
Multiple Full Path Disclosures in php-nuke 7.6 (and below)
---------------------------------------------------------------------------

Author: project-restart 
Date: 27. April 2005
Location: Brazil
Web: http://www.project-restart.org/
Target: PHP-nuke 7.6 (and below)

---------------------------------------------------------------------------
Target software description:
Php-Nuke is a popular open-source content management system written in PHP by
Francisco Burzi. This CMS is used on many thousands of websites because it is
freeware (7.7 is not), easy to install and manage, and has a broad set of features.

Homepage: http://phpnuke.org
---------------------------------------------------------------------------

Vulnerabilities found by luis <luis@xxxxxxxxxxxxxxxxxxx>

########################### Vuln1

File: includes/ipban.php
(http://localhost/nuke76/includes/ipban.php) 

-----------/includes/ipban.php--------------
15: global $prefix, $db;
16: $ip = $_SERVER["REMOTE_ADDR"];
17: $numrow = $db->sql_numrows($db->sql_query("SELECT id FROM ".$prefix."_banned_ip
        WHERE ip_address='$ip'"));
18: if ($numrow != 0) {
19:     echo "<br><br><center><img src='images\admin\ipban.gif'><br><br><b>You has
        been banned by the administrator</b></center>";
20:     die();
21: }
--------------------------------------------

Result:
Fatal error: Call to a member function on a non-object in
 /home/localhost/public_html/nuke76/includes/ipban.php on line 17

########################### Vuln2

File: db/db.php
(http://localhost/nuke76/db/db.php)

--------/db/db.php------------
49:switch($dbtype) {
50: case 'MySQL':
51: include("".$the_include."/mysql.php");#
52: break;
(...)
85: $db = new sql_db($dbhost, $dbuname, $dbpass, $dbname, false);
86: if(!$db->db_connect_id) {#
87: die("<br><br><center><img src=images/logo.gif><br><br><b>There seems to be a
        problem with the MySQL server, sorry for the inconvenience.<br><br>We should
        be back shortly.</center></b>");
88: }
-----------------------------

Result:
Fatal error: Cannot instantiate non-existent class: sql_db in 
/home/localhost/public_html/nuke76/db/db.php on line 86


########################### Vuln3
File: /modules/Reviews/language/lang-norwegian.php
(http://localhost/nuke76/modules.php?name=Reviews&newlang=norwegian)

--------/modules/Reviews/language/lang-norwegian.php--------------
52: define("_INVALIDTEXT","Feil i anmeldelsestekst... Feltet kan ikke være tomt\");
53: define("_INVALIDHITS","Treff må være en positiv integer");
-----------------------------------------------------------------

Result:
Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Reviews/language/lang-norwegian.php
on line 53

########################## Vuln4
File: /modules/Downloads/language/lang-greek.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=greek)

-------/modules/Downloads/language/lang-greek.php-----------
176: A-# define("_FILESIZE","ÃÅÃÂÃÂÃÂÃÂÃÂÃÂ 
ÃÂÃÂÃÂÃÂÃÅÃÂÃÂ");
177: A-# define("_VERSION","ÃÂÃÂÃÂÃÂÃÂÃÂ");
178: K-# define("_UDOWNLOADS","ÃÂÃÂÃÂÃÂÃÂÃÅÃÂÃÂÃ(c)ÃÂ");
179: A-# define("_HOMEPAGE","ÃÅÃÂÃÂÃÂÃÂÃ(c)ÃÂÃÅ 
Ã"ÃÂÃÂÃÅÃÂÃÂ ");
------------------------------------------------------------

Is this a comment?!
Result:
Parse error: parse error, unexpected ';' in 
/home/localhost/public_html/nuke76/modules/Downloads/language/lang-greek.php
on line 181

######################### Vuln 5
File: /modules/Downloads/language/lang-indonesian.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=indonesian)

------/modules/Downloads/language/lang-indonesian.php----
59: define("_DOWNLOADSNOTUSER8","<a href=\"modules.php?name=Your_Account&">Daftar di sini</a>");
60: define("_DOWNLOADALREADYEXT","ERROR: Alamat URL sudah ada dalam database!");
---------------------------------------------------------

Result:
Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Downloads/language/lang-indonesian.php
on line 59


---------------------------------------------------------------------------
(more)

Vulnerabilities found by guilherme <guilherme@xxxxxxxxxxxxxxxxxxx>


########################### Vuln6

File: /modules/Web_Links/language/lang-portuguese.php

When the Web_Links module is called with the Portuguese language,
it discloses the full path of the file on the server.

(http://localhost/nuke76/modules.php?name=Web_Links&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Web_Links/language/lang-portuguese.php
on line 171

---------/modules/Web_Links/language/lang-portuguese.php----------------

169: define("_REMOTEFORM","Forma de Avaliação a Distância");
170: define("_PROMOTE04","Se você nos enganar, nós removeremos seu link. Temos dito
     isto, aqui como uma forma de avaliação remota e
171: define("_VOTE4THISSITE","Vote neste Site!");
172: define("_LINKVOTE","Vote!");
----------------------------

########################### Vuln7

File: /modules/Web_Links/language/lang-indonesian.php

When the Web_Links module is called with the Indonesian language,
it discloses the full path of the file on the server.

(http://localhost/nuke76/modules.php?name=Web_Links&newlang=indonesian)

Parse error: parse error, unexpected T_STRING in
/home/localhost/public_html/nuke76/modules/Web_Links/language/lang-indonesian.php
on line 170

---------/modules/Web_Links/language/lang-indonesian.php----------------

169: define("_LOOKTOREQUEST","Kami akan memeriksa laporan anda.");
170: define("_ONLYREGUSERSMODIFY","Hanya member yang bisa meminta modifikasi
      link. Silakan daftar atau login <a href=\"/modules.php?name=Your_Account&">di sini</a>.");
171: define("_REQUESTLINKMOD","Permohonan Modifikasi Link Situs");
------------------------

########################### Vuln8

File: /modules/Surveys/language/lang-indonesian.php 

When the Surveys module is called with the Indonesian language,
it discloses the full path of the file on the server.

(http://localhost/nuke76/modules.php?name=Surveys&newlang=indonesian)

Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Surveys/language/lang-indonesian.php
on line 40

---------/modules/Surveys/language/lang-indonesian.php----------------
39: define("_NOSUBJECT","Tanpa Subjek");
40: define("_NOANONCOMMENTS","Anda tidak dibolehkan mengirim komentar, 
    silakan daftar <a href=\"modules.php?name=Your_Account&">di sini</a>");
41: define("_PARENT","Setingkat ke atas");
------------------------------


########################### Vuln9

File: /modules/Reviews/language/lang-portuguese.php

When the Reviews module is called with the Portuguese language,
it discloses the full path of the file on the server.

(http://localhost/nuke76/modules.php?name=Reviews&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Reviews/language/lang-portuguese.php
on line 89

---------/modules/Reviews/language/lang-portuguese.php----------------
88: define("_YOURNICK","O seu nome:");
89: define("_RCREATEACCOUNT","<a href="modules.php?name=Your_Account&op=new_user\"><b>Crie</b></a> uma conta");
87: define("_YOURCOMMENT","O seu comentário:");
-----------

########################### Vuln10

File: /modules/Journal/language/lang-portuguese.php

When the Journal module is called with the Portuguese language,
it discloses the full path of the file on the server.

(http://localhost/nuke76/modules.php?name=Journal&newlang=portuguese)

Parse error: parse error, unexpected T_STRING in 
/home/localhost/public_html/nuke76/modules/Journal/language/lang-portuguese.php
on line 31

---------/modules/Journal/language/lang-portuguese.php----------------
29: define("_ADDJOURNAL","Adicionar uma entrada no diário");
30: define("_ADDENTRY","Adicionar uma nova entrada);
31: define("_YOURLAST20","As suas 20 entradas");
-----------------------
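
Added example (not part of the original advisory and not PHP-Nuke code): a lint pass that flags the broken define() lines behind Vuln3 and Vuln5 through Vuln10 before a language file is deployed. It assumes the language files use double-quoted strings, one define() per line; the sample lines are constructed from the excerpts above.

```python
import re

# Characters that may follow a closing quote in a define("KEY","value"); line.
AFTER_STRING = set(",).; \t")

def lint_define_lines(source):
    """Return [(line_no, reason)] for define() lines with broken double-quoted
    strings. Lines may carry the 'NN: ' prefix used in the advisory excerpts."""
    findings = []
    for fallback_no, raw in enumerate(source.splitlines(), 1):
        m = re.match(r"\s*(\d+):\s?(.*)", raw)
        line_no, line = (int(m.group(1)), m.group(2)) if m else (fallback_no, raw)
        if not line.lstrip().startswith("define("):
            continue
        in_string, i, reason = False, 0, None
        while i < len(line) and reason is None:
            ch = line[i]
            if in_string and ch == "\\":
                i += 2          # escaped char (including \") stays inside the string
                continue
            if ch == '"':
                in_string = not in_string
                nxt = line[i + 1:i + 2]
                if not in_string and nxt and nxt not in AFTER_STRING:
                    reason = "unexpected text after closing quote: " + line[i + 1:i + 13]
            i += 1
        if reason is None and in_string:
            reason = "string still open at end of line"
        if reason:
            findings.append((line_no, reason))
    return findings

# Constructed sample: defective lines from the advisory excerpts (unwrapped),
# plus two well-formed neighbours.
SAMPLE = r'''
52: define("_INVALIDTEXT","Feil i anmeldelsestekst... Feltet kan ikke være tomt\");
53: define("_INVALIDHITS","Treff må være en positiv integer");
59: define("_DOWNLOADSNOTUSER8","<a href=\"modules.php?name=Your_Account&">Daftar di sini</a>");
89: define("_RCREATEACCOUNT","<a href="modules.php?name=Your_Account&op=new_user\"><b>Crie</b></a> uma conta");
30: define("_ADDENTRY","Adicionar uma nova entrada);
31: define("_YOURLAST20","As suas 20 entradas");
'''

if __name__ == "__main__":
    for line_no, reason in lint_define_lines(SAMPLE):
        print(line_no, reason)
```

The lint reports the line that carries the defect (52 and 30), whereas PHP reports the line where parsing finally fails (53 and 31). Where a PHP binary is available, `php -l <file>` gives the authoritative syntax check.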

---------------------------------------------------------------------------
How to fix:
http://www.project-restart.org
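
Added example (not from project-restart or PHP-Nuke): a check for confirming on your own install that no page still returns a PHP error banner containing a server path. The sample bodies are constructed from the Result sections above (one in PHP's HTML-formatted variant); matching Warning and Notice banners goes beyond the advisory's cases, and Unix-style paths are assumed.

```python
import re

# PHP error banner, as in the advisory's "Result:" sections:
#   "<Kind>: <message> in <absolute path> on line <N>"
# Warning and Notice are included as a generalization; they leak paths the same way.
BANNER = re.compile(
    r"(Fatal error|Parse error|Warning|Notice):\s+(.*?)\s+in\s+(/\S+\.php)"
    r"\s+on line\s+(\d+)", re.S)

def find_path_disclosures(body):
    """Return one dict per PHP error banner found in an HTTP response body.
    Assumes Unix-style absolute paths, as in the advisory."""
    # Banners are wrapped in <b> and <br /> when html_errors is on.
    text = re.sub(r"</?(b|br)\s*/?>", "", body)
    findings = []
    for kind, message, path, line in BANNER.findall(text):
        findings.append({"kind": kind, "message": " ".join(message.split()),
                         "path": path, "line": int(line)})
    return findings

def audit(responses):
    """responses: {url: body}. Return {url: findings} for pages that leak a path."""
    leaks = {}
    for url, body in responses.items():
        found = find_path_disclosures(body)
        if found:
            leaks[url] = found
    return leaks

# Constructed sample: bodies taken from the advisory's Result sections,
# plus one clean page. URLs are the advisory's localhost test install.
SAMPLE = {
    "http://localhost/nuke76/includes/ipban.php":
        "<br />\n<b>Fatal error</b>:  Call to a member function on a non-object in\n"
        " <b>/home/localhost/public_html/nuke76/includes/ipban.php</b> on line <b>17</b><br />",
    "http://localhost/nuke76/modules.php?name=Reviews&newlang=norwegian":
        "Parse error: parse error, unexpected T_STRING in \n"
        "/home/localhost/public_html/nuke76/modules/Reviews/language/lang-norwegian.php\n"
        "on line 53",
    "http://localhost/nuke76/index.php": "<html><body>Welcome</body></html>",
}

if __name__ == "__main__":
    for url, found in audit(SAMPLE).items():
        print(url, found)
```

With `display_errors` disabled in php.ini the banners go to the error log instead of the response, so a clean audit does not mean the broken files themselves are fixed.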

---------------------------------------------------------------------------

TimeLine:
25/04/2005 - php-nuke installed on our server (default 7.6 downloaded from phpnuke.org)
26/04/2005 - Luis found the first vulns and began looking for more
27/04/2005 - Guilherme found many vulns in the language files
28/04/2005 - Luis went through all the language files and found more vulns
29/04/2005 - report sent and vendor contacted

Contact:
---------------------------------------------------------------------------

Luis (22) - luis@xxxxxxxxxxxxxxxxxxx
Guilherme (GBR) - guilherme@xxxxxxxxxxxxxxxxxxx
Rodrigo (digÃo) - rodrigo@xxxxxxxxxxxxxxxxxxx

Homepage: http://www.project-restart.org/

May God have mercy on our souls!

(P.S. Sorry for our bad English, we are Brazilian boys =D)