|
-
September 4th, 2002, 09:35 AM
#1
Junior Member
PHP-Nuke Security
Hello,
I heard that a new phpnuke vulnerability has been discovered, which allows the attacker to embed malicious JavaScript code in the private messages that execute XSS attack. So that when the admin opens the message, he will send his cookie with the encoded password.
I'm running phpnuke 5.4. I want this bug to be fixed, and make my web site much secure for guests. I checked the phpnuke website, but, I couldn't find anything that deals with this. Any suggestions?
-
September 4th, 2002, 10:49 AM
#2
Re: PHP-Nuke Security
I have not heard nor did find anything about this vulnerability. Do you have any source or more information ?
Originally posted here by tiger_r_
Hello,
I heard that a new phpnuke vulnerability has been discovered, which allows the attacker to embed malicious JavaScript code in the private messages that execute XSS attack. So that when the admin opens the message, he will send his cookie with the encoded password.
I'm running phpnuke 5.4. I want this bug to be fixed, and make my web site much secure for guests. I checked the phpnuke website, but, I couldn't find anything that deals with this. Any suggestions?
The latest vulnerability for PHP-Nuke I found was (not related to what you tell):
CAN-2002-0483
Summary: index.php for PHP-Nuke 5.4 and earlier allows remote attackers to determine the physical pathname of the web server when the file parameter is set to index.php, which triggers an error message that leaks the pathname.
Published Before: 8/12/2002
Severity: Low
And closest vulnerability I found (similiar but not the same?):
CAN-2001-0911
Summary: PHP-Nuke 5.1 stores user and administrator passwords in a base-64 encoded cookie, which could allow remote attackers to gain privileges by stealing or sniffing the cookie and decoding it.
Published Before: 11/21/2001
Severity: High
And another similiar vulnerability:
CVE-2001-0001
Summary: cookiedecode function in PHP-Nuke 4.4 allows users to bypass authentication and gain access to other user accounts by extracting the authentication information from a cookie.
Published Before: 6/2/2001
Severity: High
Can it be some of these older vulnerabilities you have heard about ?
~micael
-
September 4th, 2002, 03:59 PM
#3
Junior Member
Thanks a lot micael,
This is my source:
http://www.isecurelabs.com/article.php?sid=230
My site is still vulnerable, and I want this bug to be fixed, but it seems to me that they don't supply a patch for fixing this issue.
This is exactly what I've heard about:
CAN-2001-0911
Summary: PHP-Nuke 5.1 stores user and administrator passwords in a base-64 encoded cookie, which could allow remote attackers to gain privileges by stealing or sniffing the cookie and decoding it.
Published Before: 11/21/2001
Severity: High
Thank you,
-
September 4th, 2002, 10:57 PM
#4
Are you sure that the latest version of PHP-Nuke 5.6 still are vulnerable ?
The release date of PHP-Nuke 5.6 is 04-Jun-2002 and the vulnerability from 21-November-2001 and they are speaking about PHP-Nuke 5.1. Since this was (is?) a high severity vulnerability would I be surpriced if they not have fixed it during this time.
Source: http://www.isecurelabs.com/article.php?sid=230
PhpNuke Admin password can be stolen !
Posté le Jeudi, novembre 22 @ 01:11:41 CET par acz
Aurélien Cabezon a découvert une vulnérabilité sur PhpNuke qui permet, en utilisant aussi une vulnérabilité récente d'Internet Explorer de dérober le login/passwd admin d'un site sous phpnuke Ã* son proprietaire.
This is quoted from the article you provided the link to. Its a old article acording to the date and this may already been fixed? Anyway I did some more investigations and found a similiar article were they did describe cookie password and a possible solution.
Source: phpnuke.org
Re: PHP4 Sessioning instead of passwords in cookie? (Score: 1)
by KingRichard on Thursday, August 09 @ 06:21:31 EDT
(User Info | Send a Message) http://www.nukeaddon.com
Simple answer, PHP Nuke support PHP3 and PHP4 unless the admin want to used session then its need PHPLIB which is troublesome in most cases. Unlike PHP4 which support Sessions, however some people still using PHP 3.0.x which will not being able to do it.
Again I like the idea, and maybe you should start a new addon which can be hosted on our CVS at http://sourceforge.net/projects/nukeaddon/
Hope to see you there. You can also email me at rtirtadji@hotmail.com if you need to talk more detail.
My advice send a e-mail to rtirtadji@hotmail.com and ask status of this and upgrade to PHP-Nuke 5.6 and PHP 4.2.2 if you not already are using it  .
~micael
-
September 5th, 2002, 12:56 AM
#5
Yea 5.6 is vulnerable too.
I would suggest to upgrade to 5.6 just because its latest (besides 6beta) and then go to http://www.phpnuke.org/modules.php?n...download&cid=9 and select
PHP-Nuke 5.6 Bug Fixes
Description: Fixes two bugs. One in the banners addition and one security hole in Private Messages.
Version: 5.6 Filesize: 5.51 Kb
Added on: 16-Aug-2002 Downloads: 2433
this will fix it for you
or you could go to http://digital-delusions.dyn.ee/expl...nukesploit.txt and there is instructions on how to fix it manually . This is the person that found the exploit and submitted to bugtraq
Violence breeds violence
we need a world court
not a republican with his hands covered in oil and military hardware lecturing us on world security!
-
September 6th, 2002, 08:26 AM
#6
Junior Member
Thank you all guys for your feedbacks.
I upgraded to PHP-Nuke 5.6 yesterday, and fixed the security hole in private messages.
Now I don’t have to worry about script kiddies
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote