Home page logo
/

bugtraq logo Bugtraq mailing list archives

All PHP-Nuke versions affected!!!
From: Pedro Inacio <pedro.inacio () PTNIX COM>
Date: Sat, 11 Nov 2000 23:08:08 +0000

Hi!

Recentely the "fixed" version of the user.php script was released.
The vulnerability was reported in the article which can be read in
http://www.phpnuke.org/article.php?sid=251.

This new version though still allows any registered user to alter the
password and other personal details of other registered users.

I have looked at the code and corrected it, although this code is not in
the most optimized form, but it does its job.

This is how the user.php looked like
------
function saveuser($uid, $name, $uname, $email, $femail, $url, $pass,
$vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    if ($user AND ($cookie[1] == $uname)) {
    ...
------

This is my fixed code:
------
function saveuser($uid, $name, $uname, $email, $femail, $url, $pass,
$vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    $user_check=$cookie[1];
    $result=mysql_query("select uid from users where
uname='$user_check'");
    $vuid=mysql_result($result,0,"uid");
    if ($user AND ($cookie[1] == $uname) AND ($uid == $vuid)) {
    ...
------


Probably all the save*() functions have the same bug because they do not
require a valid login to work with, but didn't take the time to check it
all.


Special thanks to:

Tharbad, paran0id, Nevermind and BeBe


My best regards,

Pedro Inacio aka DrBrain


  By Date           By Thread  

Current thread:
  • All PHP-Nuke versions affected!!! Pedro Inacio (Nov 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault