Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16308
HistoryMar 10, 2007 - 12:00 a.m.

PHP-Nuke <= 8.0 Cookie Manipulation (lang)

2007-03-1000:00:00
vulners.com
17
JSON

/////////////////////////////////////////////////////////////////////////////////////////////////////
PHPNuke <= 8.0 Cookie Manipulation (lang)

PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: All version
BUG: Cookie Manipulation (lang) (SQL Injection + Local file include)
AUTHOR: Aleksandar aka sale83

///////////////////////////////////////////////////////////////////////////////////////////////////////
PHP.ini
Magic Quotes = OFF
//////////////////////////////////////////////////////////////////////////////////////////////////////
PHP-Nuke - >Preferences - > Multilingual Options-> On (Activate Multilingual features? = YES)
/////////////////////////////////////////////////////////////////////////////////////////////////////

Bug is found in mainfile.php line 327.

// Line 327 Bug is here
} elseif (isset($lang)) {
include_once("language/lang-".$lang.".php"); // This can be exploited by malicious users: ex: /…/…/robots.txt%00 Multilingual Options=OFF
$currentlang = $lang; // This can be exploited by malicious users. ex:SQL Injection in Top and News Module ($currentlang) Multilingual Options = On
} else {

/////////////////////////////////////////////////////////////////////////////////////////////////

This flaw is due to an error when handling the "lang" cookie parameter, which could be exploited by malicious users because $lang is not filtered.

Tested On:
Windows XP
Linux SlackWare 10.2
PHP Version 5.1.4
PHPNuke 8.0 ,7.9,7.6
Magic Quotes = OFF
Firefox 2 + Add N Edit Cookies Add-ons

/////////////////////////////////////////////////////////////////////////////////////////////////
Patch:

} elseif (isset($lang)) {
if (eregi('[A-Za-z]', $lang)) {
if (file_exists("language/lang-".$lang.".php")) {
include_once("language/lang-".$lang.".php");
$currentlang = $lang;
}else {
include_once("language/lang-english.php");
$currentlang = "english";
}
}else {
include_once("language/lang-english.php");
$currentlang = "english";
}
} else {

/////////////////////////////////////////////////////////////////////////////////////////////////
Best Regards
Aleksandar
Programmer and Web Developer
///////////////////////////////////////////////////////////////////////////////////////////////

JSON