All PHP-Nuke versions affected!!!
Hi!
Recently the "fixed" version of the user.php script was released.
The vulnerability was reported in the article which can be read in
http://www.phpnuke.org/article.php?sid=251.
This new version though still allows any registered user to alter the
password and other personal details of other registered users.
I have looked at the code and corrected it, although this code is not in
the most optimized form, but it does its job.
This is what user.php looked like:
------
function saveuser($uid, $name, $uname, $email, $femail, $url, $pass, $vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    if ($user AND ($cookie[1] == $uname)) {
    ...
------
This is my fixed code:
------
function saveuser($uid, $name, $uname, $email, $femail, $url, $pass, $vpass, $bio) {
    global $user, $cookie, $userinfo, $EditedMessage, $system;
    cookiedecode($user);
    // Look up the uid that belongs to the user name stored in the cookie.
    $user_check=$cookie[1];
    $result=mysql_query("select uid from users where uname='$user_check'");
    $vuid=mysql_result($result,0,"uid");
    // Only proceed when the submitted uid matches the uid of the cookie's user.
    if ($user AND ($cookie[1] == $uname) AND ($uid == $vuid)) {
    ...
------
Probably all the save*() functions have the same bug because they do not
require a valid login to work with, but I didn't take the time to check
them all.
Special thanks to:
Tharbad, paran0id, Nevermind and BeBe
My best regards,
Pedro Inacio aka DrBrain
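
Added example, not part of the original post and not PHP-Nuke code: the same ownership check written so that the uid is resolved on the server with a bound parameter and the UPDATE is keyed on that server-derived uid. It goes one step beyond the posted fix by not interpolating cookie data into the query. The function name save_user_checked, the table layout, the sample rows and the use of an in-memory SQLite database through PDO are assumptions made for illustration, and $authUname is assumed to come from an already verified login.

```php
<?php
// Added illustration; schema, function name and sample rows are constructed.
function save_user_checked(PDO $db, string $authUname, array $form): bool
{
    // Resolve the uid from the authenticated name on the server side,
    // using a bound parameter instead of string interpolation.
    $q = $db->prepare('SELECT uid FROM users WHERE uname = ?');
    $q->execute([$authUname]);
    $vuid = $q->fetchColumn();
    if ($vuid === false) {
        return false; // no such user: nothing to edit
    }
    // Refuse the request when the submitted uid or uname is not the caller's own.
    if ((int)$form['uid'] !== (int)$vuid || $form['uname'] !== $authUname) {
        return false;
    }
    // Key the UPDATE on the server-derived uid, never on the submitted one.
    $u = $db->prepare('UPDATE users SET email = ?, url = ? WHERE uid = ?');
    $u->execute([$form['email'], $form['url'], (int)$vuid]);
    return $u->rowCount() === 1;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT UNIQUE, email TEXT, url TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.test', '')");
$db->exec("INSERT INTO users VALUES (2, 'bob', 'bob@example.test', '')");

// Case the original check let through: bob sends his own uname with alice's uid.
$mismatch = ['uid' => 1, 'uname' => 'bob', 'email' => 'changed@example.test', 'url' => ''];
var_dump(save_user_checked($db, 'bob', $mismatch));

// bob edits his own record.
$own = ['uid' => 2, 'uname' => 'bob', 'email' => 'bob2@example.test', 'url' => ''];
var_dump(save_user_checked($db, 'bob', $own));

// Show both rows after the two calls.
foreach ($db->query('SELECT uid, uname, email FROM users ORDER BY uid') as $row) {
    echo $row['uid'], ' ', $row['uname'], ' ', $row['email'], "\n";
}
```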