PHP Nuke Weak Encryption In User Cookie Vulnerability

PHP-Nuke is a popular web based Portal system. It allows users to create accounts and contribute content to the site.

When a user authenticates to a PHP-Nuke based page, a cookie is created which includes that user's account name and password. This password is encoded using Base 64 encoding, and can be immediately decoded by anyone with access to the cookies contents. This, an attacker able to gain access to this cookie may trivially learn the user's account name and password, and compromise that account.

Older versions of PHP-Nuke may also be vulnerable. PostNuke 0.6.4(and possibly earlier versions) is also vulnerable.


Privacy Statement
Copyright 2010, SecurityFocus