CVE-2000-0745
CVSS 7.5
Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:47

[Original] admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter.


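[CNNVD] PHP-Nuke admin.php3 privilege escalation vulnerability (CNNVD-200010-111)

        admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password; a remote attacker can escalate privileges by requesting a URL that does not specify the aid or pwd parameter.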

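- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]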

- CPE (affected platforms and products)

cpe:/a:francisco_burzi:php-nuke:1.0
cpe:/a:francisco_burzi:php-nuke:2.5

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0745
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0745
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-111
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1592
(VENDOR_ADVISORY)  BID  1592
http://archives.neohapsis.com/archives/bugtraq/2000-08/0243.html
(VENDOR_ADVISORY)  BUGTRAQ  20000821 Vuln. in all sites using PHP-Nuke, versions less than 3
http://www.osvdb.org/1521
(UNKNOWN)  OSVDB  1521

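- Vulnerability information

PHP-Nuke admin.php3 privilege escalation vulnerability
High risk Unknown
2000-10-20 00:00:00 2005-08-17 00:00:00
Remote
        admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password; a remote attacker can escalate privileges by requesting a URL that does not specify the aid or pwd parameter.

- Advisories and patches
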

- Vulnerability information (20158)

PHP-Nuke 1.0/2.5 Administrative Privileges Vulnerability (EDBID:20158)
php webapps
2000-08-21 Verified
0 bruj0
N/A
source: http://www.securityfocus.com/bid/1592/info

PHP-Nuke is a website creation/maintenance tool written in PHP3. It is possible to elevate privileges in this system from normal user to administrator due to a flaw in the authentication code. The problem occurs here:

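$aid = variable holding author name, $pwd = author password

    // Look up the stored password for the supplied author name.
    $result = mysql_query("select pwd from authors where aid='$aid'");
    if (!$result) {
        echo "Selection from database failed!";
        exit;
    } else {
        // No check that a row was returned: $pass stays empty when no author matches.
        list($pass) = mysql_fetch_row($result);

        // Loose comparison: an empty $pass equals an empty or missing $pwd.
        if ($pass == $pwd) {
            $admintest = 1;
        }
    }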

First, the code checks that the query passed to mysql_query is legal. There is no check on whether any rows are returned (that is, whether any author matches $aid). Then the password given is compared to the result of the above query. If the author doesn't match, mysql_fetch_row returns FALSE. This is where the problem occurs. A NULL string is logically equal to FALSE, and thus if an empty string is supplied as the password, the condition tested above (the if($pass == $pwd)) is met and $admintest is set to 1 (TRUE). The user is then able to perform all administrative functions.

http://target/admin.php3?admin=any_data		
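
The comparison flaw described above, placed beside a fail-closed check, as an added example that is not PHP-Nuke's code or the advisory's. The functions fetch_pwd_row, admintest_flawed and admintest_hardened and the in-memory $authors array are hypothetical stand-ins for the mysql_query/mysql_fetch_row lookup, and all sample values are constructed.

```php
<?php
// Added example, not PHP-Nuke code. Constructed in-memory stand-in for the
// authors table, keyed by aid, holding the value of the pwd column.
$authors = ['admin' => 'constructed-secret'];

// Hypothetical lookup: returns the row as an array, or false when no author
// matches, which is what mysql_fetch_row() does on an empty result set.
function fetch_pwd_row(array $authors, $aid)
{
    return (is_string($aid) && isset($authors[$aid])) ? [$authors[$aid]] : false;
}

// The flawed logic from the page: no row check, loose == comparison.
function admintest_flawed(array $authors, $aid, $pwd)
{
    $row  = fetch_pwd_row($authors, $aid);
    $pass = is_array($row) ? $row[0] : null; // no row leaves $pass as NULL
    return $pass == $pwd;                    // NULL == "" and NULL == NULL hold
}

// Hardened check: both parameters must be non-empty strings, a row must
// exist, and the comparison is strict and constant-time.
function admintest_hardened(array $authors, $aid, $pwd)
{
    if (!is_string($aid) || $aid === '' || !is_string($pwd) || $pwd === '') {
        return false; // missing or empty parameter: fail closed
    }
    $row = fetch_pwd_row($authors, $aid);
    if ($row === false) {
        return false; // unknown author: fail closed
    }
    return hash_equals($row[0], $pwd);
}

// Constructed inputs: [aid, pwd]; null models a parameter absent from the URL.
$cases = [
    'aid and pwd omitted'    => [null, null],
    'unknown aid, empty pwd' => ['nobody', ''],
    'valid aid, wrong pwd'   => ['admin', 'guess'],
    'valid aid, correct pwd' => ['admin', 'constructed-secret'],
];
foreach ($cases as $label => [$aid, $pwd]) {
    printf("%-24s flawed=%-5s hardened=%s\n", $label,
        var_export(admintest_flawed($authors, $aid, $pwd), true),
        var_export(admintest_hardened($authors, $aid, $pwd), true));
}
```

A current application would also store password_hash() output and check it with password_verify() rather than comparing stored values directly.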

- Vulnerability information

1521
PHP-Nuke admin.php3 Gain Administrative Privilege
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Third-party Verified

- Vulnerability description

PHP-Nuke contains a flaw that may allow a malicious user to gain administrative privileges. The issue is triggered when a specially crafted URL is sent to the server, which exploits a flaw in admin.php3. It is possible that the flaw may allow an attacker to take control of the system resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2000-08-20 2000-08-20
Unknown Unknown

- Solution

Upgrade to version 3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete