($_SERVER['HTTP_REFERER'])) {
> 212 if
> (!stripos_clone($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) {
> die('Posting from another
> server not allowed!');
> }
> } else {
> die($posttags);
> }
> }
> //////////////////////////////////////////////////////////////////////////////
>
> It is clear that stripos_clone checks HTTP_REFERER value whether it
> matches the target domain or not.
> Attacker can easily bypass it by creating victim domain name under his
> web root folder like:
>
> http://attacker.in/victim.com/
>
> From there, he could effectively perform CSRF attacks against php-Nuke
> users.
>
> A short P0C demo video can be seen at
> http://yehg.net/lab/pr0js/training/view/misc/PHPNuke_8x_Anti-CSRF-Bypass/
>
>
> 6. SOLUTION
>
> Not Available.
> Use of this product is NOT recommended because of long lack of update
> and vendor negligence about security reports.
>
>
> 7. VENDOR
>
> PHP-Nuke Developers
> http://phpnuke.org/
>
>
> 8. CREDIT
>
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2011-01-01: contacted author through emails
> 2011-01-25: contacted author through web site contact form
> 2010-03-23: no replies from author
> 2010-03-23: vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_cross_site_request_forgery
> CSRF Wiki:
> https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery
> About PHP-Nuke: http://en.wikipedia.org/wiki/PHP-Nuke
> PHP-Nuke 8.0:
> http://phpnuke.org/modules.php?name=Downloads&d_op=getit&lid=658
> CWE-352: http://cwe.mitre.org/data/definitions/352.html
>
> #yehg [2010-03-23]
>
> keywords: php nuke, php-nuke, phpnuke, 8.0, 8.1, csrf
>
>
>
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic