Multiples Full Path Disclosure in php-nuke 7.6 (and below)

---------------------------------------------------------------------------
Author: project-restart
Date: 27. April 2005
Location: Brazil
Web: http://www.project-restart.org/
Target: PHP-nuke 7.6 (and below)
---------------------------------------------------------------------------
Target software description:
PHP-Nuke is a popular open-source content management system, written in PHP by Francisco Burzi. This CMS is used on many thousands of websites because it is freeware (7.7 is not), easy to install and manage, and has a broad set of features.
Homepage: http://phpnuke.org
---------------------------------------------------------------------------
Vulnerabilities found by luis <luis@xxxxxxxxxxxxxxxxxxx>
########################### Vuln1
File: includes/ipban.php
(http://localhost/nuke76/includes/ipban.php)
-----------/includes/ipban.php--------------
15: global $prefix, $db;
16: $ip = $_SERVER["REMOTE_ADDR"];
17: $numrow = $db->sql_numrows($db->sql_query("SELECT id FROM ".$prefix."_banned_ip WHERE ip_address='$ip'"));
18: if ($numrow != 0) {
19:     echo "<br><br><center><img src='images\admin\ipban.gif'><br><br><b>You has been banned by the administrator</b></center>";
20:     die();
21: }
--------------------------------------------
Result:
Fatal error: Call to a member function on a non-object in /home/localhost/public_html/nuke76/includes/ipban.php on line 17
########################### Vuln2
File: db/db.php
(http://localhost/nuke76/db/db.php)
--------/db/db.php------------
49: switch($dbtype) {
50:     case 'MySQL':
51:         include("".$the_include."/mysql.php");#
52:         break;
(...)
85: $db = new sql_db($dbhost, $dbuname, $dbpass, $dbname, false);
86: if(!$db->db_connect_id) {#
87:     die("<br><br><center><img src=images/logo.gif><br><br><b>There seems to be a problem with the MySQL server, sorry for the inconvenience.<br><br>We should be back shortly.</center></b>");
88: }
-----------------------------
Result:
Fatal error: Cannot instantiate non-existent class: sql_db in /home/localhost/public_html/nuke76/db/db.php on line 86

########################### Vuln3
File: /modules/Reviews/language/lang-norwegian.php
(http://localhost/nuke76/modules.php?name=Reviews&newlang=norwegian)
--------/modules/Reviews/language/lang-norwegian.php--------------
52: define("_INVALIDTEXT","Feil i anmeldelsestekst... Feltet kan ikke være tomt\");
53: define("_INVALIDHITS","Treff må være en positiv integer");
-----------------------------------------------------------------
Result:
Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Reviews/language/lang-norwegian.php on line 53
########################## Vuln4
File: /modules/Downloads/language/lang-greek.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=greek)
-------/modules/Downloads/language/lang-greek.php-----------
176: A-# define("_FILESIZE","ÃÅÃÂÃÂÃÂÃÂÃÂÃÂ ÃÂÃÂÃÂÃÂÃÅÃÂÃÂ");
177: A-# define("_VERSION","ÃÂÃÂÃÂÃÂÃÂÃÂ");
178: K-# define("_UDOWNLOADS","ÃÂÃÂÃÂÃÂÃÂÃÅÃÂÃÂÃ(c)ÃÂ");
179: A-# define("_HOMEPAGE","ÃÅÃÂÃÂÃÂÃÂÃ(c)ÃÂÃÅ Ã"ÃÂÃÂÃÅÃÂÃÂ ");
------------------------------------------------------------
Is this a comment?!
Result:
Parse error: parse error, unexpected ';' in /home/localhost/public_html/nuke76/modules/Downloads/language/lang-greek.php on line 181
######################### Vuln5
File: /modules/Downloads/language/lang-indonesian.php
(http://localhost/nuke76/modules.php?name=Downloads&newlang=indonesian)
------/modules/Downloads/language/lang-indonesian.php----
59: define("_DOWNLOADSNOTUSER8","<a href=\"modules.php?name=Your_Account&">Daftar di sini</a>");
60: define("_DOWNLOADALREADYEXT","ERROR: Alamat URL sudah ada dalam database!");
---------------------------------------------------------
Result:
Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Downloads/language/lang-indonesian.php on line 59

---------------------------------------------------------------------------
(more)
Vulnerabilities found by guilherme <guilherme@xxxxxxxxxxxxxxxxxxx>

########################### Vuln6
File: /modules/Web_Links/language/lang-portuguese.php
If the Web_Links module is called with the Portuguese language, it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Web_Links&newlang=portuguese)
Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Web_Links/language/lang-portuguese.php on line 171
---------/modules/Web_Links/language/lang-portuguese.php----------------
169: define("_REMOTEFORM","Forma de Avaliação a Distância");
170: define("_PROMOTE04","Se você nos enganar, nós removeremos seu link. Temos dito isto, aqui como uma forma de avaliação remota e
171: define("_VOTE4THISSITE","Vote neste Site!");
172: define("_LINKVOTE","Vote!");
----------------------------
########################### Vuln7
File: /modules/Web_Links/language/lang-indonesian.php
If the Web_Links module is called with the Indonesian language, it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Web_Links&newlang=indonesian)
Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Web_Links/language/lang-indonesian.php on line 170
---------/modules/Web_Links/language/lang-indonesian.php----------------
169: define("_LOOKTOREQUEST","Kami akan memeriksa laporan anda.");
170: define("_ONLYREGUSERSMODIFY","Hanya member yang bisa meminta modifikasi link. Silakan daftar atau login <a href=\"/modules.php?name=Your_Account&">di sini</a>.");
171: define("_REQUESTLINKMOD","Permohonan Modifikasi Link Situs");
------------------------
########################### Vuln8
File: /modules/Surveys/language/lang-indonesian.php 
If the Surveys module is called with the Indonesian language, it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Surveys&newlang=indonesian)
Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Surveys/language/lang-indonesian.php on line 40
---------/modules/Surveys/language/lang-indonesian.php----------------
39: define("_NOSUBJECT","Tanpa Subjek");
40: define("_NOANONCOMMENTS","Anda tidak dibolehkan mengirim komentar, silakan daftar <a href=\"modules.php?name=Your_Account&">di sini</a>");
41: define("_PARENT","Setingkat ke atas");
------------------------------

########################### Vuln9
File: /modules/Reviews/language/lang-portuguese.php
If the Reviews module is called with the Portuguese language, it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Reviews&newlang=portuguese)
Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Reviews/language/lang-portuguese.php on line 89
---------/modules/Reviews/language/lang-portuguese.php----------------
88: define("_YOURNICK","O seu nome:");
89: define("_RCREATEACCOUNT","<a href="modules.php?name=Your_Account&op=new_user\"><b>Crie</b></a> uma conta");
87: define("_YOURCOMMENT","O seu comentário:");
-----------
########################### Vuln10
File: /modules/Journal/language/lang-portuguese.php
If the Journal module is called with the Portuguese language, it returns the path of the file on the server.
(http://localhost/nuke76/modules.php?name=Journal&newlang=portuguese)
Parse error: parse error, unexpected T_STRING in /home/localhost/public_html/nuke76/modules/Journal/language/lang-portuguese.php on line 31
---------/modules/Journal/language/lang-portuguese.php----------------
29: define("_ADDJOURNAL","Adicionar uma entrada no diário");
30: define("_ADDENTRY","Adicionar uma nova entrada);
31: define("_YOURLAST20","As suas 20 entradas");
-----------------------
---------------------------------------------------------------------------
How to fix:
http://www.project-restart.org
---------------------------------------------------------------------------
Timeline:
25/04/2005 - PHP-Nuke installed on our server (default 7.6 downloaded from phpnuke.org)
26/04/2005 - Luis found the first vulns and began looking for more
27/04/2005 - Guilherme found many vulns in the language files
28/04/2005 - Luis reviewed all language files and found more vulns
29/04/2005 - report sent and vendor contacted
Contact:
---------------------------------------------------------------------------
Luis (22) - luis@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
(GBR) - guilherme@xxxxxxxxxxxxxxxxxxxxxxxxxx
(digão) - rodrigo@xxxxxxxxxxxxxxxxxxx
Homepage: http://www.project-restart.org/
May God have mercy on our souls!
(P.S. Sorry for our bad English, we are Brazilian boys =D)
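
Added example, not part of the original advisory: a small Python check an administrator can run over responses fetched from their own PHP-Nuke install to flag the error banners shown above and report which filesystem prefix they reveal. The names Disclosure, find_disclosures, audit and SAMPLE belong to this example; the sample bodies are constructed from the error text quoted in the advisory, and only Unix-style paths are handled.

```python
import posixpath
import re
from typing import NamedTuple

class Disclosure(NamedTuple):
    url: str
    level: str
    path: str
    line: int

# Banner PHP prints when display_errors is on:
#   "<level>: <message> in <absolute path> on line <n>"
PHP_ERROR = re.compile(
    r"(Fatal error|Parse error|Warning|Notice)\s*:\s+.*?\s+in\s+"
    r"(/\S+?)\s+on\s+line\s+(\d+)",
    re.IGNORECASE,
)
TAGS = re.compile(r"</?\w[^>]*>")  # html_errors wraps fields in <b>...</b>

def find_disclosures(url: str, body: str) -> list[Disclosure]:
    """Return every PHP error banner in a response body that leaks a path."""
    text = TAGS.sub("", body)
    return [Disclosure(url, m.group(1), m.group(2), int(m.group(3)))
            for m in PHP_ERROR.finditer(text)]

def audit(responses: dict[str, str]) -> tuple[list[Disclosure], str]:
    """Scan {url: body}; return findings and the directory prefix they share."""
    found = [d for url, body in responses.items()
             for d in find_disclosures(url, body)]
    dirs = [posixpath.dirname(d.path) for d in found]
    return found, (posixpath.commonpath(dirs) if dirs else "")

# Constructed sample: bodies reuse the error text quoted in the advisory.
BASE = "http://localhost/nuke76"
SAMPLE = {
    f"{BASE}/includes/ipban.php":
        "<br />\n<b>Fatal error</b>:  Call to a member function on a "
        "non-object in <b>/home/localhost/public_html/nuke76/includes/"
        "ipban.php</b> on line <b>17</b><br />",
    f"{BASE}/modules.php?name=Journal&newlang=portuguese":
        "Parse error: parse error, unexpected T_STRING in /home/localhost/"
        "public_html/nuke76/modules/Journal/language/lang-portuguese.php "
        "on line 31",
    f"{BASE}/index.php": "<html><body>Welcome, sign in to post.</body></html>",
}

if __name__ == "__main__":
    findings, root = audit(SAMPLE)
    for d in findings:
        print(f"{d.url}: {d.level} leaks {d.path}:{d.line}")
    print("disclosed install root:", root)
```

A finding on any URL means PHP errors are being rendered to visitors; the usual remedy is to log errors on the server instead of displaying them (PHP's display_errors and log_errors settings).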
