[17615] in bugtraq
All PHP-Nuke versions affected!!!
Message-Id: <3A0DD158.965F8B43@ptnix.com>
Date: Sat, 11 Nov 2000 23:08:08 +0000
Reply-To: Pedro Inacio <pedro.inacio@PTNIX.COM>
From: Pedro Inacio <pedro.inacio@PTNIX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi!
Recently the "fixed" version of the user.php script was released.
The vulnerability was reported in the article which can be read at
http://www.phpnuke.org/article.php?sid=251.
This new version, though, still allows any registered user to alter the
password and other personal details of other registered users.
I have looked at the code and corrected it; although this code is not in
the most optimized form, it does its job.
This is how user.php looked:
------
function saveuser($uid, $name, $uname, $email, $femail, $url, $pass,
                  $vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    // Only the submitted user name is compared with the login cookie;
    // the submitted $uid, which selects the row to update, is never checked.
    if ($user AND ($cookie[1] == $uname)) {
    ...
------
This is my fixed code:
------
function saveuser($uid, $name, $uname, $email, $femail, $url, $pass,
                  $vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    // Look up which uid the user named in the cookie actually owns.
    $user_check = $cookie[1];
    $result = mysql_query("select uid from users where uname='$user_check'");
    $vuid = mysql_result($result, 0, "uid");
    // The submitted $uid must be the one belonging to the logged-in user.
    if ($user AND ($cookie[1] == $uname) AND ($uid == $vuid)) {
    ...
------
Probably all the save*() functions have the same bug, because they do not
require a valid login to work, but I didn't take the time to check them
all.
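To make the difference between the two checks concrete, here is an added model (not PHP-Nuke code, and not from the post) of the authorization decision in saveuser(): it replays the original check and the fixed check against a constructed user table, with the login cookie reduced to the user-name field the code above reads as $cookie[1].

```python
# Model of the saveuser() authorization check from PHP-Nuke's user.php.
# Constructed sample data; the user table and cookie layout are assumptions.

USERS = {  # uid -> uname (constructed sample user table)
    1: "admin",
    2: "alice",
    3: "mallory",
}

def decoded_cookie(uname):
    """Models cookiedecode($user): the code above reads the user name from $cookie[1].
    Index 0 is unused in this model."""
    return [None, uname]

def uid_for_uname(uname):
    """Models "select uid from users where uname='...'"; None when no such user."""
    for uid, name in USERS.items():
        if name == uname:
            return uid
    return None

def vulnerable_saveuser_allowed(cookie, uid, uname):
    """Original check: only the submitted uname must match the cookie.
    The submitted uid, which picks the row to update, is never checked."""
    return bool(cookie) and cookie[1] == uname

def fixed_saveuser_allowed(cookie, uid, uname):
    """Fixed check: the submitted uid must also be the one owned by the cookie's user."""
    vuid = uid_for_uname(cookie[1])
    return bool(cookie) and cookie[1] == uname and uid == vuid

def record_that_would_be_updated(check, cookie, uid, uname):
    """Return the uid whose record the request would overwrite, or None if refused."""
    return uid if check(cookie, uid, uname) else None
```

A stricter variant ignores the submitted $uid altogether and updates only the row whose uid came from the server-side lookup, so the client never names the target record.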
Special thanks to:
Tharbad, paran0id, Nevermind and BeBe
My best regards,
Pedro Inacio aka DrBrain