Sign-up

ID

VAR-200602-0353


CVE

CVE-2006-0805


TITLE

PHPNuke Security bypass vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200602-306

DESCRIPTION

The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed challenge/response pairs that only vary once per day based on the User Agent (HTTP_USER_AGENT), which allows remote attackers to bypass CAPTCHA controls by fixing the User Agent, performing a valid challenge/response, then replaying that pair in the random_num and gfx_check parameters. The CAPTCHA implementation of PHPNuke may be bypassed by remote attackers due to a design error. This may be used to carry out other attacks such as brute-force attempts against the login page. TITLE: PHP-Nuke CAPTCHA Bypass Weakness SECUNIA ADVISORY ID: SA18936 VERIFY ADVISORY: http://secunia.com/advisories/18936/ CRITICAL: Not critical IMPACT: Security Bypass WHERE: >From remote SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ PHP-Nuke 6.x http://secunia.com/product/329/ DESCRIPTION: Janek Vind "waraxe" has reported a weakness in PHP-Nuke, which can be exploited by malicious people to bypass certain security restrictions. A design error in the CAPTCHA security feature, which relies only on the "sitekey", the User-Agent HTTP header, a random number, and the current date to generate the response code can be exploited to bypass the security feature by replaying any random number and response code pair for the current day. The weakness has been reported in versions 6.0 through 7.9. SOLUTION: Do not rely on the CAPTCHA feature to prevent automated logons to PHP-Nuke. PROVIDED AND/OR DISCOVERED BY: Janek Vind "waraxe" ORIGINAL ADVISORY: http://www.waraxe.us/advisory-45.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 1.35

sources: NVD: CVE-2006-0805 // BID: 16722 // VULHUB: VHN-16913 // PACKETSTORM: 43986

AFFECTED PRODUCTS

vendor:francisco burzimodel:php-nukescope:eqversion:6.7

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:6.9

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:6.0

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:6.6

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:6.5_rc2

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:6.5_rc3

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:6.5_rc1

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:6.5

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:6.5_beta1

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:6.5_final

Trust: 1.6

vendor:francisco burzimodel:php-nukescope:eqversion:7.1

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.3

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.2

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.8

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.9

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.7

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.0

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.4

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.6

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.5

Trust: 1.0

vendor:francisco burzimodel:php-nukescope:eqversion:7.0_final

Trust: 1.0

vendor:php nukemodel:php-nukescope:eqversion:7.9

Trust: 0.3

vendor:php nukemodel:php-nukescope:eqversion:7.8

Trust: 0.3

vendor:php nukemodel:php-nukescope:eqversion:7.7

Trust: 0.3

vendor:php nukemodel:php-nukescope:eqversion:7.6

Trust: 0.3

vendor:php nukemodel:php-nukescope:eqversion:7.5

Trust: 0.3

vendor:php nukemodel:php-nukescope:eqversion:7.4

Trust: 0.3

vendor:php nukemodel:php-nukescope:eqversion:7.3

Trust: 0.3

vendor:php nukemodel:php-nukescope:eqversion:7.2

Trust: 0.3

vendor:php nukemodel:php-nukescope:eqversion:7.1

Trust: 0.3

vendor:php nukemodel:php-nukescope:eqversion:7.0

Trust: 0.3

sources: BID: 16722 // CNNVD: CNNVD-200602-306 // NVD: CVE-2006-0805

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-0805
value: HIGH

Trust: 1.0

CNNVD: CNNVD-200602-306
value: HIGH

Trust: 0.6

VULHUB: VHN-16913
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2006-0805
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-16913
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-16913 // CNNVD: CNNVD-200602-306 // NVD: CVE-2006-0805

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-0805

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200602-306

TYPE

Design Error

Trust: 0.9

sources: BID: 16722 // CNNVD: CNNVD-200602-306

EXPLOIT AVAILABILITY

sources:
            
            
            VULHUB: VHN-16913

EXTERNAL IDS
db:BIDid:16722
Trust: 2.0
db:SECUNIAid:18936
Trust: 1.8
db:NVDid:CVE-2006-0805
Trust: 1.7
db:SREASONid:455
Trust: 1.7
db:CNNVDid:CNNVD-200602-306
Trust: 0.7
db:BUGTRAQid:20060218 [WARAXE-2006-SA#045] - BYPASSING CAPTCHA IN PHPNUKE 6.X-7.9
Trust: 0.6
db:SEEBUGid:SSVID-80866
Trust: 0.1
db:EXPLOIT-DBid:27249
Trust: 0.1
db:VULHUBid:VHN-16913
Trust: 0.1
db:PACKETSTORMid:43986
Trust: 0.1
sources:
            
            
            VULHUB: VHN-16913 // 
            
            
            
            BID: 16722 // 
            
            
            
            PACKETSTORM: 43986 // 
            
            
            
            CNNVD: CNNVD-200602-306 // 
            
            
            
            NVD: CVE-2006-0805

REFERENCES
url:http://www.waraxe.us/advisory-45.html
Trust: 1.8
url:http://www.securityfocus.com/bid/16722
Trust: 1.7
url:http://secunia.com/advisories/18936
Trust: 1.7
url:http://securityreason.com/securityalert/455
Trust: 1.7
url:http://www.securityfocus.com/archive/1/425394/100/0/threaded
Trust: 1.1
url:http://www.securityfocus.com/archive/1/archive/1/425394/100/0/threaded
Trust: 0.6
url:http://www.phpnuke.org
Trust: 0.3
url:/archive/1/425394
Trust: 0.3
url:http://secunia.com/advisories/18936/
Trust: 0.1
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/product/329/
Trust: 0.1
url:http://secunia.com/product/2385/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-16913 // 
            
            
            
            BID: 16722 // 
            
            
            
            PACKETSTORM: 43986 // 
            
            
            
            CNNVD: CNNVD-200602-306 // 
            
            
            
            NVD: CVE-2006-0805

CREDITS
Discovered by Janek Vind "waraxe".
Trust: 0.9
sources:
            
            
            BID: 16722 // 
            
            
            
            CNNVD: CNNVD-200602-306

SOURCES
db:VULHUBid:VHN-16913
db:BIDid:16722
db:PACKETSTORMid:43986
db:CNNVDid:CNNVD-200602-306
db:NVDid:CVE-2006-0805

LAST UPDATE DATE
2024-08-14T14:48:00.473000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-16913date:2018-10-18T00:00:00
db:BIDid:16722date:2006-02-21T17:57:00
db:CNNVDid:CNNVD-200602-306date:2006-02-22T00:00:00
db:NVDid:CVE-2006-0805date:2018-10-18T16:29:06.977

SOURCES RELEASE DATE
db:VULHUBid:VHN-16913date:2006-02-21T00:00:00
db:BIDid:16722date:2006-02-18T00:00:00
db:PACKETSTORMid:43986date:2006-02-20T20:08:24
db:CNNVDid:CNNVD-200602-306date:2006-02-20T00:00:00
db:NVDid:CVE-2006-0805date:2006-02-21T02:02:00