var-200602-0353
Vulnerability from variot
The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed challenge/response pairs that only vary once per day based on the User Agent (HTTP_USER_AGENT), which allows remote attackers to bypass CAPTCHA controls by fixing the User Agent, performing a valid challenge/response, then replaying that pair in the random_num and gfx_check parameters. The CAPTCHA implementation of PHPNuke may be bypassed by remote attackers due to a design error. This may be used to carry out other attacks such as brute-force attempts against the login page.
TITLE: PHP-Nuke CAPTCHA Bypass Weakness
SECUNIA ADVISORY ID: SA18936
VERIFY ADVISORY: http://secunia.com/advisories/18936/
CRITICAL: Not critical
IMPACT: Security Bypass
WHERE: From remote
SOFTWARE: PHP-Nuke 7.x (http://secunia.com/product/2385/), PHP-Nuke 6.x (http://secunia.com/product/329/)
DESCRIPTION: Janek Vind "waraxe" has reported a weakness in PHP-Nuke, which can be exploited by malicious people to bypass certain security restrictions.
A design error in the CAPTCHA security feature, which relies only on the "sitekey", the User-Agent HTTP header, a random number, and the current date to generate the response code, can be exploited to bypass the security feature by replaying any random number and response code pair for the current day.
The weakness has been reported in versions 6.0 through 7.9.
SOLUTION: Do not rely on the CAPTCHA feature to prevent automated logons to PHP-Nuke.
PROVIDED AND/OR DISCOVERED BY: Janek Vind "waraxe"
ORIGINAL ADVISORY: http://www.waraxe.us/advisory-45.html
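The design error described above, modelled as an added example (not PHP-Nuke's code and not part of the advisory): a check whose response code is a pure function of the sitekey, User-Agent, random number and date keeps accepting the same pair all day, while a server-stored, single-use challenge rejects the replay. The SHA-256 construction, the `OneTimeCaptcha` class and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SITEKEY = "constructed-sitekey"  # constructed sample value


def stateless_code(random_num, user_agent, day):
    """Model of the flawed design; the hash construction is an assumption."""
    material = f"{SITEKEY}|{user_agent}|{random_num}|{day}".encode()
    return str(int(hashlib.sha256(material).hexdigest(), 16))[:6]


def stateless_verify(random_num, gfx_check, user_agent, day):
    # No server-side state: any pair that was valid once today stays valid.
    return hmac.compare_digest(stateless_code(random_num, user_agent, day), gfx_check)


class OneTimeCaptcha:
    """Hardened form: server-chosen answer, bound to a session, single use, short TTL."""

    def __init__(self, ttl=120, max_attempts=3):
        self.ttl, self.max_attempts = ttl, max_attempts
        self._pending = {}  # session_id -> [answer, expires_at, attempts_left]

    def issue(self, session_id, now=None):
        now = time.time() if now is None else now
        answer = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = [answer, now + self.ttl, self.max_attempts]
        return answer  # rendered into the image only, never a request parameter

    def verify(self, session_id, response, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        answer, expires_at, attempts = entry
        ok = now <= expires_at and hmac.compare_digest(answer, response)
        if ok or attempts <= 1 or now > expires_at:
            del self._pending[session_id]  # consumed, exhausted or expired
        else:
            entry[2] = attempts - 1
        return ok


def replay_results():
    ua, day = "ExampleAgent/1.0", "2006-02-18"  # constructed inputs
    code = stateless_code("123456", ua, day)
    stateless = [stateless_verify("123456", code, ua, day) for _ in range(3)]
    captcha = OneTimeCaptcha()
    answer = captcha.issue("session-a", now=0)
    hardened = [captcha.verify("session-a", answer, now=t) for t in (1, 2, 3)]
    return stateless, hardened
```

`replay_results()` submits the same solved pair three times against each design: the stateless check accepts all three, the one-time store accepts only the first.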