All PHP-Nuke versions affected!!!

2000-11-13T00:00:00
ID SECURITYVULNS:DOC:915
Type securityvulns
Reporter Securityvulns
Modified 2000-11-13T00:00:00

Description

Hi!

Recently the "fixed" version of the user.php script was released. The vulnerability was reported in the article which can be read at http://www.phpnuke.org/article.php?sid=251.

This new version though still allows any registered user to alter the password and other personal details of other registered users.

I have looked at the code and corrected it, although this code is not in the most optimized form, but it does its job.

This is what user.php looked like:

    function saveuser($uid, $name, $uname, $email, $femail, $url, $pass, $vpass, $bio) {
        global $user, $cookie, $userinfo, $EditedMessage, $system;
        cookiedecode($user);
        if ($user AND ($cookie[1] == $uname)) {
            ...


This is my fixed code:

    function saveuser($uid, $name, $uname, $email, $femail, $url, $pass, $vpass, $bio) {
        global $user, $cookie, $userinfo, $EditedMessage, $system;
        cookiedecode($user);
        $user_check=$cookie[1];
        $result=mysql_query("select uid from users where uname='$user_check'");
        $vuid=mysql_result($result,0,"uid");
        if ($user AND ($cookie[1] == $uname) AND ($uid == $vuid)) {
            ...


Probably all the save*() functions have the same bug because they do not require a valid login to work with, but I didn't take the time to check it all.

Special thanks to:

Tharbad, paran0id, Nevermind and BeBe

My best regards,

Pedro Inacio aka DrBrain
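
The ownership check described in the post above, as an added example that is not part of the original advisory or of PHP-Nuke: the unchecked form compares only the submitted user name with the logged-in name, while the checked form also requires the submitted uid to be the row that belongs to that name. The table layout, function names, in-memory SQLite database (via PDO, with prepared statements) and sample rows are assumptions made for illustration.

```php
<?php
// Added example, not PHP-Nuke code. Schema, names and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT UNIQUE, email TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.test'), (2, 'bob', 'bob@example.test')");

// Original pattern: only the submitted $uname is compared with the logged-in
// name, while the row to update is selected by the submitted $uid.
function saveuser_unchecked(PDO $db, string $authUname, int $uid, string $uname, string $email): bool
{
    if ($authUname !== $uname) {
        return false;
    }
    $st = $db->prepare("UPDATE users SET email = ? WHERE uid = ?");
    $st->execute([$email, $uid]);
    return $st->rowCount() === 1;
}

// Hardened pattern: resolve the uid owned by the authenticated name and
// refuse the request unless the submitted uid is that same row.
function saveuser_checked(PDO $db, string $authUname, int $uid, string $uname, string $email): bool
{
    $st = $db->prepare("SELECT uid FROM users WHERE uname = ?");
    $st->execute([$authUname]);
    $ownUid = $st->fetchColumn();
    if ($ownUid === false || $authUname !== $uname || (int)$ownUid !== $uid) {
        return false;
    }
    $st = $db->prepare("UPDATE users SET email = ? WHERE uid = ?");
    $st->execute([$email, (int)$ownUid]);
    return $st->rowCount() === 1;
}

function emailOf(PDO $db, int $uid): string
{
    $st = $db->prepare("SELECT email FROM users WHERE uid = ?");
    $st->execute([$uid]);
    return (string)$st->fetchColumn();
}

// Constructed requests: 'alice' is the authenticated user in every call.
var_dump(saveuser_unchecked($db, 'alice', 2, 'alice', 'x@example.test')); // form carries uid 2
var_dump(emailOf($db, 2));
var_dump(saveuser_checked($db, 'alice', 2, 'alice', 'y@example.test'));   // same mismatched uid
var_dump(emailOf($db, 2));
var_dump(saveuser_checked($db, 'alice', 1, 'alice', 'new@example.test')); // alice's own uid
```

The same comparison applies to any handler that takes a record identifier from the request: derive the identifier from the authenticated identity on the server and treat the submitted one only as something to verify.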