PHP-Nuke Security
Results 1 to 6 of 6

Thread: PHP-Nuke Security

  1. #1
    Junior Member
    Join Date
    May 2002
    Posts
    9

    PHP-Nuke Security

    Hello,

    I heard that a new phpnuke vulnerability has been discovered, which allows the attacker to embed malicious JavaScript code in the private messages that execute XSS attack. So that when the admin opens the message, he will send his cookie with the encoded password.

    I'm running phpnuke 5.4. I want this bug to be fixed, and make my web site much secure for guests. I checked the phpnuke website, but, I couldn't find anything that deals with this. Any suggestions?

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Re: PHP-Nuke Security

    I have not heard nor did find anything about this vulnerability. Do you have any source or more information ?

    Originally posted here by tiger_r_
    Hello,

    I heard that a new phpnuke vulnerability has been discovered, which allows the attacker to embed malicious JavaScript code in the private messages that execute XSS attack. So that when the admin opens the message, he will send his cookie with the encoded password.

    I'm running phpnuke 5.4. I want this bug to be fixed, and make my web site much secure for guests. I checked the phpnuke website, but, I couldn't find anything that deals with this. Any suggestions?
    The latest vulnerability for PHP-Nuke I found was (not related to what you tell):

    CAN-2002-0483
    Summary: index.php for PHP-Nuke 5.4 and earlier allows remote attackers to determine the physical pathname of the web server when the file parameter is set to index.php, which triggers an error message that leaks the pathname.
    Published Before: 8/12/2002
    Severity: Low
    And closest vulnerability I found (similiar but not the same?):

    CAN-2001-0911
    Summary: PHP-Nuke 5.1 stores user and administrator passwords in a base-64 encoded cookie, which could allow remote attackers to gain privileges by stealing or sniffing the cookie and decoding it.
    Published Before: 11/21/2001
    Severity: High
    And another similiar vulnerability:

    CVE-2001-0001
    Summary: cookiedecode function in PHP-Nuke 4.4 allows users to bypass authentication and gain access to other user accounts by extracting the authentication information from a cookie.
    Published Before: 6/2/2001
    Severity: High
    Can it be some of these older vulnerabilities you have heard about ?

    ~micael

  3. #3
    Junior Member
    Join Date
    May 2002
    Posts
    9
    Thanks a lot micael,

    This is my source:
    http://www.isecurelabs.com/article.php?sid=230

    My site is still vulnerable, and I want this bug to be fixed, but it seems to me that they don't supply a patch for fixing this issue.

    This is exactly what I've heard about:
    CAN-2001-0911
    Summary: PHP-Nuke 5.1 stores user and administrator passwords in a base-64 encoded cookie, which could allow remote attackers to gain privileges by stealing or sniffing the cookie and decoding it.
    Published Before: 11/21/2001
    Severity: High
    Thank you,

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Are you sure that the latest version of PHP-Nuke 5.6 still are vulnerable ?

    The release date of PHP-Nuke 5.6 is 04-Jun-2002 and the vulnerability from 21-November-2001 and they are speaking about PHP-Nuke 5.1. Since this was (is?) a high severity vulnerability would I be surpriced if they not have fixed it during this time.

    Source: http://www.isecurelabs.com/article.php?sid=230
    PhpNuke Admin password can be stolen !
    Posté le Jeudi, novembre 22 @ 01:11:41 CET par acz

    Aurélien Cabezon a découvert une vulnérabilité sur PhpNuke qui permet, en utilisant aussi une vulnérabilité récente d'Internet Explorer de dérober le login/passwd admin d'un site sous phpnuke à son proprietaire.
    This is quoted from the article you provided the link to. Its a old article acording to the date and this may already been fixed? Anyway I did some more investigations and found a similiar article were they did describe cookie password and a possible solution.

    Source: phpnuke.org
    Re: PHP4 Sessioning instead of passwords in cookie? (Score: 1)
    by KingRichard on Thursday, August 09 @ 06:21:31 EDT
    (User Info | Send a Message) http://www.nukeaddon.com
    Simple answer, PHP Nuke support PHP3 and PHP4 unless the admin want to used session then its need PHPLIB which is troublesome in most cases. Unlike PHP4 which support Sessions, however some people still using PHP 3.0.x which will not being able to do it.

    Again I like the idea, and maybe you should start a new addon which can be hosted on our CVS at http://sourceforge.net/projects/nukeaddon/

    Hope to see you there. You can also email me at rtirtadji@hotmail.com if you need to talk more detail.
    My advice send a e-mail to rtirtadji@hotmail.com and ask status of this and upgrade to PHP-Nuke 5.6 and PHP 4.2.2 if you not already are using it .

    ~micael

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    304
    Yea 5.6 is vulnerable too.

    I would suggest to upgrade to 5.6 just because its latest (besides 6beta) and then go to http://www.phpnuke.org/modules.php?n...download&cid=9 and select


    PHP-Nuke 5.6 Bug Fixes
    Description: Fixes two bugs. One in the banners addition and one security hole in Private Messages.
    Version: 5.6 Filesize: 5.51 Kb
    Added on: 16-Aug-2002 Downloads: 2433

    this will fix it for you

    or you could go to http://digital-delusions.dyn.ee/expl...nukesploit.txt and there is instructions on how to fix it manually . This is the person that found the exploit and submitted to bugtraq
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

  6. #6
    Junior Member
    Join Date
    May 2002
    Posts
    9
    Thank you all guys for your feedbacks.

    I upgraded to PHP-Nuke 5.6 yesterday, and fixed the security hole in private messages.

    Now I don’t have to worry about script kiddies

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •