Formmail.php and PHP-Nuke Vulnerabilities Reported


SecurityFocus is a vendor-neutral site that provides objective, timely and comprehensive security information on both closed and open source software. Today's vulnerability digest, delivered by e-mail through the BugTraq mailing list, covers two popular open source packages used by web designers and developers: Jack's Formmail.php and PHP-Nuke. The relevant items, with their BugTraq IDs and reference URLs, are reproduced below.

5. Joe Lumbroso Jack’s Formmail.php Unauthorized Remote File Up…
BugTraq ID: 9591
Remote: Yes
Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9591
Summary:
Jack's Formmail.php is a web-based form to e-mail gateway. The
application is written in PHP, however, a Perl version is available as
well.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to gain unauthorized access to a vulnerable server and
upload arbitrary files.

It has been reported that the software verifies the origin of a request
via HTTP referer. Due to improper validation performed in the
‘check_referer()’ function, an attacker can bypass the checks by supplying
an empty value for HTTP referer. This issue may then allow an attacker to
upload a file via the ‘css’ variable of ‘file.php’ script.

Successful exploitation of this issue may allow an attacker to save
malicious files to the system or potentially overwrite sensitive files.

Although unconfirmed, Formmail.php versions 5.0 and prior may be affected
by this issue.
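The bypass described above hinges on a referer check that treats an absent or empty Referer header as trusted. The PHP below is an added illustration of that pattern beside a stricter check; it is not Jack's Formmail.php code, and the hostnames and test inputs are made up for the example.

```php
<?php
// Added example, not Jack's Formmail.php code. Illustrates the weakness class
// described in BID 9591 (an empty HTTP referer passing check_referer()) next
// to a stricter check. Hostnames below are hypothetical.

$allowed_hosts = ['www.example.com', 'example.com']; // hypothetical allowlist

// Weak pattern: a missing or empty Referer is treated as "trusted", so a
// client can bypass the check simply by not sending the header. The
// substring comparison is a second weakness (lookalike hosts pass).
function check_referer_weak(string $referer, array $allowed): bool
{
    if ($referer === '') {
        return true;                 // the bypass: empty referer is accepted
    }
    foreach ($allowed as $host) {
        if (stripos($referer, $host) !== false) {
            return true;
        }
    }
    return false;
}

// Stricter pattern: an empty referer is rejected, the host part is parsed
// out of the URL and compared exactly against the allowlist.
function check_referer_strict(string $referer, array $allowed): bool
{
    if ($referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    $allowed = array_map('strtolower', $allowed);
    return in_array(strtolower($host), $allowed, true);
}

// Constructed inputs: the header an attacker would omit, a legitimate
// origin, and a lookalike host that contains an allowed name as a substring.
$cases = [
    ''                                       => 'empty referer',
    'http://www.example.com/contact.html'    => 'legitimate origin',
    'http://www.example.com.attacker.test/x' => 'lookalike host',
];

foreach ($cases as $ref => $label) {
    printf("%-18s weak=%-5s strict=%s\n", $label,
        check_referer_weak($ref, $allowed_hosts) ? 'allow' : 'deny',
        check_referer_strict($ref, $allowed_hosts) ? 'allow' : 'deny');
}
```

In a real handler the value under test is `$_SERVER['HTTP_REFERER'] ?? ''`. Even the stricter version only raises the bar: the Referer header is client-controlled and many proxies and browsers strip it, so a form-to-mail script should not rely on it as the sole gate in front of anything that writes files. Any file-handling path needs its own authentication and path validation, or should be removed.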

14. PHP-Nuke ‘News’ Module Cross-Site Scripting Vulnerability
BugTraq ID: 9605
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9605
Summary:
PHP-Nuke is a freeware content management system. Implemented in PHP, it
is available for a range of systems, including Unix, Linux, and Microsoft
Windows.

It has been reported that the PHP-Nuke ‘News’ module is prone to a
cross-site scripting vulnerability. The issue arises due to the module
failing to properly sanitize user-supplied information. The URI parameter
‘title’ is not properly sanitized of HTML tags. This could allow for
execution of hostile HTML and script code in the web client of a user who
visits a vulnerable web page. This would occur in the security context of
the site hosting the software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It has been reported that this issue affects versions 6.x – 7.x of the
software; however, earlier versions may also be vulnerable.

21. PHP-Nuke ‘Reviews’ Module Cross-Site Scripting Vulnerability
BugTraq ID: 9613
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9613
Summary:
PHP-Nuke is a freeware content management system. Implemented in PHP, it
is available for a range of systems, including Unix, Linux, and Microsoft
Windows.

It has been reported that the PHP-Nuke ‘Reviews’ module is prone to a
cross-site scripting vulnerability. The issue arises due to the module
failing to properly sanitize user-supplied information. The URI parameter
‘title’ is not properly sanitized of HTML tags. This could allow for
execution of hostile HTML and script code in the web client of a user who
visits a vulnerable web page. This would occur in the security context of
the site hosting the software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It has been reported that this issue affects versions 6.x – 7.x of the
software; however, earlier versions may also be vulnerable.
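The two PHP-Nuke items above (the 'News' module and the 'Reviews' module) describe the same defect: the 'title' URI parameter is written back into the page without HTML encoding. The PHP below is an added example, not PHP-Nuke code, showing that output pattern beside the encoded version; the surrounding markup and the sample input are constructed.

```php
<?php
// Added example, not PHP-Nuke code. Shows the output pattern behind BID 9605
// and BID 9613: a query-string parameter ('title') echoed into HTML verbatim,
// next to the same output with proper encoding.

// Vulnerable: whatever arrives in ?title= becomes part of the markup, so HTML
// tags and script in the parameter run in the visitor's browser with the
// site's origin (which is what makes cookie theft possible).
function render_title_unsafe(string $title): string
{
    return '<h2 class="title">' . $title . '</h2>';
}

// Fixed: encode for an HTML text context. ENT_QUOTES also escapes both quote
// characters, so the same helper is safe inside a quoted attribute value;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_title_safe(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2 class="title">' . $safe . '</h2>';
}

// Constructed input standing in for a hostile ?title= value. Reading it from
// $_GET mirrors how the module receives it; the fallback lets the script run
// from the command line.
$title = $_GET['title'] ?? 'Weekly news <script>alert(document.cookie)</script>';

echo render_title_unsafe($title), "\n";   // tags reach the browser intact
echo render_title_safe($title), "\n";     // tags arrive as &lt;script&gt;...
```

The encoding has to happen at the point of output for every place the module prints the parameter, not once on input; a value that is safe in an HTML text node is not automatically safe inside a `<script>` block or a URL, and the 'title' value in both modules lands in page content.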

23. PHP-Nuke Public Message SQL Injection Vulnerability
BugTraq ID: 9615
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9615
Summary:
PHP-Nuke is a freeware content management system. Implemented in PHP, it
is available for a range of systems, including Unix, Linux, and Microsoft
Windows.

It has been reported that the ‘public message’ feature of PHP-Nuke is
vulnerable to an SQL injection vulnerability. The issue is due to a
failure to properly sanitize the ‘$p_msg’ parameter in the
‘public_message()’ function of the ‘/mainfile.php’ script.

As PHP-Nuke forces all variables to be global within the context of the
application, the ‘$p_msg’ parameter may be specified in either POST, GET
or COOKIE data. Within the ‘public_message()’ function, the ‘$p_msg’
parameter is decoded into the ‘$c_mid’ parameter, which is directly used
in the generation of the SQL query. An attacker could use an SQL Union
command passed via the ‘$p_msg’ parameter to mine data from the database.

As a result of this issue an attacker could modify the logic and structure
of database queries. Other attacks may also be possible, such as gaining
access to sensitive information.

It has been reported that this issue affects versions 6.x – 7.x of the
software; however, earlier versions may also be vulnerable.
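To make the query-building problem above concrete, here is an added PHP example, not PHP-Nuke's mainfile.php, that mirrors the pattern the advisory describes: a request parameter is decoded and concatenated into a SQL statement, beside a version that validates and binds the value. The table and column names, the choice of base64 as the decoding step, and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example, not PHP-Nuke's mainfile.php. Mirrors the pattern described
// for BID 9615: $p_msg is decoded into $c_mid and interpolated into a query.
// Schema, sample rows and the base64 decoding step are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE public_message (mid INTEGER PRIMARY KEY, content TEXT)');
$db->exec('CREATE TABLE users (name TEXT, pass TEXT)');
$db->exec("INSERT INTO public_message VALUES (1, 'Welcome to the site')");
$db->exec("INSERT INTO users VALUES ('admin', 'constructed-hash')");

// Vulnerable: under register_globals $p_msg may come from GET, POST or a
// cookie; the decoded string goes straight into the SQL text.
function public_message_unsafe(PDO $db, string $p_msg): array
{
    $c_mid = base64_decode($p_msg);                   // assumed decoding step
    $sql   = "SELECT content FROM public_message WHERE mid = $c_mid";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: decode strictly, insist on a plain integer id, and bind it as a
// parameter so the value can never change the query's structure.
function public_message_safe(PDO $db, string $p_msg): array
{
    $c_mid = base64_decode($p_msg, true);             // false on non-base64 input
    if ($c_mid === false || !preg_match('/\A\d+\z/', $c_mid)) {
        return [];                                    // not a message id: refuse
    }
    $stmt = $db->prepare('SELECT content FROM public_message WHERE mid = ?');
    $stmt->execute([(int) $c_mid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal id, and a UNION payload of the kind the
// advisory mentions, each base64-encoded as the parameter would be.
$normal   = base64_encode('1');
$injected = base64_encode("1 UNION SELECT name || ':' || pass FROM users");

print_r(public_message_unsafe($db, $normal));    // ["Welcome to the site"]
print_r(public_message_unsafe($db, $injected));  // adds "admin:constructed-hash"
print_r(public_message_safe($db, $injected));    // [] (rejected before any query)
```

The advisory's observation about register_globals matters for the fix as well as the attack: because `$p_msg` can be set through GET, POST or a cookie, the hardened code should take the value from one explicit superglobal (for example `$_GET['p_msg'] ?? ''`) rather than an auto-created global, and the hosting configuration should have `register_globals` turned off so the application's other variables cannot be seeded from the request either.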

Blane Warrene