Date: Mon, 21 Aug 2000 16:23:40 -0300
From: "Elbruj0, Gandalf" <bruj0@SECURITYPORTAL.COM.AR>
Subject: Vuln. in all sites using PHP-Nuke, versions less than 3
To: BUGTRAQ@SECURITYFOCUS.COM

Greetings,

PHP-Nuke is a web portal system: storytelling software and an automated web site for distributing news and articles, with a user system.

Exploit:
-------

The problem is that when somebody requests http://example.com/admin.php3?admin=whatever, they get full access as an admin, meaning they can post news and do everything the actual administrator can do.

Description:
-----------

So, let's see why this is possible. File auth.inc.php3, which is used to authenticate the admin:

<----snip---->
if(isset($admin)) {
    if(!IsSet($mainfile)) { include("mainfile.php3"); }
    $admin = base64_decode($admin);
    $admin = explode(":", $admin);   <--- between this line and the one above, $admin becomes null
    $aid = "$admin[0]";              <--- $aid
    $pwd = "$admin[1]";              <--- $pwd = so these two are also null
<---snip--->
    $result=mysql_query("select pwd from authors where aid='$aid'");
    // ^^^ this becomes: select pwd from authors where aid='';  which returns nothing
<--snip--->
    } else {
        list($pass)=mysql_fetch_row($result);   <---- $pass gets null here
        if($pass == $pwd) {                      <--- so this translates to NULL == NULL
            $admintest = 1;                      <--- bingo! we're admin now!
        }
<---snip--->

Fix:
---

Now for the fix that I mailed to the author, and which he then added to the latest version that came out days ago. <rant>btw, he didn't even bother to mention who discovered it, AND just said HE found it AND fixed it.</rant>

For those that don't want to download the latest version at http://www.ncc.org.ve/php-nuke.php3, here's a quick fix:

File auth.inc.php3, line 37, add:

    if($aid=="" || $pwd=="") exit;

That's all, have fun.

---------------------------------------------
Webmaster of http://www.securityportal.com.ar
bruj0@phreaker.net
 /"\
 \ /  ASCII Ribbon Campaign
  X   Against HTML Mail
 / \
Proud member of http://www.undersec.com
---------------------------------------------
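As an added illustration of the auth.inc.php3 logic above and of the posted fix (this is example code written for this page, not PHP-Nuke's own code), the following PHP models the original check side by side with a hardened version. The in-memory $AUTHORS table and the lookupPwd() helper are constructed stand-ins for the mysql_query()/mysql_fetch_row() calls; the function names vulnerableAdminTest() and hardenedAdminTest() are invented here. The hardened version applies the advisory's empty-credential check and additionally refuses a missing row and compares with hash_equals() instead of ==, so PHP's loose comparison can no longer treat null and "" as equal.

```php
<?php
// Added example, not PHP-Nuke code: models the auth.inc.php3 admin check.

// Constructed sample data: one author row, pwd stored as the plaintext the
// original code compares against.
$AUTHORS = ['god' => 'secret'];

// Stand-in for mysql_query()/mysql_fetch_row(): returns the stored pwd for
// $aid, or false when no row matches. mysql_fetch_row() returns false on an
// empty result, and list($pass) = false leaves $pass null.
function lookupPwd(array $authors, string $aid)
{
    return $authors[$aid] ?? false;
}

// The original flow: base64-decode the parameter, split on ':' and compare
// the supplied pwd with the stored one using ==.
function vulnerableAdminTest(array $authors, string $adminParam): bool
{
    $admin = explode(":", base64_decode($adminParam));
    $aid = $admin[0];
    $pwd = $admin[1] ?? "";           // no ':' in the input -> $pwd is ""

    $row  = lookupPwd($authors, $aid);
    $pass = ($row === false) ? null : $row;   // what list($pass) yields

    // Loose comparison: null == "" is true, so a garbage $aid with no
    // matching row and an empty $pwd passes the test.
    return $pass == $pwd;
}

// Hardened flow: the advisory's quick fix plus two extra checks.
function hardenedAdminTest(array $authors, string $adminParam): bool
{
    $admin = explode(":", base64_decode($adminParam), 2);
    $aid = $admin[0];
    $pwd = $admin[1] ?? "";

    // The fix from the advisory: refuse empty credentials outright
    // (the original uses exit; a return keeps this function callable).
    if ($aid === "" || $pwd === "") {
        return false;
    }

    $pass = lookupPwd($authors, $aid);

    // Added hardening: no row means no admin, and a constant-time strict
    // comparison means no type juggling between null, "" and strings.
    if ($pass === false) {
        return false;
    }
    return hash_equals($pass, $pwd);
}

// Demonstration inputs: the advisory's forged parameter and a real login.
$forged = "whatever";
$legit  = base64_encode("god:secret");

var_dump(vulnerableAdminTest($AUTHORS, $forged));
var_dump(hardenedAdminTest($AUTHORS, $forged));
var_dump(hardenedAdminTest($AUTHORS, $legit));
```

The first call reproduces the advisory: base64_decode("whatever") yields bytes that match no author, the lookup returns false, $pass ends up null, $pwd is "" because there is no ':' to split on, and null == "" holds, so the vulnerable check grants admin. The second call is rejected at the empty-$pwd guard, and the third succeeds only because both the aid and the pwd match a stored row.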