COMMAND
phpnuke
SYSTEMS AFFECTED
phpnuke 5.x
PROBLEM
'kill-9' found the following. phpnuke is an open-source web
portal that powers many websites on the net. Version 5.x of phpnuke
does not properly check some variables, and is vulnerable to an
attack that gives an intruder admin privileges.
This is only possible if the intruder knows the database name
that phpnuke is using, and the webserver must be able to connect
to it without a password. Although it is very unlikely that
both circumstances will occur, the bug is still worth
mentioning.
The 5.x versions of phpnuke include a new feature involving a
variable named $prefix: "All database tables now have the nuke_
prefix to avoid conflicts with other scripts... New $prefix
variable in config.php to setup multiple Nuke sites sharing one
database".
The $prefix variable is defined in the config.php file and is set
to 'nuke' by default. The default database name is also 'nuke'.
Sample default config.php file (the prefix is a quoted string):
    $dbhost = "localhost";
    $dbuname = "root";
    $dbpass = "";
    $dbname = "nuke";
    $system = 0;
    $prefix = "nuke";
An attacker can take advantage of this new feature by supplying a
certain value for the $prefix variable and creating their own
arbitrary SQL query. In the article.php file this is most easily
accomplished by bypassing the inclusion of mainfile.php and
supplying a value for $sid and $tid.
(Bypassing the mainfile.php inclusion is important because
mainfile.php itself includes config.php, which holds the variable
definition for $prefix; if $prefix is not defined there, an
attacker can supply her own value through the request.)
Sample code from article.php:
    if(!isset($mainfile)) { include("mainfile.php"); }
    if(!isset($sid) && !isset($tid)) { exit(); }
The flow of the program will then eventually reach the following
SQL query (example query from article.php):
    mysql_query("UPDATE $prefix"._stories." SET counter=counter+1 where sid=$sid");
So the following request will set all admin passwords to '1',
given that 'nuke' is the name of the phpnuke database:
    article.php?mainfile=1&sid=1&tid=1&prefix=nuke.authors%20set%20pwd=1%23
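The root cause above is that a request parameter can both skip the loading of config.php and then take the place of $prefix inside a query string. The following is an added example, not phpnuke's own code, showing a hardened counterpart of the article.php fragment: config.php is always loaded, request input is read explicitly instead of through register_globals, the prefix is checked against an identifier pattern, and the story id is bound as an integer parameter. It assumes config.php defines $dbhost, $dbuname, $dbpass, $dbname and $prefix as in the sample above, and uses mysqli in place of the mysql_query call quoted from the original file.

```php
<?php
// Added example (not phpnuke's code): hardened version of the article.php
// fragment. Assumes config.php defines $dbhost, $dbuname, $dbpass,
// $dbname and $prefix as shown in the advisory's sample file.

// 1. Never let a request variable decide whether config is loaded:
//    include it unconditionally instead of testing isset($mainfile).
require_once 'config.php';

// 2. Read request input explicitly rather than relying on register_globals,
//    so ?prefix=... in the URL cannot overwrite the value from config.php.
$sid = isset($_GET['sid']) ? $_GET['sid'] : null;
$tid = isset($_GET['tid']) ? $_GET['tid'] : null;
if ($sid === null && $tid === null) {
    exit();
}

// 3. Whatever its source, the table prefix may only be a plain identifier;
//    a value such as "nuke.authors set pwd=1#" is rejected here.
if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $prefix)) {
    die('invalid table prefix');
}

// 4. Story ids are integers; cast before the value goes anywhere near SQL.
$sid = (int) $sid;

$db = new mysqli($dbhost, $dbuname, $dbpass, $dbname);
if ($db->connect_error) {
    die('database connection failed');
}

// 5. The table name is built only from the validated prefix, and the
//    user-supplied id is bound as a parameter, never concatenated.
$stmt = $db->prepare("UPDATE `{$prefix}_stories` SET counter = counter + 1 WHERE sid = ?");
$stmt->bind_param('i', $sid);
$stmt->execute();
$stmt->close();
```

With this structure the URL shown above no longer has any effect: $mainfile is ignored, $prefix comes only from config.php, and even a hostile prefix value in the configuration file fails the identifier check before it reaches the query.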
In addition, it was noticed that in the file 'modules.php' there
exists a possible denial-of-service situation where an attacker
could cause the file to recursively include itself (or any PHP
file on the system, because phpnuke does not check for '../') by
using the following URL:
    http://site_name_with_phpnuke/modules.php?op=modload&name=../&file=modules
Resources were consumed quickly in the tests that were performed.
The fact that any .php file on the system can be included means
that if another user has an account on the same machine that
phpnuke is running on, he can cause phpnuke to include his .php
file (if he chmods it to be readable by everyone) and his own
arbitrary code will run with the permissions of the phpnuke user.
This would lead to easy administrative access to the portal, and
access to any of the phpnuke user's files.
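The module loader problem comes from building an include path directly out of the name and file parameters. The following is an added example, not phpnuke's own code, of a loader that restricts both parameters to simple identifiers and then confirms the resolved path still lies inside the modules directory, which blocks both the '../' traversal and the self-inclusion loop described above. It assumes modules are stored as modules/<name>/<file>.php relative to the script; the directory layout and the 'modload' handling are assumptions for the example.

```php
<?php
// Added example (not phpnuke's code): a module loader that cannot be
// steered outside the modules directory. Assumes the layout
// modules/<name>/<file>.php relative to this script.

define('MODULES_DIR', __DIR__ . '/modules');

// Returns true when the module was included, false when the request was
// refused. Returning a status lets the caller answer with an error page
// instead of silently including nothing.
function load_module($name, $file)
{
    // Accept only simple identifiers: no slashes, dots or NUL bytes, so a
    // value such as "../" is rejected before any path is built.
    $ident = '/^[A-Za-z0-9_-]{1,64}$/';
    if (!preg_match($ident, $name) || !preg_match($ident, $file)) {
        return false;
    }

    $path = MODULES_DIR . '/' . $name . '/' . $file . '.php';

    // Defence in depth: resolve symlinks and confirm that the final path is
    // still inside the modules directory. This also rules out including
    // modules.php itself, which lives above that directory.
    $base = realpath(MODULES_DIR);
    $real = realpath($path);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    require_once $real;
    return true;
}

if (isset($_GET['op']) && $_GET['op'] === 'modload') {
    $name = isset($_GET['name']) ? $_GET['name'] : '';
    $file = isset($_GET['file']) ? $_GET['file'] : '';
    if (!load_module($name, $file)) {
        http_response_code(404);
        echo 'No such module';
    }
}
```

The identifier check alone stops the traversal; the realpath comparison is kept because it also catches cases the pattern cannot see, such as a module directory that is itself a symlink pointing outside the web root.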
SOLUTION
Nothing yet.