TUCoPS :: Web :: PHP :: web4927.htm
PHPNuke error_reporting vulnerability
18th Dec 2001 [SBWID-4927]
COMMAND
	PHPNuke error_reporting vulnerability
SYSTEMS AFFECTED
	All versions
PROBLEM
	Aurelien Cabezon (http://www.isecurelabs.com) found the following:
	
	As you know, there are many cross-site scripting issues in PHPNuke
	modules and in other web applications written in PHP.
	
	This cross-site scripting issue has two causes:
	 [1] modules.php does not check the user-supplied $name and $file
	     parameters before using them in an include();
	 [2] PHP's error reporting echoes the offending path back into the
	     page without HTML-encoding it.
	
	I found my website vulnerable to another cross-site scripting
	vulnerability. I thought the problem was in XForum (a forum module for
	PHPNuke). It was, but it was also in the way PHP reports errors and
	deals with error messages.
	
	
	---Vulnerable line in modules.php---
	include("modules/$name/$file.php");
	---Vulnerable line in modules.php---
	
	
	Exploit :
	
	http://host.com/modules.php?op=modload&name=XForum&file=[hostile javascript]&fid=2
	
	
	Hostile javascript could be:
	<script>alert(document.cookie);</script>
	which displays your cookie.
	
	This crafted URL causes modules.php to fail the include() and emit a
	PHP warning like this:
	
	
	---php error report---
	Warning: Failed opening 'modules/XForum/.php' for inclusion
	(include_path='') in /home/foo/htdocs/modules.php on line 27
	---php error report---
	
	
	The browser renders the warning as HTML, so the injected <script>
	element that was part of the file name is parsed and executed along
	with it. (That is why the warning as captured shows a bare
	'modules/XForum/.php': the browser had already consumed the <script>
	element when it rendered the page.)
SOLUTION
	Aurelien Cabezon found an easy and fast way to mitigate this and other
	cross-site scripting issues in modules.php and in other PHP web
	applications: just turn off PHP error reporting and wait for a fix
	from the PHP developers :) The error display should not echo unchecked
	request input back to the browser.
	
	Note that this hides the symptom rather than removing the cause.
	error_reporting(0) also stops the errors from being logged; on a
	production server it is better to keep error_reporting on, set
	display_errors to Off in php.ini (or ini_set('display_errors', '0')
	at the top of the script) and read the error log instead. The real fix
	is to validate $name and $file against a whitelist of allowed
	characters before the include(): the existing ereg("\.\.") test only
	blocks directory traversal and passes "<script>" straight through.
	
	
	Temp fix for phpnuke modules.php:
	
	
	
	---start of modules.php---
	<?php
	error_reporting(0); // Add this line: turn off error reporting so the warning never reaches the browser
	
	// original file ($op, $name and $file arrive via register_globals)
	
	switch($op) {
	
	 case "modload":
	  if (!isset($mainfile)) { include("mainfile.php"); }
	  // only directory traversal ("..") is rejected here; "<script>" passes this test
	  if (ereg("\.\.",$name) || ereg("\.\.",$file)) {
	   echo "You are so cool";
	   break;
	  } else {
	   include("modules/$name/$file.php");
	  }
	  break;
	
	 default:
	  die ("Sorry, you can't access this file directly...");
	  break;
	
	}
	
	---end of modules.php---
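The following is an added example, not PHP-Nuke's own code and not part of the original advisory: a hardened replacement for the modules.php dispatcher above that fixes the cause (unvalidated $name and $file reaching include()) instead of only silencing the warning. It assumes the same request parameters (op, name, file) and the same modules/<name>/<file>.php layout; MODULES_DIR, get_param(), is_safe_component() and resolve_module() are names chosen here for illustration, and it uses preg_match() because ereg() no longer exists in current PHP.

```php
<?php
// Added example (not PHP-Nuke's code): hardened modules.php dispatcher.
// Assumes request parameters op/name/file and a modules/<name>/<file>.php
// tree; MODULES_DIR and the helper names below are illustrative.

// Keep errors out of the response but keep them in the log. Unlike
// error_reporting(0), this still records the failed include for the admin.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

define('MODULES_DIR', __DIR__ . '/modules');

// Read a GET parameter as a string; arrays (name[]=x) are treated as empty.
function get_param(string $key): string
{
    $value = $_GET[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Whitelist instead of blacklist: exactly one path component made of
// letters, digits, '_' and '-'. This rejects '..', '/', NUL bytes, quotes
// and '<script>' in one test, where ereg("\.\.") only caught traversal.
function is_safe_component(string $value): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value) === 1;
}

// Map (name, file) to modules/<name>/<file>.php and confirm the resolved
// path is still inside MODULES_DIR. Returns the path, or null on any
// failure, without ever echoing the input back to the client.
function resolve_module(string $name, string $file): ?string
{
    if (!is_safe_component($name) || !is_safe_component($file)) {
        return null;
    }
    $base      = realpath(MODULES_DIR);
    $candidate = realpath(MODULES_DIR . '/' . $name . '/' . $file . '.php');
    if ($base === false || $candidate === false) {
        return null;   // directory or module file does not exist
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // a symlink or similar escaped the modules tree
    }
    return $candidate;
}

// Strip control characters before writing attacker input to the log, so a
// crafted value cannot forge extra log lines.
function log_safe(string $value): string
{
    return substr(preg_replace('/[^\x20-\x7e]/', '?', $value), 0, 200);
}

$op   = get_param('op');
$name = get_param('name');
$file = get_param('file');

switch ($op) {
    case 'modload':
        // Load the core unconditionally instead of trusting a
        // register_globals-controlled $mainfile flag.
        require_once __DIR__ . '/mainfile.php';

        $path = resolve_module($name, $file);
        if ($path === null) {
            // Attacker-controlled values go to the log, never to the page.
            // If input must be reflected, encode it first, e.g.
            // htmlspecialchars($name, ENT_QUOTES, 'UTF-8').
            error_log(sprintf('modules.php: rejected name=%s file=%s from %s',
                log_safe($name), log_safe($file),
                $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
            http_response_code(404);
            echo 'Module not found.';
            break;
        }
        include $path;
        break;

    default:
        http_response_code(403);
        die("Sorry, you can't access this file directly...");
}
```

With this in place the advisory's request (file=<script>alert(document.cookie);</script>) is rejected by is_safe_component() before any include() is attempted, so PHP never has a failing path to report; the client receives a fixed "Module not found." body and the rejected values appear only in the server log. Turning display_errors off remains worthwhile as defence in depth for any other warning the application might raise, but it is no longer what stands between the attacker and the page.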
	
	
