[16335] in bugtraq
Vuln. in all sites using PHP-Nuke, versions less than 3
daemon@ATHENA.MIT.EDU (Elbruj0, Gandalf)
Mon Aug 21 18:00:53 2000
Message-Id: <Pine.LNX.4.20.0008211558160.3828-100000@Ono-Sendai.hack.net>
Date: Mon, 21 Aug 2000 16:23:40 -0300
Reply-To: bruj0@SECURITYPORTAL.COM.AR
From: "Elbruj0, Gandalf" <bruj0@SECURITYPORTAL.COM.AR>
To: BUGTRAQ@SECURITYFOCUS.COM
Greetings,
PHP-Nuke is a web portal system: storytelling software and an automated web site
for distributing news and articles, with its own user system.
Exploit:
-------
The problem is that anybody who requests
http://example.com/admin.php3?admin=whatever
gets full administrator access, meaning posting news and everything else
the real administrator can do.
Description:
-----------
So, let's see why this is possible. The file auth.inc.php3, which is used to
authenticate the admin, does the following:
<----snip---->
if(isset($admin)) {
    if(!IsSet($mainfile)) { include("mainfile.php3"); }
    $admin = base64_decode($admin);
    $admin = explode(":", $admin); // "whatever" decodes to a few bytes that
                                   // contain no ":", so the array has ONE element
    $aid = "$admin[0]";            // $aid = the decoded junk, matching no author
    $pwd = "$admin[1]";            // $admin[1] does not exist, so $pwd = ""
<---snip--->
    $result=mysql_query("select pwd from authors where aid='$aid'");
    // select pwd from authors where aid='<junk>' matches no row at all
<--snip--->
    } else {
        list($pass)=mysql_fetch_row($result); // empty result: $pass is NULL
        if($pass == $pwd) {  // NULL == "" is TRUE under PHP's loose comparison
            $admintest = 1;  // bingo! we're admin now
        }
<---snip--->

In short: the code never checks that the query returned a row, and never
checks that a password was supplied, so an unknown author id with an empty
password compares equal to the NULL that comes back from the empty result.
The same thing happens with any value that decodes to a string without a
":" or to "someuser:" for a user that does not exist.
Fix:
---
Now for the fix that I mailed to the author, and which he then added to the latest
version, released a few days ago. <rant>btw, he didn't even bother to mention
who discovered it, AND just said HE found it AND fixed it. </rant>
For those who don't want to download the latest version from
http://www.ncc.org.ve/php-nuke.php3, here's a quick fix:
in file auth.inc.php3, at line 37, add
if($aid=="" || $pwd=="") exit;
This stops the empty-password case before the comparison is reached. Note that
it still does not verify that the query returned a row, and the comparison is
still a loose ==; a fuller fix also tests mysql_num_rows($result) and compares
the two strings strictly.
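As an added example (this is not the original post's code nor PHP-Nuke's), the
auth.inc.php3 logic above is reproduced in modern PHP against a constructed
in-memory stand-in for the authors table, with a hardened check beside it. The
function names, the lookup_author_pwd() helper and the sample row God/Password
are all assumptions made for the example:

```php
<?php
// Added example: reproduces the PHP-Nuke auth.inc.php3 flaw and a hardened
// version. The database is replaced by a constructed in-memory table.

// Constructed stand-in for "select pwd from authors where aid='...'".
// Returns the stored password, or null when no row matches, which is what
// list($pass) = mysql_fetch_row($result) yields on an empty result set.
function lookup_author_pwd(string $aid): ?string
{
    $authors = ['God' => 'Password']; // constructed sample row
    return $authors[$aid] ?? null;
}

// Vulnerable logic, as in the advisory: split the parameter, fetch the row,
// loose-compare whatever came back.
function vulnerable_admin_check(string $admin_param): bool
{
    $parts = explode(':', base64_decode($admin_param));
    $aid = $parts[0];
    $pwd = $parts[1] ?? '';          // "$admin[1]" on a one-element array is ""
    $pass = lookup_author_pwd($aid); // null when the author does not exist
    return $pass == $pwd;            // null == "" is true: the bypass
}

// Hardened logic: strict base64, both fields present and non-empty, a row
// actually returned, and a strict constant-time comparison instead of ==.
function hardened_admin_check(string $admin_param): bool
{
    $decoded = base64_decode($admin_param, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    [$aid, $pwd] = $parts;
    $pass = lookup_author_pwd($aid);
    if ($pass === null) {
        return false;                // no such author: never reach the compare
    }
    return hash_equals($pass, $pwd);
}

// Constructed inputs: the advisory's "whatever", a crafted unknown user with
// an empty password, and the legitimate sample credentials.
$inputs = [
    'whatever',
    base64_encode('nobody:'),
    base64_encode('God:Password'),
];
foreach ($inputs as $input) {
    printf(
        "%-20s vulnerable=%-5s hardened=%s\n",
        $input,
        var_export(vulnerable_admin_check($input), true),
        var_export(hardened_admin_check($input), true)
    );
}
```

Run it with the php CLI. The vulnerable check grants admin for both
"whatever" and base64("nobody:"), while the hardened check rejects them and
still accepts the sample credentials. The hardened function enforces what the
one-line quick fix only partly does: it requires a matching row before any
comparison happens, so a NULL from an empty result can never be compared with
anything the attacker controls.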
That's all, have fun.
---------------------------------------------
Webmaster of http://www.securityportal.com.ar
bruj0@phreaker.net
/"\
\ / ASCII Ribbon Campaign
X Against HTML Mail
/ \
Proud member of http://www.undersec.com
---------------------------------------------