23.3.3. Path disclosure with PHP-Nuke

Path disclosure is a vulnerability that enables a user to gain knowledge of the internal path structure of an installation. It affects not only PHP-Nuke, but almost all PHP scripts too. A typical path disclosure scenario goes as follows:

A user enters deliberately a value which is passed unchecked to the script. The value is crafted so as to cause an error in the PHP interpreter or the database server. The user's speculation is that the error message will contain valuable information about the paths of the given software installation.

As an example, the error could be something like:

Fatal error: Cannot redeclare theindex() in 
/mnt/be1/02/738/0004711/w3/htdocs/www.yoursite.net/index.php 
on line 7

Typically, error reporting is set to display the errors on the served page and the user would gain knowledge of the full path of the index.php script on the server. This may or may not worry you, but it is a good idea to keep undisclosed to malicious users. To achieve this, once a script is in production and displayed messages are no longer needed for debugging, they should be disabled.

Path disclosure with PHP-Nuke has been reported in the following cases:

• The search module can't handle certain characters such as """, ">" and "'". This causes PHP-Nuke to return an error m essage that discloses the installation path (see PHP-Nuke Path Disclosure Vulnerability).

• The PHP script "print.php" used by the modules "News" and "AvantGo" does not verify user input supplied to the "$sid" variable. A malicious person could exploit this to gain knowledge of the full path to the installation directory by sending a HTTP request including invalid input to the "$sid" variable (see PHP-Nuke Path Disclosure).