php-nuke.txt

php-nuke bug by Starman_Jones 22/08/00

Disclaimer: I am not responsible for php-nuke.txt

php-nuke bug by Starman_Jones 22/08/00

Disclaimer: I am not responsible for whatever you do with the knowledge
you get from reading this advisorie. I am not telling you to go and post
messages on sites that use PHP-nuke.

Recently there was an advisory on bugtraq about An access validation error
that exists in PHP-nuke Web Portal System. With this bug it is possible
for a remote user to gain administrative privileges.
http://www.target.com/admin.php3?admin=anything

The above example lets you login as the administrator. But you cannot do
anything with that url alone. When you click on anything in the
administrator's control panel you get asked for a username and password.
I have found a way to bypass this.

http://www.example.com/admin.php3?admin=anything&op=PostAdminStory&introtext=evil%20hacker%20message

The Above example lets you post a topic on the main page as an
administrator. You can add html tags to it. And a topic.
To seperate the text you want to display you use '%20' without the ''.
You could also put html in the message and make the whole front page
redirect to some other page. Anyway you get the idea.

You can also edit the existing admin accounts by doing:
http://www.example.com/admin.php3?admin=anything&op=mod_authors

With &op= whatever is in teh administration menu you can control
everything that it lets you. I will not go into anything else. I just
wanted to show you how to post as an administrator and leave the rest up
to you.

The patch for this bug is available at:
http://www.ncc.org.we/php-nuke.php3?op=download&location=http://download.sourceforge.net/phpnuke&file=PHP-Nuke-3.0.tar.gz

You can post this text on any page as long as you give proper credit to
me: Starman_Jones.

Copyright Starman_Jones