Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Vuln. in all sites using PHP-Nuke, versions less than 3
From: Elbruj0, Gandalf (bruj0SECURITYPORTAL.COM.AR)
Date: Mon Aug 21 2000 - 14:23:40 CDT

PHP-Nuke is a Web Portal System, storytelling software also an
automated web site to distribute news and articles with users system.

The problem is when somebody does a
can have full access as an admin, that means posting news, and all that
the actual administrator can do.

So, lets see why this is posible, file auth.inc.php3, wich is used to
authentificate the admin:
if(isset($admin)) {
  if(!IsSet($mainfile)) { include("mainfile.php3"); }
  $admin = base64_decode($admin);
  $admin = explode(":", $admin); <--- between this line and the above
$admin becomes null
  $aid = "$admin[0]"; <--- $aid
  $pwd = "$admin[1]"; <--- $pwd = so this two also are null
  $result=mysql_query("select pwd from authors where aid='$aid'");
// ^^^this becomes: select pwd from authors where aid=''; wich returns nothing
  } else {
    list($pass)=mysql_fetch_row($result); <---- $pass is gets null here
        if($pass == $pwd) { <-- so this translate to NULL == NULL
        $admintest = 1; <--- bingo! we're admin now!


Now for the fix that i mailed to the author, and he then added to the last
version that came out days ago, <rant>btw, he didnt even bother to mention
who discoverd it, AND just said HE found it AND fix it. </rant>
For thouse that doesnt want to download the latest version, at
http://http://www.ncc.org.ve/php-nuke.php3, heres a quick fix:
File auth.inc.php3 line 37 add,
 if($aid=="" || $pwd=="") exit;

Thats all have fun. --------------------------------------------- Webmaster of http://www.securityportal.com.ar bruj0phreaker.net /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \ Proud member of http://www.undersec.com ---------------------------------------------