[waraxe-2004-SA#008] - Easy way to get superadmin rights in PhpNuke 6.x-7.1.0

Login or Register

:: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools ::

February 7, 2012

Menu

Home

Discussions

	Forums
	Members List
	IRC chat

Tools

	Base64 coder
	MD5 hash
	CRC32 checksum
	ROT13 coder
	SHA-1 hash
	URL-decoder
	Sql Char Encoder

Affiliates

	Error solutions
	y3dips ITsec
	Md5 Cracker
	plain-text.info
	Game Reviews
	User Manuals
	AlbumNow

Content

	Content
	Sections
	FAQ
	Top

Info

	Feedback
	Recommend Us
	Search
	Journal
	Your Account

User Info

Membership:

Latest: Meonkzt

New Today: 1

New Yesterday: 2

Overall: 7978

People Online:

Visitors: 231

Members: 2

Total: 233

Online Now:
01: c1ay - Forums
02: ZiPo - Homepage

milw0rm

·[webapps / 0day] - Tube Ace(Adult PHP Tube Script) SQL Injection
·[webapps / 0day] - GAzie <= 5.20 Cross Site Request Forgery
·[dos / poc] - Edraw Diagram Component 5 ActiveX buffer overflow DoS
·[dos / poc] - PHP 5.4.0RC6 64bit Denial of Service
·[dos / poc] - PHP 5.4SVN-2012-02-03 htmlspecialchars/entities Buffer Overflow
·[dos / poc] - torrent-stats httpd.c Denial of Service
·[remote exploits] - Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Execute
·[remote exploits] - Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57
·[dos / poc] - NetSarang Xlpd Printer Daemon 4 Denial of Service Vulnerability
·[dos / poc] - OfficeSIP Server 3.1 Denial Of Service Vulnerability

read more...

PacketStorm News

·Debian Security Advisory 2384-2
·Secunia Security Advisory 47843
·Secunia Security Advisory 47856
·Secunia Security Advisory 47859
·Secunia Security Advisory 47851
·Secunia Security Advisory 47806
·Secunia Security Advisory 47846
·Secunia Security Advisory 47817
·Secunia Security Advisory 47813
·Secunia Security Advisory 47847

read more...

[waraxe-2004-SA#008] - Easy way to get superadmin rights in PhpNuke 6.x-7.1.0

Author: Janek Vind "waraxe"
Date: 16. March 2004
Location: Estonia, Tartu

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is popular freeware content management system, written in php by
Francisco Burzi. This CMS (Content Management System) is used on many thousands
websites, because it`s free of charge, easy to install and has broad set of features.

Homepage: http://phpnuke.org

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is kind of generic method and it works with many other software too.

First, we must make some posting to the guestbook or forum (PhpBB is integrated to
PhpNuke and in most cases is active module). And besides usual text we use BBcode for
adding "image" with url like that:

admin.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala@hot.ee&add_radminsuper=1

For example in forum:

[img]http://www.victim.com/admin.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala@hot.ee&add_radminsuper=1[/img]

Now, after posting, we can see "broken" picture, added to our post. And when person with superadmin rights
will browse forum and read this post, then new superadmin account will be created "automatically".
One more way to attack - send u2u message directly to admin and use described method for message.
When admin reads the u2u message - attacker get's superadmin account.

Now, this is of course most simple method to exploit this weakness. If attacker wants to
hide the true meaning of the "image", then lets consider something like this:

[img]http://www.attacker.com/images/pic008.jpg[/img]

Is this somehow suspicious picture url? Nop ;)
But wise attacker will use Apache webserver's advanced features and if client's browser will request picture
from attacker's server, then server just redirects the browser to new, "bad" url ;)

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum staff and to all IT security related people in Estonia! Tervitused!
Special greets to ulljobu!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------

Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2005-01-06 (3700 reads)

Top members by posts

waraxe - 2390

vince213333 - 707

pexli - 663

Mullog - 484

shai-tan - 477

LINUX - 404

Cyko - 353

tsabitah - 328

y3dips - 281

lenny - 275

News @ SecurityFocus

·News: Twitter attacker had proper credentials
·News: PhotoDNA scans images for child abuse
·News: Conficker data highlights infected networks
·News: Popular apps need better patching, says report
·Brief: Google offers bounty on browser bugs
·Brief: Cyberattacks from U.S. "greatest concern"
·Brief: Microsoft patches as fraudsters target IE flaw
·Brief: Attack on IE 0-day refined by researchers
·News: Adobe pushes out Flash security fix
·News: Most consumers reuse banking passwords

read more...

Security Basics

·Verifying my FB page
·Re: Re: Picking a SIEM: How's envision compared with Arcsight?
·Exploit Pack - Hacking Microsoft Word and Excel
·Re: Best Commercial Security Testing tools
·Re: VPN Service
·RE: CISSP online training
·RE: VPN Service
·Re: VPN Service
·Re: VPN Service
·Re: VPN Service

read more...

alexa

Book Opinions
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2010 Janek Vind "waraxe"

Page Generation: 0.097 Seconds