| Author |
Message |
kristalaz
Nuke Cadet
Joined: Sep 25, 2004
Posts: 3
Location: Germany
|
 Posted:
Mon Oct 04, 2004 5:27 am |
  |
| Code: |
phpNuke 7.5 WITH HEAVY SECURITY HOLES
Sicherheit
Tora von MaaxDesign writes: “When testing new administration system of phpNuke 7.5 I discovered heavy security holes. All modules, which use the new admin directory in the module directory, can be manipulated without being logged in as administrator.
On my test system it was possible for me to create download categories and delete user by simple URL manipulation. We have not tested more details until now. However possible also all other administration functions of these modules are easy to manipulate via the same way. Therefore I can only advise against the installation of this new version. wrote on 18.09 |
is there any patch? |
|
|
    |
|
scandicdiscopub
Sergeant
Joined: Oct 20, 2003
Posts: 88
|
| Posted:
Mon Oct 04, 2004 6:43 am |
|
hmmm what kind of url manipulation.
the way you write it makes it even kind of misterical
???
if you say something say it good else dont say nothing |
_________________
All we want is knowledge and if knowledge is power we should be considered dangerous.
http://www.nukeroyal.com|http://www.mexicomiamore.com| |
|
|
|
FreeBee
Sergeant
Joined: Aug 26, 2004
Posts: 75
|
| Posted:
Mon Oct 04, 2004 7:21 am |
|
Ok i've downloaded 7.5 a minute ago and checked it.
PHP-Nuke 7.5 is high risk vulnerable
The whole admin area is exploitable you can do everything even when you are not logged in as admin.
This the worst release i've ever seen.
I will tell where the risk is ONLY to a responsible Admin that has narrow contact with FB unless someone reports the bug with full exposure. |
|
|
|
|
afc
Lieutenant
Joined: May 28, 2003
Posts: 203
|
| Posted:
Mon Oct 04, 2004 3:45 pm |
|
i have fix for it just re-add everything he deleted in 7.5 and put 7.4 patched files version 2.6 by ChatServ. run to do it now |
|
|
|
|
FreeBee
Sergeant
Joined: Aug 26, 2004
Posts: 75
|
| Posted:
Mon Oct 04, 2004 9:15 pm |
|
| afc wrote: |
| i have fix for it just re-add everything he deleted in 7.5 and put 7.4 patched files version 2.6 by ChatServ. run to do it now |
AFAIK i have downloaded ChatServ patched 7.5 and it is still exploitable |
|
|
|
|
Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
|
| Posted:
Mon Oct 04, 2004 10:28 pm |
|
|
 |
|
FreeBee
Sergeant
Joined: Aug 26, 2004
Posts: 75
|
| Posted:
Mon Oct 04, 2004 10:34 pm |
|
It bypasses all security add-ons so I've contacted Bob Marion and he is working on a quick fix and a rewrite of the offending file.
I've described him how to prevent 90% of the attempts so the fix should be good and a "must have" when released.
just keep an eye on nukescripts.net |
|
|
|
|
Tora
Nuke Cadet
Joined: Jan 11, 2004
Posts: 8
|
| Posted:
Mon Oct 11, 2004 2:45 pm |
|
|
|
|
chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
|
| Posted:
Mon Oct 11, 2004 4:31 pm |
|
So what are the so called vulnerabilities? and please don't give me that page with a foreign language, makes no sense. |
_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources |
|
|
|
FreeBee
Sergeant
Joined: Aug 26, 2004
Posts: 75
|
| Posted:
Mon Oct 11, 2004 5:18 pm |
|
Ask Dr. Bob, i don't gonna exploit it here untill a fix is made. |
|
|
|
|
JohnGotti
Corporal
Joined: Sep 06, 2004
Posts: 57
|
| Posted:
Mon Oct 11, 2004 6:17 pm |
|
Has a fix for this been made yet?
Is there something that can be done in the mean time to prevent such a problem?
I've checked NukeScripts.net but cant seem to find any information on this!
If someone can point me in the right direction, I would greatly appreciate that!  |
_________________
C-4 Hosting
http://www.C-4.us
PHP Nuke Site Packages Starting At $5.99 per month! |
|
|
|
BobMarion
Nuke Soldier
Joined: Feb 20, 2003
Posts: 17
|
| Posted:
Mon Oct 11, 2004 8:33 pm |
|
|
|
|
JohnGotti
Corporal
Joined: Sep 06, 2004
Posts: 57
|
| Posted:
Mon Oct 11, 2004 9:27 pm |
|
| BobMarion wrote: |
| http://www.nukescripts.net/modules.php?name=News&file=article&sid=1249&mode=thread&order=0&thold=0 |
Thank you soooo much! |
_________________
C-4 Hosting
http://www.C-4.us
PHP Nuke Site Packages Starting At $5.99 per month! |
|
|
|
Tora
Nuke Cadet
Joined: Jan 11, 2004
Posts: 8
|
| Posted:
Mon Oct 11, 2004 11:04 pm |
|
|
|
|
FreeBee
Sergeant
Joined: Aug 26, 2004
Posts: 75
|
| Posted:
Tue Oct 12, 2004 5:22 pm |
|
Ok the fix is placed so here's the exploit:
When going to a phpnuke website you know who the admins are since the adminname is 90% the username.
Also the News articles show the author which is the adminname and not the original name of the person who posted the article.
So the admin loginname is exploited all over the place.
Now you need to know which variable stores the admin name and that is $aid.
So a GET, POST or COOKIE that has aid=ADMINNAME bypasses the whole security system since it only checks for $admin (the cookie)
So constructing a URL like: admin.php?aid=FreeBee&op=mod_author you have full control over that admin option since the new admin system in 7.5 uses the adminname and not $admin |
|
|
|
|
|
|
