ID
VAR-200010-0125
CVE
CVE-2000-0745
TITLE
PHP-Nuke admin.php3 Privilege escalation vulnerability
Trust: 0.6
DESCRIPTION
admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter. PHP-Nuke is a website creation/maintainence tool written in PHP3. It is possible to elevate priviliges in this system from normal user to administrator due to a flaw in authentication code. The problem occurs here: $aid = variable holding author name, pwd = author password $result=mysql_query("select pwd from authors where aid='$aid'"); if(!$result) { echo "Selection from database failed!"; exit; } else { list($pass)=mysql_fetch_row($result); if($pass == $pwd) { $admintest = 1; } } First off, the code checks to make sure the query passed to mysql_query is legal. There are no checks to see whether any rows are returned (whether any authors match $aid..). Then, the password given is compared to the result of the above query. If the author doesn't match, mysql_fetch_row returns FALSE. This is where the problem occurs. A NULL string is logically equal to FALSE and thus if an empty string is supplied as password, the condition tested for above (the if($pass == $pwd)) is met and admintest is set to 1 (TRUE). The user is then able to perform all administrative functions
Trust: 1.26
AFFECTED PRODUCTS
| vendor: | francisco burzi | model: | php-nuke | scope: | eq | version: | 2.5 | Trust: 1.6 |
| vendor: | francisco burzi | model: | php-nuke | scope: | eq | version: | 1.0 | Trust: 1.6 |
| vendor: | francisco | model: | burzi php-nuke | scope: | eq | version: | 2.5 | Trust: 0.3 |
| vendor: | francisco | model: | burzi php-nuke | scope: | eq | version: | 1.0 | Trust: 0.3 |
| vendor: | francisco | model: | burzi php-nuke | scope: | ne | version: | 3.0 | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | NVD-CWE-Other | Trust: 1.0 |
THREAT TYPE
remote
Trust: 0.6
TYPE
unknown
Trust: 0.6
EXPLOIT AVAILABILITY
EXTERNAL IDS
| db: | BID | id: | 1592 | Trust: 2.0 |
| db: | OSVDB | id: | 1521 | Trust: 1.7 |
| db: | NVD | id: | CVE-2000-0745 | Trust: 1.7 |
| db: | CNNVD | id: | CNNVD-200010-111 | Trust: 0.7 |
| db: | BUGTRAQ | id: | 20000821 VULN. IN ALL SITES USING PHP-NUKE, VERSIONS LESS THAN 3 | Trust: 0.6 |
| db: | SEEBUG | id: | SSVID-74047 | Trust: 0.1 |
| db: | EXPLOIT-DB | id: | 20158 | Trust: 0.1 |
| db: | VULHUB | id: | VHN-2322 | Trust: 0.1 |
REFERENCES
| url: | http://www.securityfocus.com/bid/1592 | Trust: 1.7 |
| url: | http://archives.neohapsis.com/archives/bugtraq/2000-08/0243.html | Trust: 1.7 |
| url: | http://www.osvdb.org/1521 | Trust: 1.7 |
| url: | http://www.ncc.org.ve/php-nuke.php3?op=english | Trust: 0.3 |
CREDITS
Discovered and posted to Bugtraq on Aug 21, 2000 by bruj0@securityportal.com.ar. More information was provided by Starman_Jones in his post to Bugtraq on August 23, 2000.
Trust: 0.3
SOURCES
| db: | VULHUB | id: | VHN-2322 |
| db: | BID | id: | 1592 |
| db: | CNNVD | id: | CNNVD-200010-111 |
| db: | NVD | id: | CVE-2000-0745 |
LAST UPDATE DATE
2024-08-14T15:36:15.876000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-2322 | date: | 2008-09-05T00:00:00 |
| db: | BID | id: | 1592 | date: | 2000-08-21T00:00:00 |
| db: | CNNVD | id: | CNNVD-200010-111 | date: | 2005-08-17T00:00:00 |
| db: | NVD | id: | CVE-2000-0745 | date: | 2008-09-05T20:21:47.060 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-2322 | date: | 2000-10-20T00:00:00 |
| db: | BID | id: | 1592 | date: | 2000-08-21T00:00:00 |
| db: | CNNVD | id: | CNNVD-200010-111 | date: | 2000-10-20T00:00:00 |
| db: | NVD | id: | CVE-2000-0745 | date: | 2000-10-20T04:00:00 |