Your Account module security holes

Posted on Thursday, May 27, 2004 @ 16:22:26 CDT in Security
by Raven

BobMarion writes:  
This was uncovered by NSN Sentinel™ when applied to the test sites.

In Your Account's index.php file you will find 4 placements of:
getusrinfo($user);
if (($userinfo[username] != $cookie[1]) AND ($userinfo[user_password] != $cookie[2])) {

These should be:
cookiedecode($user);
getusrinfo($user);
if ((is_user($user)) AND ($userinfo['username'] == $cookie[1]) AND ($userinfo['user_password'] == $cookie[2])) {

Note:
Admin note: Code updated 5/28/04, our thanks to Dogman.
 
 
 
 
Associated Topics

Bugs - Fixed
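
Added example (not part of the original post and not PHP-Nuke code): a truth table comparing the original and corrected conditions over constructed inputs. The function names and sample values are hypothetical, and $isUser stands in for the result of is_user($user); the cases enumerate inputs to the comparison only, not how a request would produce them.

```php
<?php
// Added illustration, not PHP-Nuke code. $userinfo stands for the row loaded by
// getusrinfo(), $cookie for the array filled by cookiedecode(), and $isUser for
// the result of is_user($user). All sample values below are constructed.

// Condition as it appeared before the fix: two "not equal" tests joined by AND.
function old_condition(array $userinfo, array $cookie): bool {
    return (($userinfo['username'] ?? null) != ($cookie[1] ?? null))
        && (($userinfo['user_password'] ?? null) != ($cookie[2] ?? null));
}

// Condition from the corrected code: session check plus two "equal" tests.
function new_condition(bool $isUser, array $userinfo, array $cookie): bool {
    return $isUser
        && (($userinfo['username'] ?? null) == ($cookie[1] ?? null))
        && (($userinfo['user_password'] ?? null) == ($cookie[2] ?? null));
}

$row = ['username' => 'alice', 'user_password' => 'HASH_A']; // constructed row

$cases = [
    // label                   => [is_user, userinfo, cookie]
    'valid session'            => [true,  $row, [1 => 'alice', 2 => 'HASH_A']],
    'name matches, hash not'   => [false, $row, [1 => 'alice', 2 => 'HASH_X']],
    'hash matches, name not'   => [false, $row, [1 => 'bob',   2 => 'HASH_A']],
    'neither matches'          => [false, $row, [1 => 'bob',   2 => 'HASH_X']],
    'anonymous, nothing set'   => [false, [],   []],
];

// Print each predicate, plus the logical negation of the old one, per case.
printf("%-26s %-7s %-9s %s\n", 'case', 'old', 'not old', 'new');
foreach ($cases as $label => [$isUser, $userinfo, $cookie]) {
    $old = old_condition($userinfo, $cookie);
    $new = new_condition($isUser, $userinfo, $cookie);
    printf(
        "%-26s %-7s %-9s %s\n",
        $label,
        var_export($old, true),
        var_export(!$old, true),
        var_export($new, true)
    );
}
```

The old expression is true only when both fields differ, so any code path that runs when it is false also runs when just one field matches or when nothing was loaded at all. The corrected expression is true for the valid session alone.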
 
 

Re: Your Account module security holes (Score: 1)
by blith on Thursday, May 27, 2004 @ 16:46:06 CDT

http://www.vfwpost2876.com

In my index.php there were nine (9) instances of the second string. Thanks for the heads up!

Re: Your Account module security holes (Score: 1)
by TheShniz
on Friday, May 28, 2004 @ 13:39:46 CDT

I had 9x instances of getusrinfo($user); in a patched copy of 7.3, but only 4x were as described, just as they should...

The other 5x should B:

3x of:
getusrinfo($user);
docookie($userinfo[user_id],$userinfo[username],$userinfo[user_password],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);

2x of:
getusrinfo($user);
cookiedecode($user);

Those 5x wouldn't apply 2 the "plug" tho.

 
 

Re: Your Account module security holes (Score: 1)
by speedx on Thursday, May 27, 2004 @ 18:11:38 CDT

http://www.nukenews.ca.tt

In the $userinfo = getusrinfo($user);"
should there be the close quotes? after the ;"

 
 

Re: Your Account module security holes (Score: 1)
by speedx on Thursday, May 27, 2004 @ 18:15:33 CDT

http://www.nukenews.ca.tt

After I did this fix and went to my account I get this error: Parse error: parse error, unexpected T_STRING in /html/modules/Your_Account/index.php on line 812

line 812 is $sqlvu = "SELECT user_question, user_answer FROM ".$prefix."_users_verify WHERE username='$userinfo[username]'";

Re: Your Account module security holes (Score: 1)
by speedx
on Thursday, May 27, 2004 @ 18:17:06 CDT
http://www.nukenews.ca.tt

I have the secret question and answer if the user forgets the password, and this looks like it is interfering with it.

 
 

Re: Your Account module security holes (Score: 1)
by chatserv on Thursday, May 27, 2004 @ 18:33:34 CDT

http://www.scriptheaven.net

Please read the article again, the code has been changed.

Re: Your Account module security holes (Score: 1)
by speedx
on Thursday, May 27, 2004 @ 18:41:30 CDT
http://www.nukenews.ca.tt

ok that works better, thanks chatserv

Re: Your Account module security holes (Score: 1)
by Raven
on Friday, May 28, 2004 @ 12:34:20 CDT

Also, please post your bugs, issues, etc. in the Sentinel forum. Thanks!

 
 

Re: Your Account module security holes (Score: 1)
by Tank863 on Thursday, May 27, 2004 @ 22:20:50 CDT


What if you have NSN's Your Account Version 3.2.0 Alpha... do these exploits exist?


Re: Your Account module security holes (Score: 1)
by BobMarion
(webmaster@nukescripts.net) on Friday, May 28, 2004 @ 02:07:04 CDT
http://www.nukescripts.net

You will need to check your copy. Not all of the NSNYA's had this patched previously.

 
 

Re: Your Account module security holes (Score: 1)
by Dogman on Friday, May 28, 2004 @ 03:05:29 CDT


I applied this fix in an unpatched PHPNuke 7.2

If you have this: "modules.php?name=Your_Account&op=edithome", or this: "modules.php?name=Your_Account&op=edituser" or put this directly in the address field of your browser (as Anonymous) you will directly get in your UserControlPanel...

Not already as User, but anyway...

As a suggestion:

Shouldn't the line of code in the "function edituser(...)" and "function edithome(...)" be like this:

"if ((is_user($user)) AND ($userinfo[username] == $cookie[1]) AND ($userinfo[user_password] == $cookie[2])) {"


Re: Your Account module security holes (Score: 1)
by Raven
on Friday, May 28, 2004 @ 07:08:31 CDT

Thanks Dogman. Someone will get back to you just ASAP!

Re: Your Account module security holes (Score: 1)
by chatserv
on Friday, May 28, 2004 @ 09:32:23 CDT
http://www.scriptheaven.net

I can't check this right now as I am heading out, but you could try changing the line to:

if ((is_user($user)) AND ($userinfo['username'] == $cookie[1]) AND ($userinfo['user_password'] == $cookie[2])) {

Just make sure the function's global line includes $user

Re: Your Account module security holes (Score: 1)
by chatserv
on Friday, May 28, 2004 @ 09:41:20 CDT
http://www.scriptheaven.net

Code verified, Dogman is correct.

 