************************************************************** * CODEBUG Labs * Advisory #2 * Title: DelAdmin Bug * Author: Pierquinto 'Mantra' Manco * Product: PHP-Nuke 7.4 * Type: XSS * Web: http://www.mantralab.org * ************************************************************** Delete Admin Bug - ) Description PHP-Nuke is a very bugged web CMS, version 7.4 has critical XSS bug that permit to an attacker to delete any Admin account except God admin. This bug is very old too but we can bypass the patch sending data by POST instead of GET. - ) Proof-of-Concept Create a HTML file with this lines:
USERNAME:


- ) Patch Apply this code to your admin.php file: if ( !empty($HTTP_GET_VARS['op']) ) { $op = $HTTP_GET_VARS['op']; } if ( !empty($HTTP_POST_VARS['op']) ) { $op = $HTTP_POST_VARS['op']; } -) Note There are a lot of this problem in PHP-Nuke 7.4, my patch will check the content of $_POST[op] and $_GET[op]. I'm going to post all this vulnerabilities on my site... http://www.mantralab.org ************************************************************** http://www.mantralab.org **************************************************************