======================================================================
SecWatch 06/06/2005
FlatNuke Remote Denial of Service, Arbitrary PHP Code Execution,
Cross-Site Scripting and Path Disclosure Vulnerabilities
======================================================================

Table of Contents

Product Introduction.................................................1
Affected ............................................................2
Severity.............................................................3
Description of Vulnerability.........................................4
Proof of Concept.....................................................5
Solution.............................................................6
Time Line............................................................7
Credits..............................................................8

======================================================================

1) Introduction

Homepage: http://flatnuke.sourceforge.net/

Overview: FlatNuke is a CMS (Content Management System), utilising flat
files for information storage.
Advisory: http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt

SWID: 1010779

References:
http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256
http://securitytracker.com/alerts/2005/Jun/1014114.html
http://secunia.com/advisories/15603/
http://www.securityfocus.com/bid/13882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1896
http://www.osvdb.org/17165
http://www.osvdb.org/17166
http://www.osvdb.org/17167
http://www.osvdb.org/17168
http://www.osvdb.org/17169
http://www.osvdb.org/17170
http://www.osvdb.org/17171
http://www.osvdb.org/17172
http://www.frsirt.com/english/advisories/2005/0697

======================================================================

2) Affected

FlatNuke version 2.5.3. Prior versions may also be affected.

======================================================================

3) Severity

Rating: Moderately - Highly critical

Impact: Denial of Service
        System access
        Cross Site Scripting
        Exposure of system information
        Manipulation of data

Where: From remote

Action: Public disclosure

======================================================================

4) Description of Vulnerabilities

Multiple vulnerabilities in FlatNuke have been reported, which can be
exploited by remote users to trigger denial of service conditions,
execute arbitrary PHP code, conduct Cross-Site Scripting attacks and
disclose arbitrary images and system information.

If the "/flatnuke/foot_news.php" script is accessed directly, a while()
call is made that enters an infinite loop, leading to full CPU
utilisation.
HTTP referer information is stored in "/misc/flatstat/referer.php". A
remote user can submit a specially crafted HTTP request with a
non-URLencoded, spoofed referer such as "http://[attacker]/?cmd=", and
then directly access
"http://[target]/flatnuke/misc/flatstat/referer.php", where the PHP code
will be executed. The PHP code, including operating system commands,
will run with the privileges of the target web service.

User-supplied input passed to the "border" and "back" parameters in the
"/forum/help.php" and "/forum/footer.php" scripts is not correctly
sanitised. This can be exploited to execute arbitrary script code in the
security context of an affected website; as a result, the code will be
able to access any of the target user's cookies, access data recently
submitted by the target user via web form to the site, or take actions
on the site acting as the target user.

Note: Successful exploitation requires that "register_globals" is
enabled.

User-supplied input passed to the "image" parameter in the "thumb.php"
script is not correctly validated. This can be exploited to disclose
arbitrary images from external and local resources via directory
traversal attacks, or to disclose the installation path.

It is also possible to disclose the system path by accessing certain
scripts directly or with specially formed parameters.
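Two defensive patterns for the referer-logging and "image" parameter issues described above, as an added example that is not FlatNuke's code and not part of the original advisory; the function names, the log file location and the image directory are assumptions:

```php
<?php
// Added example (not FlatNuke's code): hardened versions of the two patterns above.

// 1) Referer logging. Never write attacker-controlled text into a file that PHP
//    will later execute. Store it as plain data (one JSON line per hit) in a file
//    outside the web root, and accept only plausible http(s) URLs.
function logReferer(string $logFile, ?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // not a URL: drop it, do not log it
    }
    // Drop control characters (a newline would forge extra log lines) and bound the length.
    $clean = substr(preg_replace('/[\x00-\x1F\x7F]/', '', $referer), 0, 2048);
    $entry = json_encode(['ts' => time(), 'referer' => $clean]) . "\n";
    return file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX) !== false;
}

// 2) thumb.php-style "image" parameter. Refuse remote URLs, confine the resolved
//    path to one directory, and return null (no error text) on any failure so the
//    installation path is never revealed to the client.
function resolveImage(string $imageDir, string $image): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $image)) {
        return null;                        // "http://..." and friends are rejected
    }
    $base = realpath($imageDir);
    $path = realpath($imageDir . '/' . $image);
    if ($base === false || $path === false) {
        return null;                        // missing file: say nothing about why
    }
    // realpath() has collapsed any "../"; the result must still sit under $base.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;                        // only image types are served
    }
    return $path;
}
```

Because the referer file is data rather than code, "?cmd=" style content is inert even if it is stored verbatim; the same separation (data files never executed by include()) is what a flat-file CMS should rely on throughout.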
======================================================================

5) Proof of Concept

Denial of Service:
http://[target]/flatnuke/foot_news.php

Arbitrary Command Execution PoC:
Demonstration exploit code has been released, available:
http://secwatch.org/exploits/2005/06/flatnuke_shell.php.info
http://secwatch.org/exploits/2005/06/flatnuke_253_referer.pm.info

Cross-Site Scripting:
http://[target]/forum/help.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/help.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?back=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/forum/footer.php?border=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Information Disclosure:
http://[target]/flatnuke/index.php?mod=none_Search&find=1&where=null
http://[target]/flatnuke/print.php
http://[target]/flatnuke/thumb.php?image=null

Arbitrary Image Disclosure:
http://[target]/flatnuke/thumb.php?image=../../non-webreadable/private/image.jpg
http://[target]/flatnuke/thumb.php?image=http://[attacker]/image.jpg
http://[target]/flatnuke/thumb.php?image=null

======================================================================

6) Solution

The vulnerabilities have been resolved in FlatNuke version 2.5.4,
available:
http://sourceforge.net/project/showfiles.php?group_id=93076&package_id=98622

Production systems should not display errors to clients.

======================================================================

7) Time Line

03/06/2005 - Information reported to SecWatch.
04/06/2005 - Information validated by SecWatch. Vendor notified.
05/06/2005 - Vendor responded promptly; new version (2.5.4) released
             resolving the issues. A safer referer logging method was
             suggested.
06/06/2005 - Public disclosure.

======================================================================

8) Credits

Discovered by an anonymous person, reported via SecWatch.