Francisco Burzi PHP-Nuke Administrative Privileges Vulnerability
BID:1592
Info
| Bugtraq ID: | 1592 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Aug 21 2000 12:00AM |
| Updated: | Aug 21 2000 12:00AM |
| Credit: | Discovered and posted to Bugtraq on Aug 21, 2000 by [email protected]. More information was provided by Starman_Jones in his post to Bugtraq on August 23, 2000. |
| Vulnerable: | Francisco Burzi PHP-Nuke 2.5, Francisco Burzi PHP-Nuke 1.0 |
| Not Vulnerable: | Francisco Burzi PHP-Nuke 3.0 |
Discussion
PHP-Nuke is a website creation/maintenance tool written in PHP3. It is possible to elevate privileges in this system from normal user to administrator due to a flaw in the administrator authentication code. The problem occurs here ($aid holds the author name and $pwd the supplied author password; under PHP3 both arrive directly from the request as global variables):
// $aid = variable holding the author name, $pwd = the supplied author password
$result=mysql_query("select pwd from authors where aid='$aid'");
if(!$result) {
    // only a failed query is caught here, not an empty result set
    echo "Selection from database failed!";
    exit;
} else {
    // when no author matches, mysql_fetch_row() returns FALSE and $pass is left NULL
    list($pass)=mysql_fetch_row($result);
    if($pass == $pwd) {   // loose comparison: NULL == "" is TRUE
        $admintest = 1;
    }
}
First, the code only checks that the query itself succeeded. There is no check that any rows were returned, i.e. whether any author matches $aid. The supplied password is then compared with the result of the query. If no author matches, mysql_fetch_row() returns FALSE and list() leaves $pass as NULL. This is where the problem occurs: PHP's loose comparison operator (==) treats NULL and the empty string as equal, so requesting a non-existent author name together with an empty password satisfies the if($pass == $pwd) test, $admintest is set to 1 (TRUE), and the user is then able to perform all administrative functions.
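As an added illustration (not code from the PHP-Nuke project or from the advisory), the following PHP script reproduces the faulty comparison against an in-memory stand-in for the authors table and shows it next to a corrected check. The account names, passwords and the fetch_pwd_row() helper are constructed for the example; the fix shown (reject an empty result set, reject empty passwords, compare strictly) is what a practitioner would apply today, not necessarily the change made in PHP-Nuke 3.0.

```php
<?php
// Added example, not PHP-Nuke's own code. The `authors` table and the two
// accounts below are constructed for the demo; mysql_query()/mysql_fetch_row()
// are replaced by an in-memory lookup that returns false when no row matches,
// exactly as mysql_fetch_row() did.
declare(strict_types=1);

// Constructed stand-in for "select pwd from authors where aid='$aid'".
const AUTHORS = [
    'god'    => 'S3cret!',
    'editor' => 'hunter2',
];

// Returns a numerically indexed row like mysql_fetch_row(), or false if no author matches.
function fetch_pwd_row(string $aid)
{
    return array_key_exists($aid, AUTHORS) ? [AUTHORS[$aid]] : false;
}

// Vulnerable check: the logic of the PHP-Nuke 1.0/2.5 snippet.
function admintest_vulnerable(string $aid, string $pwd): bool
{
    $row = fetch_pwd_row($aid);
    // No check that a row came back. In the original, list($pass) = FALSE
    // left $pass as NULL; spelled out here so it behaves the same on any PHP version.
    $pass = ($row === false) ? null : $row[0];
    // Loose comparison: NULL == "" is TRUE, so an unknown author name plus an
    // empty password passes.
    return $pass == $pwd;
}

// Hardened check: refuse when no author matched, refuse empty passwords, and
// compare strictly (hash_equals() also runs in constant time).
function admintest_fixed(string $aid, string $pwd): bool
{
    $row = fetch_pwd_row($aid);
    if ($row === false) {
        return false;               // unknown author: deny, do not fall through
    }
    $pass = $row[0];
    if (!is_string($pass) || $pwd === '') {
        return false;               // never accept an empty password
    }
    return hash_equals($pass, $pwd); // === semantics, no NULL/"" coercion
}

// Demo: the third case (unknown author, empty password) is the bypass.
$cases = [['god', 'S3cret!'], ['god', ''], ['nobody', ''], ['nobody', 'x']];
foreach ($cases as [$aid, $pwd]) {
    printf("aid=%-7s pwd=%-9s vulnerable=%-5s fixed=%s\n",
        $aid, var_export($pwd, true),
        var_export(admintest_vulnerable($aid, $pwd), true),
        var_export(admintest_fixed($aid, $pwd), true));
}
```

Run it with `php` from the command line: the two checks agree on every case except the unknown author with an empty password, which the vulnerable version accepts and the hardened version rejects.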
Exploit / POC
http://target/admin.php3?admin=any_data
Solution / Fix
Solution:
Upgrade to PHP-Nuke 3.0:
Francisco Burzi PHP-Nuke 1.0
-
Francisco Burzi Nuke-3.0.tar.gz
http://www.ncc.org.ve/php-nuke.php3?op=download&location=http://download.sourceforge.net/phpnuke&file=PHP-Nuke-3.0.tar.gz
Francisco Burzi PHP-Nuke 2.5
-
Francisco Burzi Nuke-3.0.tar.gz
http://www.ncc.org.ve/php-nuke.php3?op=download&location=http://download.sourceforge.net/phpnuke&file=PHP-Nuke-3.0.tar.gz
References
References:
- PHP-Nuke Product Page (Francisco Burzi)