*************************************************************
* CODEBUG Labs
* Advisory #6
* Title: Multiple Vulnerabilities in Flat-nuke
* Author: Pierquinto 'Mantra' Manco
* English Version: David 'hanska' Paleino
* Product: Flat-Nuke 2.5.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org
*
**************************************************************
-) Software Page (www.flatnuke.org)
"FlatNuke is a CMS (Content Management System) which doesn't use any DBMS, in favour of text files only (from this fact comes its name). The last stable version of FlatNuke is 2.5.1."
-) The vulnerable function
The vulnerability stays in the index.php file in flatnuke's forum/ directory, which is located in the scripts' main directory:
13) || (stristr($nome,"\"")) || (stristr($nome, "\\")) || ($regpass != $reregpass)){
print _FERRCAMPO . "
<<" . _INDIETRO . "";
}
else {
$nome = str_replace("<", "", $nome);
$nome = str_replace(">", "", $nome);
$nome = stripslashes($nome);
$regpass = str_replace("<", "", $regpass);
$regpass = str_replace(">", "", $regpass);
$anag = str_replace(">", "", $anag);
$anag = str_replace("<", "", $anag);
$anag = stripslashes($anag);
$email = str_replace("<", "", $email);
$email = str_replace(">", "", $email);
$email = stripslashes($email);
$homep = str_replace("<", "", $homep);
$homep = str_replace(">", "", $homep);
$homep = stripslashes($homep);
$prof = str_replace("<", "", $prof);
$prof = str_replace(">", "", $prof);
$prof = stripslashes($prof);
$prov = str_replace("<", "", $prov);
$prov = str_replace(">", "", $prov);
$prov = stripslashes($prov);
$ava = str_replace("<", "", $ava);
$ava = str_replace(">", "", $ava);
if ($ava == "")
$ava="blank.png";
if ($url_avatar != "") {
$ava = $url_avatar;
$ava = str_replace("<", "", $ava);
$ava = str_replace(">", "", $ava);
}
else {
$ava = str_replace("<", "", $ava);
$ava = str_replace(">", "", $ava);
$ava = "images/" . $ava;
}
$firma = str_replace("<", "", $firma);
$firma = str_replace(">", "", $firma);
$firma = stripslashes($firma);
# Stores the password in a MD5 hash.
$regpass = md5($regpass);
$firma = str_replace("\n", "
", $firma);
$fp = fopen("users/$nome.php", "w");
// these fwrite() don't need any concurrent
// access check since the user can only access
// his own file
fwrite($fp, "\n");
fclose($fp);
...
?>
- - ) Remote Privilege Escalation
Make a HTML page with the following code:
Once you open the HTML page in ANY web browser, you need to fill in every field but the one called url_avatar, which we will use to register ourselves as administrators.
In the "url_avatar" field, press Enter at least twice, then write #10, this way we will make directives registering us as administrators precede that ones which would register us as normal users.
All this is possible because the script, in the registration function, does not check the values contained in the text fields that we have opportunely changed into textarea fields.
- - ) PHP Code Injection
This bug came into evidence while I was writing about the Remote Privilege Escalation:
Let's open again our HTML page from a browser and just fill in the fields like we did for the Remote Privilege Escalation bug. We will now use our "url_avatar" textarea to inject malicious code.
At this point, press Enter at least once and put out malicious PHP code, for example:
echo system($_GET[mantra]);
This command, for example, will give us a shell accessible from:
http://www.sitewithflatnuke.org/forum/users/$yourforumnickname.php?mantra=command_to_execute
- ) Patch
To correct these vulnerabilities some further parameters-checking should be implemented, and the users registration and mantainance system should be restructured.
-) Notes
Through the use of Google or any other kind of search engine it is possible to create a worm, like Santy for phpBB, and spread it over each system running FlatNuke, with a high probability of causing damages.
*****************************************************************
http://www.codebug.org
*****************************************************************