Bugtraq mailing list archives

All PHP-Nuke versions affected!!!


From: Pedro Inacio <pedro.inacio () PTNIX COM>
Date: Sat, 11 Nov 2000 23:08:08 +0000

Hi!

Recently the "fixed" version of the user.php script was released.
The vulnerability was reported in the article which can be read at
http://www.phpnuke.org/article.php?sid=251.

This new version though still allows any registered user to alter the
password and other personal details of other registered users.

I have looked at the code and corrected it. This code is not in
the most optimized form, but it does its job.

This is what user.php looked like:
------
function saveuser($uid, $name, $uname, $email, $femail, $url, $pass, $vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    if ($user AND ($cookie[1] == $uname)) {
    ...
------

This is my fixed code:
------
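function saveuser($uid, $name, $uname, $email, $femail, $url, $pass, $vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    // $cookie[1] is filled from the client's cookie, so escape it before it goes into SQL
    $user_check=addslashes($cookie[1]);
    // look up the uid stored for the username named in the cookie
    $result=mysql_query("select uid from users where uname='$user_check'");
    $vuid=mysql_result($result,0,"uid");
    // the submitted $uid must belong to the cookie's user
    if ($user AND ($cookie[1] == $uname) AND ($uid == $vuid)) {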
    ...
------


Probably all the save*() functions have the same bug because they do not
require a valid login to work with, but I didn't take the time to check them
all.


Special thanks to:

Tharbad, paran0id, Nevermind and BeBe


My best regards,

Pedro Inacio aka DrBrain
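
The difference between the two conditions quoted in the post, as an added example that is not part of the original message or of PHP-Nuke's code. It models only the visible `if` conditions; the in-memory `$users` array stands in for the users table, and `uid_for`, `may_save_original` and `may_save_fixed` are hypothetical names.

```php
<?php
// Constructed sample rows standing in for the users table (not from the post).
$users = [
    1 => ['uname' => 'alice'],
    2 => ['uname' => 'bob'],
];

// Hypothetical lookup: uid stored for a username, or null when there is none.
function uid_for(array $users, string $uname): ?int {
    foreach ($users as $uid => $row) {
        if ($row['uname'] === $uname) {
            return $uid;
        }
    }
    return null;
}

// Original condition: the cookie's username is compared with the submitted
// $uname only; the submitted $uid (the row to be written) is never tied to it.
function may_save_original(string $cookieUname, string $uname): bool {
    return $cookieUname !== '' && $cookieUname === $uname;
}

// Condition from the post's fix: $uid must equal the uid stored for the cookie's
// username. The null test and strict comparison keep a failed lookup from
// matching an empty or zero $uid, which a loose == against false would allow.
function may_save_fixed(array $users, string $cookieUname, string $uname, int $uid): bool {
    $vuid = uid_for($users, $cookieUname);
    return $vuid !== null && $cookieUname === $uname && $uid === $vuid;
}

// Constructed requests: [cookie username, submitted uname, submitted uid]
$requests = [
    'own record'       => ['alice', 'alice', 1],
    'mismatched uid'   => ['alice', 'alice', 2],
    'unknown username' => ['nobody', 'nobody', 0],
];

foreach ($requests as $label => [$cookieUname, $uname, $uid]) {
    printf("%-17s original=%-5s fixed=%s\n",
        $label,
        var_export(may_save_original($cookieUname, $uname), true),
        var_export(may_save_fixed($users, $cookieUname, $uname, $uid), true));
}
```

Any other save*() handler can be reviewed the same way: check whether the record identifier it writes to is derived from, or compared against, the identity in the cookie.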

