oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
Posted: Thu Nov 18, 2004 12:59 pm
Read on http://nukecops.com/postt37511.html
From security notice on http://www.zone-h.org/en/advisories/read/id=6310/
Note: edited to remove exploit examples.
Quote:
> Vulnerabilities:
> This piece of software has many security related flaws due to poor user-submitted data handling.
> A1 - full path disclosure in "config.php":
> A2, A3 - full path disclosure in "index.php" and "submit.php":
> B - XSS aka cross site scripting:
> C - script injection in calendar event comments:
> D - critical sql injection bugs in code:
Developer reply posted on http://phpnuke.holbrookau.net/
Quote:
> NOTICE
> Due to numerous security issues found recently, the PHP-Nuke Event Calendar module formerly found on this site is no longer available.
> Sorry, but as I don't have the time nor expertise to try and patch up the code, I suggest to those using it to delete it from their sites and seek a more secure and up-to-date alternative.
> - Holbrookau
Anyone have suggestions / alternatives for more secure calendar module/add-on? |
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Thu Nov 18, 2004 1:07 pm
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Thu Nov 18, 2004 10:43 pm
Sure would like to find a good alternative or fix the current module. I have been toying in my mind for a few days now on how to expand the module to include features such as recurrence. However, if it is insecure to begin with, is there an alternative?
If no alternative, can someone with more experience in patching nuke modules (CS?) comment on my assumptions / questions regarding each vulnerability type? If I can at least make my attempt at it, would someone be willing to look it over to see if I, in my newbie-dom, have missed something?
Here goes the assumptions / questions:
Regarding the following:
Quote:
> A1 - full path disclosure in "config.php":
Is this vulnerability solved by reviewing each included component and ensuring that it cannot be accessed directly using the standard code similar to the following?
Code:
```php
// Refuse direct requests to an include file; send the visitor to the module index instead.
// (eregi() was removed in PHP 7; newer code uses stripos() or preg_match() for the same check.)
if (eregi("header.php", $_SERVER['SCRIPT_NAME'])) {
    Header("Location: index.php");
    die();
}
```
Regarding the following:
Quote:
> A2, A3 - full path disclosure in "index.php" and "submit.php":
> B - XSS aka cross site scripting:
I am not clear as to what I should be looking for. Can someone give the general concept of how it is a problem? Not even sure what cross site scripting is. Does Sentinel block this?
Regarding the following:
Quote:
> C - script injection in calendar event comments:
> D - critical sql injection bugs in code:
Sentinel caught the UNION injection. Does anyone know if it would catch all of what waraxe describes? If not, can someone just give me a high-level understanding of what he is meaning by the double-quote issue? At least point in the right direction so I can look up the relevant PHP concepts.
Much obliged. I am just not ready to give up on this module just yet...
montego
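Defender-side guards for the three vulnerability classes montego asks about (direct-access / path disclosure, XSS in comments, SQL injection through an id parameter), as an added example in PHP that is not part of this thread or of the EventCalendar module; the function names are assumptions chosen for the illustration and the inputs are constructed.

```php
<?php
// Added example, not code from the EventCalendar module. Function names are assumptions.

// A1-A3: full path disclosure. Include files that die with a PHP warning when hit
// directly print their absolute path; a guard like the one above plus display_errors
// turned off in php.ini closes both ways of leaking it. Written with stripos() because
// eregi() no longer exists in PHP 7+.
function is_direct_request($script_name, $this_file)
{
    return stripos($script_name, $this_file) !== false;
}
// At the top of an include file this would be used as:
//   if (is_direct_request($_SERVER['SCRIPT_NAME'], 'header.php')) { header('Location: index.php'); exit; }

// B, C: XSS / script injection in event comments. Store what the user typed, but escape
// on output so any HTML or <script> in a comment is displayed as text, never executed.
function render_comment($raw)
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// D: SQL injection. An event id is numeric, so cast it before it reaches the query:
// once the value is an int, neither single nor double quotes in the input can alter
// the SQL, which is the class of trick a WAF rule for "UNION" alone would not stop.
function event_id_from_request($value)
{
    $id = intval($value);          // "15 UNION SELECT" -> 15, "abc" -> 0
    return $id > 0 ? $id : null;   // null means "not a valid event id", so refuse the request
}

function fetch_event_sql($eid)
{
    // Only safe because $eid has already been reduced to an int.
    // Free-text columns (title, comment) must not be concatenated like this;
    // use the DB driver's escaping for the quote style the query uses, or a prepared statement.
    return 'SELECT eid, title FROM nuke_events WHERE eid=' . (int) $eid;
}

// Constructed inputs demonstrating the guards.
var_dump(is_direct_request('/modules/EventCalendar/header.php', 'header.php'));
echo render_comment('Great event! <script>alert(1)</script>'), "\n";
var_dump(event_id_from_request('15 UNION SELECT'));
var_dump(event_id_from_request('abc'));
echo fetch_event_sql(event_id_from_request('15')), "\n";
```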
oprime2001
Posted: Fri Nov 19, 2004 10:49 pm
I haven't tried it myself, but I am in the process of migrating my EventCalendar to [link] from [link].
From the copyright.php:
Quote:
> based on EventCalendar 2.0
> Copyright (c) 2001 Originally by Rob Sutton
It seems these two calendar modules have similar roots. And to save you the half-hour it took me to figure out how to get the hometext column in nuke_events from [link] to text, it's just a matter of changing the column type from BLOB to text within phpmyadmin.
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Fri Nov 19, 2004 11:14 pm
I like [link]. It's different from EventCalendar (which I used previously) and Kalendar in that it handles recurring events. I haven't checked its security, but it does not use any BLOB fields and, also unlike EventCalendar and Kalendar, was based on an early version of [link], instead of Rob Sutton's Event Calendar, which might make it more difficult to convert.
montego, regarding full path disclosure, I believe this shouldn't be a problem if you have the php.ini display_errors setting set to false.
I believe NukeSentinel will cover everything else as long as EventCalendar uses standard phpNuke methods (i.e. via mainfile.php) for accessing data, but I'd gladly defer that to one of the developers.
_________________
I search, therefore I exist...
montego
Posted: Sat Nov 20, 2004 7:36 am
Does anyone have an idea if NuCalendar is secure? I have looked into WebCalendar on SourceForge and the standalone product looks incredible! I would love to Nuke-it if I had the skillsets (which I don't). It has great *groupware* features too that would work very nicely for a community site.
Does anyone know if it has been ported more recently to any of the nuke variants?
montego
montego
Posted: Sat Nov 20, 2004 7:41 am
P.S. Is there a support site/community for NuCalendar?
kguske
Posted: Sat Nov 20, 2004 8:49 am
Sorry! The official site for NuCalendar is [link]. It does have support forums, too. The site shows a beta version of NuCalendar .7 (the current download version is .61). I've found some tweaks to NuCalendar by others around the world, but haven't had the chance to look at them yet.
I'm thinking of nuking WebCalendar - it does have some really nice features. Unfortunately, I don't think it's been ported more recently (and NuCalendar is not really that current).
I've been evaluating calendar functions, and I found another powerful php-based calendar called [link], whose support site runs on Xoops and plans include a Nuke (php, Post, and / or Xoops) version (although comments on the WebCalendar support forums discuss a Nuke version, too). Calogic has a registration function, but it's really weak on that end. Both WebCalendar and Calogic have mini-calendars that could probably be made into blocks pretty easily.
But since I already use NuCalendar on a couple of sites, I'll probably check that for security before working on a nuke version of another event calendar.