Bugtraq mailing list archives
All PHP-Nuke versions affected!!!
From: Pedro Inacio <pedro.inacio () PTNIX COM>
Date: Sat, 11 Nov 2000 23:08:08 +0000
Hi!

Recently the "fixed" version of the user.php script was released. The vulnerability was reported in the article which can be read in http://www.phpnuke.org/article.php?sid=251.

This new version though still allows any registered user to alter the password and other personal details of other registered users. I have looked at the code and corrected it, although this code is not in the most optimized form, but it does its job.

This is what the user.php looked like:

------
function saveuser($uid, $name, $uname, $email, $femail, $url, $pass, $vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    if ($user AND ($cookie[1] == $uname)) {
    ...
------

This is my fixed code:

------
function saveuser($uid, $name, $uname, $email, $femail, $url, $pass, $vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    // look up the uid that belongs to the user named in the cookie
    $user_check=$cookie[1];
    $result=mysql_query("select uid from users where uname='$user_check'");
    $vuid=mysql_result($result,0,"uid");
    if ($user AND ($cookie[1] == $uname) AND ($uid == $vuid)) {
    ...
------

Probably all the save*() functions have the same bug because they do not require a valid login to work with, but I didn't take the time to check it all.

Special thanks to: Tharbad, paran0id, Nevermind and BeBe

My best regards,
Pedro Inacio aka DrBrain
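The two checks quoted in the post, side by side, as an added example that is not part of the original message and is not PHP-Nuke code. It assumes the cookie username has already been authenticated and that the elided function body updates the row selected by the submitted uid; the table layout, function names and sample rows are constructed, and a bound parameter replaces the interpolated query.

```php
<?php
// Added illustration. Schema, function names and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT UNIQUE, email TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.test')");
$db->exec("INSERT INTO users VALUES (2, 'mallory', 'mallory@example.test')");

// Check as in the released script: only the submitted uname is compared
// with the cookie, so the submitted uid is never tied to the session user.
function check_released(string $cookieUname, int $uid, string $uname): bool {
    return $cookieUname !== '' && $cookieUname === $uname;
}

// Check as in the post's fix: resolve the uid owned by the cookie user and
// require the submitted uid to match it. The cookie value is passed as a
// bound parameter rather than interpolated into the SQL string.
function check_fixed(PDO $db, string $cookieUname, int $uid, string $uname): bool {
    $st = $db->prepare('SELECT uid FROM users WHERE uname = ?');
    $st->execute([$cookieUname]);
    $vuid = $st->fetchColumn();
    return $vuid !== false && $cookieUname === $uname && (int)$vuid === $uid;
}

// Stricter variant: ignore any client-supplied uid and key the update on
// the server-side identity only. Returns the number of rows changed.
function save_email(PDO $db, string $cookieUname, string $email): int {
    $st = $db->prepare('UPDATE users SET email = ? WHERE uname = ?');
    $st->execute([$email, $cookieUname]);
    return $st->rowCount();
}

// Constructed request: session user "mallory" submits her own uname but
// another account's uid.
$cookieUname = 'mallory';
$uid = 1;
$uname = 'mallory';

var_dump(check_released($cookieUname, $uid, $uname));   // bool(true): mismatch not caught
var_dump(check_fixed($db, $cookieUname, $uid, $uname)); // bool(false): uid belongs to alice
var_dump(check_fixed($db, $cookieUname, 2, $uname));    // bool(true): own uid accepted
var_dump(save_email($db, $cookieUname, 'new@example.test')); // int(1): only mallory's row
```

The same binding of the row key to the session identity applies to any other save*() handler that accepts a uid from the request.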