Vulnerability Details:

- Title: Admin-level authentication bypass in PHP-Nuke 6.x-7.2
- Author: Janek Vind "waraxe"
- Date: 12 April 2004
- Location: Estonia, Tartu
- Website: http://www.waraxe.us/index.php?modname=sa&id=18

Affected Software:

- Description: PHP-Nuke is a popular content management system written in PHP by Francisco Burzi. It is used on many thousands of websites because of its free license, ease of installation, and broad feature set.

Vulnerabilities:

- Key Point: The base64-decoded variable "admin" from the cookie is exploded into its components: the admin id and the MD5 hash of the password. As always with base64 encode/decode operations, care must be taken with special characters such as single quotes. Before the base64-decoded data is used, the addslashes() function must be applied to it.

Exploit Details:

- Insecure HTTP Headers: The variable $aWhen is used in an SQL query, a classic SQL injection case.
- Exploit Steps:
  1. SQL Injection: Use the $admin variable through a GET request, because it is simpler than using cookies.
  2. Initial Authentication Bypass: Construct a "cookie" in a format like this: "%20OR%20%27x%20OR%20%27y"
  3. SQL Query Manipulation: The $admin variable is used unsanitized, allowing SQL injection.
  4. Circumventing Filter: Use a filter to construct a "cookie" like this: "%20UNION%20SELECT%201%20%23"
  5. Second Authentication Bypass: Successfully bypass the second authentication step by setting the variable $rdminsuper to the value "1".
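The defensive fix the advisory calls for, shown as an added example that is not PHP-Nuke's own code: the base64 "admin" cookie is decoded and split exactly as described above, but both components are checked against a strict allowlist and then bound as query parameters, so quotes or spaces in the decoded value never become SQL. The table, column names, sample admin and cookie layout ("aid:md5hash") are constructed assumptions for the demo.

```python
import base64
import hashlib
import re
import sqlite3
from typing import Optional, Tuple

# Constructed stand-in for the CMS authors table: admin id and MD5 of the password.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE authors (aid TEXT PRIMARY KEY, pwd TEXT)")
SAMPLE_PWD_HASH = hashlib.md5(b"password").hexdigest()  # demo value only
_DB.execute("INSERT INTO authors VALUES ('God', ?)", (SAMPLE_PWD_HASH,))

AID_RE = re.compile(r"^[A-Za-z0-9_]{1,25}$")   # admin ids: plain identifiers only
MD5_RE = re.compile(r"^[0-9a-f]{32}$")         # a hex MD5 digest, nothing else


def make_cookie(aid: str, pwd_hash: str) -> str:
    """Encode the assumed cookie layout 'aid:md5hash' as base64."""
    return base64.b64encode(f"{aid}:{pwd_hash}".encode()).decode()


def parse_admin_cookie(cookie: str) -> Optional[Tuple[str, str]]:
    """Decode the base64 cookie into (aid, md5hash), or None if it is malformed.

    Rejecting anything outside the allowlist is the step the vulnerable code
    skipped: an injection string like "' OR 'x" cannot pass AID_RE.
    """
    try:
        decoded = base64.b64decode(cookie, validate=True).decode("ascii")
    except ValueError:          # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    parts = decoded.split(":")
    if len(parts) < 2:
        return None
    aid, pwd_hash = parts[0], parts[1].lower()
    if not AID_RE.match(aid) or not MD5_RE.match(pwd_hash):
        return None
    return aid, pwd_hash


def lookup_admin(cookie: str) -> Optional[str]:
    """Return the matching admin id, or None. Values are bound, never concatenated."""
    parsed = parse_admin_cookie(cookie)
    if parsed is None:
        return None
    aid, pwd_hash = parsed
    row = _DB.execute(
        "SELECT aid FROM authors WHERE aid = ? AND pwd = ?", (aid, pwd_hash)
    ).fetchone()
    return row[0] if row else None
```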