The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass
Vulnerability
1. OVERVIEW
The PHP-Nuke version 8.x and lower versions are vulnerable to Cross
Site Request Forgery (CSRF) because its Anti-CSRF mechanism (Referer
Check) is found to be broken.
2. BACKGROUND
PHP-Nuke is a Web Portal System or content management system. The goal
of PHP-Nuke is to have an automated web site to distribute news and
articles with users system. Each user can submit comments to discuss
the articles. Main features include: web based admin, surveys, top
page, access stats page with counter, user customizable box, themes
manager for registered users, friendly administration GUI with graphic
topic manager, option to edit or delete stories, option to delete
comments, moderation system, Referrers page to know who link us,
sections manager, customizable HTML blocks, user and authors edit, an
integrated Banners Ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions.
3. VULNERABILITY DESCRIPTION
The PHP-Nuke version 8.x and lower versions contain a flaw that allows
a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw
exists because the application does not require multiple steps or
explicit confirmation for sensitive transactions for majority of
administrator functions such as adding new user, assigning user to
administrative privilege. By using a crafted URL, an attacker may
trick the victim into visiting to his web page to take advantage of
the trust relationship between the authenticated victim and the
application. Such an attack could trick the victim into executing
arbitrary commands in the context of their session with the
application, without further prompting or verification.
4. VERSIONS AFFECTED
8.0 and lower
Tested version: 8.0
The paid versions, 8.1 and 9.0, of PHP-Nuke may be vulnerable as well.
5. PROOF-OF-CONCEPT/EXPLOIT
Consider the following code snippet in /mainfile.php of PHP-Nuke:
//////////////////////////////////////////////////////////////////////////////
109if(!function_exists('stripos')) {
function stripos_clone($haystack, $needle, $offset=0) {
$return = strpos(strtoupper($haystack), strtoupper($needle), $offset);
if ($return === false) {
return false;
} else {
return true;
}
}
} else {
// But when this is PHP5, we use the original function
function stripos_clone($haystack, $needle, $offset=0) {
$return = stripos($haystack, $needle, $offset=0);
if ($return === false) {
return false;
} else {
return true;
}
}
128}
......
206// Posting from other servers in not allowed
207// Fix by Quake
208// Bug found by PeNdEjO
210if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (isset($_SERVER['HTTP_REFERER'])) {
212if (!stripos_clone($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) {
die('Posting from another server not allowed!');
}
} else {
die($posttags);
}
}
//////////////////////////////////////////////////////////////////////////////
It is clear that stripos_clone checks HTTP_REFERER value whether it
matches the target domain or not.
Attacker can easily bypass it by creating victim domain name under his
web root folder like:
http://attacker.in/victim.com/
>From there, he could effectively perform CSRF attacks against php-Nuke users.
A short P0C demo video can be seen at
http://yehg.net/lab/pr0js/training/view/misc/PHPNuke_8x_Anti-CSRF-Bypass/
6. SOLUTION
Not Available.
Use of this product is NOT recommended because of long lack of update
and vendor negligence about security reports.
7. VENDOR
PHP-Nuke Developers
http://phpnuke.org/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-01-01: contacted author through emails
2011-01-25: contacted author through web site contact form
2010-03-23: no replies from author
2010-03-23: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_cross_site_request_forgery
CSRF Wiki: https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery
About PHP-Nuke: http://en.wikipedia.org/wiki/PHP-Nuke
PHP-Nuke 8.0: http://phpnuke.org/modules.php?name=Downloads&d_op=getit&lid=658
CWE-352: http://cwe.mitre.org/data/definitions/352.html
#yehg [2010-03-23]
keywords: php nuke, php-nuke, phpnuke, 8.0, 8.1, csrf
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum