Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:47

[Original] admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter.

[CNNVD] PHP-Nuke admin.php3 privilege escalation vulnerability (CNNVD-200010-111)


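- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to modification of system files]
Availability impact: PARTIAL [may cause performance degradation or interrupted access to resources]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]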

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  BUGTRAQ  20000821 Vuln. in all sites using PHP-Nuke, versions less than 3

- Vulnerability information

PHP-Nuke admin.php3 privilege escalation vulnerability
High risk  Unknown
2000-10-20 00:00:00 2005-08-17 00:00:00

- Advisories and patches


- Vulnerability information (20158)

PHP-Nuke 1.0/2.5 Administrative Privileges Vulnerability (EDBID:20158)
php webapps
2000-08-21 Verified
0 bruj0
N/A

PHP-Nuke is a website creation/maintenance tool written in PHP3. It is possible to elevate privileges in this system from normal user to administrator due to a flaw in the authentication code. The problem occurs here:

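$aid = variable holding author name, $pwd = author password

$result = mysql_query("select pwd from authors where aid='$aid'");
if (!$result) {
    // the query itself failed
    echo "Selection from database failed!";
} else {
    // stored password for $aid; mysql_fetch_row() returns FALSE when no author matches
    list($pass) = mysql_fetch_row($result);

    // loose comparison, reached without checking that a row was returned
    if ($pass == $pwd) {
        $admintest = 1;
    }
}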

First, the code checks only that the query passed to mysql_query is legal. It does not check whether any rows are returned (that is, whether any author matches $aid). The password given is then compared to the result of the query. If no author matches, mysql_fetch_row returns FALSE. This is where the problem occurs: a NULL string is logically equal to FALSE, so if an empty string is supplied as the password, the condition tested above (the if($pass == $pwd)) is met and $admintest is set to 1 (TRUE). The user is then able to perform all administrative functions.
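
A hardened form of the check described above, as an added example (it is not PHP-Nuke's code and not the actual 3.0 fix). The is_admin() helper, the pwd_hash column that replaces the plaintext pwd column, and the in-memory SQLite rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not part of PHP-Nuke.
// Returns true only when the author exists AND the supplied password verifies.
function is_admin(PDO $db, $aid, $pwd): bool
{
    // Missing or empty parameters (the request the advisory describes) fail closed.
    if (!is_string($aid) || !is_string($pwd) || $aid === '' || $pwd === '') {
        return false;
    }

    // Parameterized query: $aid is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT pwd_hash FROM authors WHERE aid = ?');
    $stmt->execute([$aid]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matches; test that explicitly
    // instead of letting a loose == treat "no row" as equal to "".
    if ($hash === false) {
        return false;
    }

    return password_verify($pwd, (string) $hash);
}

// Constructed sample data (assumption: pwd_hash column replaces plaintext pwd).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (aid TEXT PRIMARY KEY, pwd_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO authors (aid, pwd_hash) VALUES (?, ?)');
$ins->execute(['editor', password_hash('correct horse', PASSWORD_DEFAULT)]);

$cases = [
    ['editor', 'correct horse'], // valid credentials
    ['editor', 'wrong'],         // wrong password
    ['nobody', ''],              // unknown author, empty password
    [null, null],                // aid and pwd absent from the request
];
foreach ($cases as [$aid, $pwd]) {
    printf("%-8s %-15s => %s\n", var_export($aid, true), var_export($pwd, true),
        is_admin($db, $aid, $pwd) ? 'admin' : 'denied');
}
```

The three controls are independent: the empty-input guard, the explicit no-row test, and the strict verification each close the bypass on their own, so removing any one still leaves the check failing closed.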


- Vulnerability information

PHP-Nuke admin.php3 Gain Administrative Privilege
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Third-party Verified

- Vulnerability description

PHP-Nuke contains a flaw that may allow a malicious user to gain administrative privileges. The issue is triggered when a specially crafted URL is sent to the server, which exploits a flaw in admin.php3. It is possible that the flaw may allow an attacker to take control of the system resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2000-08-20 2000-08-20
Unknown Unknown

- Solution

Upgrade to version 3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete