RE: PHP-Nuke & Post-Nuke account hijacking.

["Chris Bradford" <stuff () snowjournal com>]

Some version information would be helpful.  Since I work with many *nuke
systems, my best guess is that this vulnerability is only valid in the
PHPNuke 5.x series.  PostNuke .70x series might be vulnerable.  The .70x
series is somewhat similar to the PHPNuke 5.x series.

PostNuke version .64 isn't vulnerable, and I've looked at the newest
Postnuke .71 and it isn't vulnerable either.

regards

--csb


-----Original Message-----
From: Handle Nopman [mailto:nopman () hackermail com]
Sent: Sunday, March 17, 2002 10:57 AM
To: bugtraq () securityfocus com
Subject: PHP-Nuke & Post-Nuke account hijacking.


Hi all BugTraq readers!

I've found a bug in PHP-Nuke and Post-Nuke that allows
one to hijack other accounts.

Code in modules/News/article.php:
if ($save AND is_user($user)) {
    cookiedecode($user);
    sql_query("update ".$user_prefix."_users set umode='$mode',
uorder='$order', thold='$thold' where uid='$cookie[0]'", $dbi);
    getusrinfo($user);
    $info =
base64_encode("$userinfo[uid]:$userinfo[uname]:$userinfo[pass]:$userinfo[sto
rynum]:$userinfo[umode]:$userinfo[uorder]:$userinfo[thold]:$userinfo[noscore
]");
    setcookie("user","$info",time()+$cookieusrtime);
}

This code snippet cheks if user is logged in and allows he
to change his mode,order and thold, then the code sends
the cookie back with modified data.

There is a bug. Code checks if user is logged in by is_user,
but it uses getusrinfo to send the data back. Function
is_user verifies the cookie by checking that UID and password
match, but getusrinfo gets the data by using USERNAME and password
and the getusrinfo uses insecure SQL call.

So by specifying valid UID and PASSWORD combination one can
get round the is_user check and his username is passed without any
verification to insecure SQL call. By specifying specially crafted
username one can fool the SQL call to return another users data.

To exploit this vulnerability one must create an account into
the target site, base64_decode his cookie,modify the username
in the cookie to inject SQL,base64_encode his cookie and pass
it with save=1 to article.php (which must be done throught
modules.php)

Post-Nuke is vulnerable to this too.

Vendor Status
I contacted Francisco Burzi over 2 weeks ago and he did not reply.
I delayed the relase because I found out that Post-Nuke has this
bug too. I contacted authors of Post-Nuke and they replyed almost
immediatly and a fixed version is now available.

Post-Nuke users should upgrade to the most recent version.

Best Regards,
"NopMan"
--

Powered by Outblaze