PHP Nuke User/Administrator Account Compromise Vulnerability
BID:2431
Info
| Bugtraq ID: | 2431 |
| Class: | Input Validation Error |
| CVE: | CVE-2001-0911 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 23 2001 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | Reported to bugtraq by Joao Gouveia <[email protected]> on Fri, 23 Feb, 2001. |
| Vulnerable: | Francisco Burzi PHP-Nuke 4.4, Francisco Burzi PHP-Nuke 4.3, Francisco Burzi PHP-Nuke 4.0 |
| Not Vulnerable: | |
Discussion
PHP Nuke uses a global variable named '$user'. It is normally retrieved from a cookie, but it can also be supplied in a URL. The value contains uuencoded fields holding the user's information and the user's password hash.
These fields are decoded on the server and used in various SQL queries during the execution of PHP Nuke scripts.
Several of the variables used in these queries contain user-supplied input, so attacker-chosen values can be injected through a crafted uuencoded $user variable passed in a URL.
An attacker can modify the query so that its logic forces the retrieval of sensitive information associated with arbitrary users. This requires that the attacker know a valid username.
If exploited, the attacker gains the encrypted password and user information of the target user.
The password could then be brute-forced, allowing further compromises of the affected host, including arbitrary file access and remote command execution as the webserver process.
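The following PHP sketch is an added illustration of the flaw and its fix, not PHP-Nuke's own code. It assumes the decoded $user value is a colon-separated "uid:uname:passhash" string (base64 stands in for the uuencoding the advisory describes), that $db is an open mysqli connection, and that the table and column names are as shown; all of these are assumptions.

```php
<?php
// Added illustration, not PHP-Nuke's own code. Assumptions: the decoded
// $user value is "uid:uname:passhash" (base64 stands in for uuencoding),
// $db is an open mysqli connection, and the table/column names are made up.

// Vulnerable pattern: with register_globals, $user may arrive in the query
// string instead of the cookie, and its decoded fields are spliced straight
// into the SQL text, which is the input validation error the advisory reports.
function userinfo_vulnerable(mysqli $db, string $user): ?array
{
    $fields = explode(':', base64_decode($user));
    $uname  = $fields[1] ?? '';
    $pass   = $fields[2] ?? '';
    $sql = "SELECT uname, pass, email FROM nuke_users "
         . "WHERE uname='$uname' AND pass='$pass'";   // injection point
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened pattern: read the value from $_COOKIE only, validate every decoded
// field against a strict pattern, bind the username as a query parameter, and
// compare the password hash in PHP, so no attacker-controlled byte reaches
// the SQL text.
function userinfo_hardened(mysqli $db, array $cookie): ?array
{
    $raw = base64_decode($cookie['user'] ?? '', true);
    if ($raw === false) {
        return null;
    }
    $fields = explode(':', $raw);
    if (count($fields) !== 3) {
        return null;
    }
    [$uid, $uname, $pass] = $fields;
    if (!ctype_digit($uid)
        || !preg_match('/^[A-Za-z0-9_]{1,25}$/', $uname)
        || !preg_match('/^[0-9a-f]{32}$/', $pass)) {   // MD5 hex digest
        return null;
    }
    $stmt = $db->prepare(
        'SELECT uname, pass, email FROM nuke_users WHERE user_id = ? AND uname = ?'
    );
    $stmt->bind_param('is', $uid, $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row || !hash_equals($row['pass'], $pass)) {
        return null;
    }
    return $row;
}
```

In the hardened form the only values that reach the database are a bound integer and a bound identifier-shaped string; a log of requests that carry a `user` parameter in the query string rather than in the cookie is a cheap detection signal for attempts against the original pattern.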