stephen2417 Worker


Joined: Jan 18, 2004 Posts: 244 Location: Bristolville, OH
Posted: Fri Jun 04, 2004 5:32 pm

Chat is this covered in your patches??
If not I think you better fix it up now and go to 2.5
 |
chatserv The Mouse Is Extension Of Arm

Joined: May 02, 2003 Posts: 1396 Location: Puerto Rico
Posted: Fri Jun 04, 2004 5:55 pm

You can tell school's out huh? Try the Exploitation Example on your site and let me know if you get anything other than a 403 page.
 |
stephen2417 Worker


Joined: Jan 18, 2004 Posts: 244 Location: Bristolville, OH
Posted: Fri Jun 04, 2004 6:00 pm

Yeppers.. I've been out for about two weeks now.. But besides the point. You're the man, it's 403 all the way.
 |
Tank863 New Member


Joined: May 29, 2003 Posts: 16
Posted: Sat Jun 05, 2004 10:12 am

Chat...
Try this as a proof of concept.
I was trying what 'they' suggested and all I got was the 403 page...
I tried the above and bamm..
Code:
Warning: main(mainfile.php): failed to open stream: No such file or directory in /usr/local/apache/htdocs/xxxx/modules/News/categories.php on line 19
Fatal error: main(): Failed opening required 'mainfile.php' (include_path='./:/usr/local/lib/php:/usr/lib/php:/usr/bin/:/usr/share/pear') in /usr/local/apache/htdocs/xxxx/modules/News/categories.php on line 19
 |
Tank863 New Member


Joined: May 29, 2003 Posts: 16
Posted: Sat Jun 05, 2004 10:29 am

Chat... see this string..
hope it helps
Tank863
 |
sixonetonoffun Spouse Contemplates Divorce

Joined: Jan 02, 2003 Posts: 2499
Posted: Sat Jun 05, 2004 10:41 am

Since literally every file is potentially affected I'd say this is one for FB to address with a release of a new version.
But that aside the actual vulnerability still can only be exploited by people who live on your server and then only if it's poorly configured. The path disclosure part is valid to the world but is minor overall in and of itself.
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat Jun 05, 2004 10:46 am

Tank863 wrote:
> Chat... see this string..
> hope it helps
> Tank863

The topic or post you requested does not exist
 |
sixonetonoffun Spouse Contemplates Divorce

Joined: Jan 02, 2003 Posts: 2499
Posted: Sat Jun 05, 2004 10:51 am

I guess my point was this isn't much different than someone accessing etc/passwd which can also be done easily on a shared server not in safe_mode.
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat Jun 05, 2004 11:07 am

True. I said this in another article - if someone has been able to place a symlink on your server, you have greater problems than nuke!
 |
sixonetonoffun Spouse Contemplates Divorce

Joined: Jan 02, 2003 Posts: 2499
Posted: Sat Jun 05, 2004 11:16 am

I'm not trying to discount the issue. I just think that since to patch this it will require every file to be modified, a new release is the best way to address the problem. But maybe an "Official PHPNuke" development site can address this issue for us all.
 |
Tank863 New Member


Joined: May 29, 2003 Posts: 16
Posted: Sat Jun 05, 2004 11:21 am

Sorry... here is the link... I guess it hanged from the last post..
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat Jun 05, 2004 11:32 am

Try adding this line to your .htaccess file
php_flag display_errors off
You should get a blank screen. I can write an error_handler at the PHP level to throw up another screen.
Last edited by Raven on Sat Jun 05, 2004 11:46 am; edited 1 time in total
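
Added example (not part of the thread, and not PHP-Nuke or forum code): a small Python check a site owner can run over a response body fetched from their own site to confirm that the display_errors change took effect. It looks for PHP's default "<level>: <message> in <file> on line <n>" error text, as in the output Tank863 posted; the function names and the sample bodies are constructed for illustration.

```python
import re

# PHP's default error text is "<Level>: <message> in <file> on line <n>".
# With html_errors on, the parts are wrapped in <b> tags, so tags are
# stripped and whitespace collapsed before matching.
_TAGS = re.compile(r"<[^>]+>")
_PHP_ERROR = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error)\s*:\s+"
    r"(?P<message>.*?)\s+in\s+(?P<file>(?:/|[A-Za-z]:[\\/])\S+?)"
    r"\s+on\s+line\s+(?P<line>\d+)"
)
_INCLUDE_PATH = re.compile(r"include_path='([^']*)'")


def find_path_disclosures(body):
    """Return one dict per PHP error message found in a response body."""
    text = " ".join(_TAGS.sub(" ", body).split())
    findings = []
    for m in _PHP_ERROR.finditer(text):
        inc = _INCLUDE_PATH.search(m.group("message"))
        findings.append({
            "level": m.group("level"),
            "file": m.group("file"),
            "line": int(m.group("line")),
            "include_path": inc.group(1) if inc else None,
        })
    return findings


def leaked_paths(body):
    """Distinct server filesystem paths exposed by error text in the body."""
    return sorted({f["file"] for f in find_path_disclosures(body)})


# Constructed sample bodies, modelled on the three outcomes in the thread.
LEAKY = (
    "<br />\n<b>Warning</b>:  main(mainfile.php): failed to open stream: "
    "No such file or directory in <b>/usr/local/apache/htdocs/xxxx/modules/"
    "News/categories.php</b> on line <b>19</b><br />\n"
    "<br />\n<b>Fatal error</b>:  main(): Failed opening required "
    "'mainfile.php' (include_path='./:/usr/local/lib/php') in <b>/usr/local/"
    "apache/htdocs/xxxx/modules/News/categories.php</b> on line <b>19</b><br />\n"
)
BLANK = ""  # display_errors off: nothing is sent to the browser
FORBIDDEN = "<html><head><title>403 Forbidden</title></head><body></body></html>"

if __name__ == "__main__":
    for name, body in [("leaky", LEAKY), ("blank", BLANK), ("403", FORBIDDEN)]:
        print(name, leaked_paths(body) or "no path disclosed")
```

An empty result on a blank page shows only that the path is no longer sent to the browser; the failed include still happens on the server.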
 |
Tank863 New Member


Joined: May 29, 2003 Posts: 16
Posted: Sat Jun 05, 2004 11:41 am

Raven.. that worked.. it did give me the blank screen...
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat Jun 05, 2004 11:43 am

There are actually several ways to corral this path disclosure issue. It is not nuke constrained/unique, although we all know we can depend on FB to provide fertile ground to play in. Anyway, I'm going to work on this this weekend and see what I can come up with.
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat Jun 05, 2004 11:45 am

Tank863 wrote:
> Raven.. that worked.. it did give me the blank screen...

I modified my other post to use php_flag instead of php_value - just a tweak for speed. Keep in mind that ALL errors will get a blank screen until the error handler is provided.
Last edited by Raven on Sat Jun 05, 2004 12:00 pm; edited 1 time in total
 |
Tank863 New Member


Joined: May 29, 2003 Posts: 16
Posted: Sat Jun 05, 2004 11:49 am

Yes.. that one does make a slight difference in speed..
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat Jun 05, 2004 12:11 pm

Keep in mind that if you use solely a php script solution, like ini_set(), you would need to place that on every page, whether through an include or actually on each page. That is where .htaccess obviously has an advantage. But for those that do not use Apache, then you will need to either do it at a server level php.ini level or at the php script level.
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat Jun 05, 2004 12:44 pm

Also, (sorry for all the addendums) just adding code to mainfile.php will work in many of the cases but there is no "rule" that mainfile.php must be called in addons. It's a convenience, not a requirement. And more importantly, this particular exploit (root path disclosure) is solely to display the root path, it is not to conform to nuke "rules" of coding. That's why a fix has to be at a higher level and cannot be not nuke specific.
 |
foxyfemfem New Member


Joined: Dec 07, 2003 Posts: 22 Location: USA
Posted: Sat Jun 05, 2004 1:17 pm

Raven wrote:
> That's why a fix has to be at a higher level and cannot be not nuke specific.

I assume you're referring to a php stand alone fix.. right? I use several php programs throughout my site in sub domains, therefore I added your .htaccess fix to all of my sub domains. Thanks!
 |
Brujo Regular


Joined: Jun 04, 2004 Posts: 84 Location: Germany
Posted: Sat Jun 05, 2004 2:23 pm

Raven wrote:
> Try adding this line to your .htaccess file
> php_flag display_errors off
> You should get a blank screen. I can write an error_handler at the PHP level to throw up another screen.

If I put it in my .htaccess I got an Internal Server Error, is there another way to do it?
with best regards
Brujo
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat Jun 05, 2004 3:25 pm

Brujo wrote:
> Raven wrote:
> > Try adding this line to your .htaccess file
> > php_flag display_errors off
> > You should get a blank screen. I can write an error_handler at the PHP level to throw up another screen.
>
> If I put it in my .htaccess I got an Internal Server Error, is there another way to do it?
> with best regards
> Brujo

Are you allowed to use .htaccess at your site? If so, then your host has restricted what php settings you can change. Try php_value instead of php_flag. If that still does not work, contact your host and ask them to allow the changing of display_errors via .htaccess.
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat Jun 05, 2004 3:28 pm

foxyfemfem wrote:
> Raven wrote:
> > That's why a fix has to be at a higher level and cannot be not nuke specific.
>
> I assume you're referring to a php stand alone fix.. right? I use several php programs throughout my site in sub domains, therefore I added your .htaccess fix to all of my sub domains. Thanks!

Correct. Actually, if you just place it in your root document .htaccess it should flow through to all subdomains, but it might be easier to have a separate .htaccess in each subdomain for convenience and organization. Better safe than sorry
 |
Brujo Regular


Joined: Jun 04, 2004 Posts: 84 Location: Germany
Posted: Sat Jun 05, 2004 3:32 pm

Raven wrote:
> Are you allowed to use .htaccess at your site? If so, then your host has restricted what php settings you can change. Try php_value instead of php_flag. If that still does not work, contact your host and ask them to allow the changing of display_errors via .htaccess.

Yes htaccess is allowed for me and it seems you are right that it is not allowed to change the php settings, so I opened a Ticket at my hoster.
thanks for your quick response
with best regards
Brujo
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Mon Jun 07, 2004 9:58 am

See this thread for a possible fix for .htaccess users
[Edited by Raven. I have enough tests and feedback to see if this is worth it. Thanks!]
 |