
Archive for 23 December 2002

Vulnerability in PHP-Nuke 6

23 December 2002

Any site on which PHP-NUKE 6.0 is installed can be used to send HTML mail to any recipient. (the details are here)

To fix the problem, patch (by hand, for the moment) a few files of the PHP-Nuke installation following the instructions you will find by reading on in this article …

Object of the game:
insert the lines preceded by the + sign into the files indicated (the file name is preceded by +++).
To find out at which line the quoted piece of code starts, refer to the number between the two @@.
Happy hacking


--- html/mainfile.php.old Thu Dec 19 19:17:10 2002
+++ html/mainfile.php Thu Dec 19 19:24:00 2002
@@ 870 @@
     return($ThemeSel);
 }

+#
+# Security fix
+# Ulf Harnhammar, VSU Security 2002
+#
+
+function removecrlf($str) {
+    return strtr($str, "1512", '  ');
+}
+
?>
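Review bot: the second argument of strtr() in `+    return strtr($str, "1512", '  ');` reads "1512" as rendered here, which would map the digits 1, 5 and 2 to spaces and leave carriage returns and line feeds untouched; given the function name and the two-space replacement string, the intended value is almost certainly the octal escapes "\015\012" (CR and LF) with the backslashes lost when the patch was pasted, so anyone applying this by hand should write `"\015\012"` (or `"\r\n"`) and check the result against the original VSU Security patch. With two strings of equal length strtr() maps character for character, so each CR and each LF becomes a single space, which is what stops a user-supplied name or address from terminating a mail header and starting a new one.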
--- html/modules/Feedback/index.php.old Thu Dec 19 19:26:44 2002
+++ html/modules/Feedback/index.php Thu Dec 19 19:28:34 2002
@@ 69 @@
  $send = "no";
     }
     if ($send != "no") {
+ $sender_name = removecrlf($sender_name); # Security fix
+ $sender_email = removecrlf($sender_email);
  $msg = "$sitename

";
  $msg .= ""._SENDERNAME.": $sender_name
";
  $msg .= ""._SENDEREMAIL.": $sender_email
";
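Review bot: in the lines shown, $sender_name and $sender_email only feed the message body ($msg), where a line break is harmless; the stripping matters for the header argument of mail() (the From: line), which lies outside this hunk, so confirm that the header is built from these sanitized variables rather than from a copy taken earlier, and that every other value placed in a header gets the same treatment. The two added lines are indented with one space while the surrounding block uses four; cosmetic, but worth aligning before committing.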
--- html/modules/Journal/friend.php.old Thu Dec 19 21:23:27 2002
+++ html/modules/Journal/friend.php Thu Dec 19 21:25:22 2002
@@ 38 @@
 list ($jtitle) = sql_fetch_row($result, $dbi);

 if ($send == 1) {
+    $fname = removecrlf($fname); # Security fix
+    $fmail = removecrlf($fmail);
+    $yname = removecrlf($yname);
+    $ymail = removecrlf($ymail);
+
     $subject = ""._INTERESTING." $sitename";
     $message = ""._HELLO." $fname:

"._YOURFRIEND." $yname "._CONSIDERED."

$jtitle
"._URL.": $nukeurl/modules.php?name=$module_name&file=display&jid=$jid

"._AREMORE."

---
$sitename
$nukeurl";
     mail($fmail, $subject, $message, "From: "$yname" <$ymail>
X-Mailer: PHP/" . phpversion());
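Review bot: placement is right: all four inputs are stripped before $yname and $ymail reach the From: header and before $fmail reaches the recipient argument of mail(). Note that the context line `mail($fmail, $subject, $message, "From: "$yname" <$ymail>` shows the inner quotes around $yname unescaped, which would not parse in PHP; presumably the real file has them as \" and the backslashes were lost in rendering, so this copy should not be pasted literally. $jtitle comes from the database and goes only into the body here, so it needs no CR/LF treatment for this fix.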
--- html/modules/News/friend.php.old Thu Dec 19 20:05:53 2002
+++ html/modules/News/friend.php Thu Dec 19 20:16:24 2002
@@ 50 @@
 function SendStory($sid, $yname, $ymail, $fname, $fmail) {
     global $sitename, $nukeurl, $prefix, $dbi, $module_name;

+    $fname = removecrlf($fname); # Security fix
+    $fmail = removecrlf($fmail);
+    $yname = removecrlf($yname);
+    $ymail = removecrlf($ymail);
+
     $result2=sql_query("select title, time, topic from ".$prefix."_stories where sid=$sid", $dbi);
     list($title, $time, $topic) = sql_fetch_row($result2, $dbi);

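Review bot: sanitizing the parameters at the top of SendStory() covers every caller, which is the right place for it. Unrelated to this fix but visible in the context line, `where sid=$sid` interpolates $sid into the query unquoted; casting it to an integer first (e.g. `$sid = intval($sid);`) is a one-line hardening that belongs in the same change, since the function already trusts its arguments too much.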
--- html/modules/Recommend_Us/index.php.old Thu Dec 19 20:00:45 2002
+++ html/modules/Recommend_Us/index.php Thu Dec 19 20:02:45 2002
@@ 45 @@

 function SendSite($yname, $ymail, $fname, $fmail) {
     global $sitename, $slogan, $nukeurl, $module_name;
+    $fmail = removecrlf($fmail); # Security fix
+    $yname = removecrlf($yname);
+    $ymail = removecrlf($ymail);
     $subject = ""._INTSITE." $sitename";
     $message = ""._HELLO." $fname:

"._YOURFRIEND." $yname "._OURSITE." $sitename "._INTSENT."

"._FSITENAME." $sitename
$slogan
"._FSITEURL." $nukeurl
";
     mail($fmail, $subject, $message, "From: "$yname" <$ymail>
X-Mailer: PHP/" . phpversion());
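Review bot: unlike the Journal and News hunks, $fname is not passed through removecrlf() here. In the visible lines $fname appears only in the message body, so nothing is exposed, but stripping it too keeps the four functions consistent and costs one line: `+    $fname = removecrlf($fname);`. The same rendering issue as in the other hunks applies to the mail() context line: the inner quotes around $yname must be escaped (\") in the real file.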
