Flatnuke3 suffers from remote cookie manipulation and privilege escalation vulnerabilities.
5fb21f33a6f7431df6408c27baa203db2b9e93b5f3b0fd19bec1aeab85d55414---------------------------------------------------------------
____ __________ __ ____ __
/_ | ____ |__\_____ \ _____/ |_ /_ |/ |_
| |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\
| | | \ | |/ \ \___| | /_____/ | || |
|___|___| /\__| /______ /\___ >__| |___||__|
\/\______| \/ \/
---------------------------------------------------------------
Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org
---------------------------------------------------------------
Flatnuke3 Remote Cookie Manipoulation / Privilege Escalation
---------------------------------------------------------------
#By KiNgOfThEwOrLd
---------------------------------------------------------------
PoC:
When an user log in, flatnuke set him a cookie value like this:
myforum=nomeuser. If we try to change it, flatnuke will ask us to log in again.
The code is:
$req = $_SERVER["REQUEST_URI"];
if (strstr($req, "myforum="))
die(_NONPUOI);
So, we can bypass this filter, using nullbyte and login as admin. For example,
Replace:
myforum=yourusername
with:
myforum%00=adminusername
PHP Execution PoC:
I saw that in download module, if we set to "1" the fneditmode, we can make
directory. So, we can write a description for the directory, and this
description will be saved in /Download/[Dir_Name]/description.it.php . Yes, we
can insert php code in the description and it will be execute! Nice, dontcha? :
P
---------------------------------------------------------------
Original here: http://www.inj3ct-it.org/exploit/flatnuke3-cm.txt
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed