php-nuke bug by Starman_Jones 22/08/00


Disclaimer: I am not responsible for whatever you do with
the knowledge you get from reading this advisorie. I am
not telling you to go and post messages on sites that use
PHP-nuke.


Recently there was an advisory on bugtraq about An access
validation error that exists in PHP-nuke Web Portal System.
With this bug it is possible for a remote user to gain
administrative privileges.


http://www.target.com/admin.php3?admin=anything


The above example lets you login as the administrator. But
you cannot do anything with that url alone. When you click
on anything in the administrator's control panel you get
asked for a username and password. I have found a way to
bypass this.


http://www.example.com/admin.php3?admin=anything&op=\
PostAdminStory&introtext=evil%20hacker%20message

The Above example lets you post a topic on the main page
as an administrator. You can add html tags to it. And a
topic. To seperate the text you want to display you use
'%20' without the ''. You could also put html in the message
and make the whole front page redirect to some other page.
Anyway you get the idea.

You can also edit the existing admin accounts by doing:
http://www.example.com/admin.php3?admin=anything&op=mod_authors

With &op= whatever is in teh administration menu you can
control everything that it lets you. I will not go into
anything else. I just wanted to show you how to post as
an administrator and leave the rest up to you.

The patch for this bug is available at:
http://www.ncc.org.we/php-nuke.php3?op=download&location\
=http://download.sourceforge.net/phpnuke&file=PHP-Nuke-3.0.tar.gz

You can post this text on any page as long as you give proper
credit to me, Starman_Jones.

                         Copyright Starman_Jones