header-logo
Suggest Exploit
vendor:
PHP-Nuke
by:
SecurityFocus
7.5
CVSS
HIGH
Authentication Bypass
287
CWE
Product Name: PHP-Nuke
Affected Version From: PHP-Nuke 6.0
Affected Version To: PHP-Nuke 6.5
Patch Exists: YES
Related CWE: N/A
CPE: a:phpnuke:php-nuke
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

PHP-Nuke Authentication Bypass Vulnerability

PHP-Nuke is a website creation/maintainence tool written in PHP3. It is possible to elevate priviliges in this system from normal user to administrator due to a flaw in authentication code. The problem occurs when the code checks to make sure the query passed to mysql_query is legal, but there are no checks to see whether any rows are returned (whether any authors match $aid..). Then, the password given is compared to the result of the above query. If the author doesn't match, mysql_fetch_row returns FALSE. This is where the problem occurs. A NULL string is logically equal to FALSE and thus if an empty string is supplied as password, the condition tested for above (the if($pass == $pwd)) is met and admintest is set to 1 (TRUE). The user is then able to perform all administrative functions.

Mitigation:

Ensure that the authentication code is properly checked and that the user is properly authenticated before granting access to the system.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1592/info

PHP-Nuke is a website creation/maintainence tool written in PHP3. It is possible to elevate priviliges in this system from normal user to administrator due to a flaw in authentication code. The problem occurs here:

$aid = variable holding author name, pwd = author password

$result=mysql_query("select pwd from authors where aid='$aid'");
if(!$result) {
echo "Selection from database failed!";
exit;
} else {
list($pass)=mysql_fetch_row($result);

if($pass == $pwd) {
$admintest = 1;
}
}

First off, the code checks to make sure the query passed to mysql_query is legal. There are no checks to see whether any rows are returned (whether any authors match $aid..). Then, the password given is compared to the result of the above query. If the author doesn't match, mysql_fetch_row returns FALSE. This is where the problem occurs. A NULL string is logically equal to FALSE and thus if an empty string is supplied as password, the condition tested for above (the if($pass == $pwd)) is met and admintest is set to 1 (TRUE). The user is then able to perform all administrative functions.

http://target/admin.php3?admin=any_data

Navigation

Suggest Exploit

Services By CQR