PhpNuke is a well known content management system programed
in PHP by Francisco Bucci, a lot of people use it because it is very
easy to install and manage.
Description.
------------
Web_Links module, included on PHP-Nuke base package, has multiple
SQL injection (more than 20). The web user may be able to insert his own
SQL code in most of the numeric values included in querys, because the
plugin coder didn't use inverted comas.
Explotation.
------------
If the SQL agent allow us to use an UNION sentence (like MySQL 4
does) it is possible to extract information about anything inside the
database, of course this includes passwords, personal data, etc. Otherwise,
without UNION posibility we can't access to other SQL tables that web links
management, so the only posiblity is to play with hits and votes.
Some examples:
[*] On viewlink function:
$result = sql_query("select title,parentid from
".$prefix."_links_categories where cid=$cid", $dbi);
There is no patch for this vulnerability. But is easy to add inverted
comas on all numeric values.
Notes.
------
I realy sorprised about PHP-Nuke usage. I can't understand that a
software with PHP-Nuke's security historial may be used. Lot of
vulnerabilty have been discovered on this software in last months, and there
are more bug. Recomandation for PHP-Nuke users: Migrate!
--
---------------------------
Albert Puigsech Galicia
------| 7 A 6 9 - A d v C: 010
|-----------------------------------------------------------------------
------|
|
| [ PHP-Nuke SQL injection ]
|
\-----------------------------------------------------------------------
------/
| 11/05/2003 |
\------------/
Data.
------
+ Type: SQL injection.
+ Software: PHP-Nuke
+ Versions: 6.x (including 6.5) y 5.x
+ Exploit: Yes
+ Author: Albert Puigsech Galicia
+ Contact: ripe (at) 7a69ezine (dot) org [email concealed]
Introduction.
-------------
PhpNuke is a well known content management system programed
in PHP by Francisco Bucci, a lot of people use it because it is very
easy to install and manage.
Description.
------------
Web_Links module, included on PHP-Nuke base package, has multiple
SQL injection (more than 20). The web user may be able to insert his own
SQL code in most of the numeric values included in querys, because the
plugin coder didn't use inverted comas.
Explotation.
------------
If the SQL agent allow us to use an UNION sentence (like MySQL 4
does) it is possible to extract information about anything inside the
database, of course this includes passwords, personal data, etc. Otherwise,
without UNION posibility we can't access to other SQL tables that web links
management, so the only posiblity is to play with hits and votes.
Some examples:
[*] On viewlink function:
$result = sql_query("select title,parentid from
".$prefix."_links_categories where cid=$cid", $dbi);
http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=view
link&cid=2%20<our_code>
[*] Vim index.php... There are a lot.
Patch.
-------
There is no patch for this vulnerability. But is easy to add inverted
comas on all numeric values.
Notes.
------
I realy sorprised about PHP-Nuke usage. I can't understand that a
software with PHP-Nuke's security historial may be used. Lot of
vulnerabilty have been discovered on this software in last months, and there
are more bug. Recomandation for PHP-Nuke users: Migrate!
--
---------------------------
Albert Puigsech Galicia
http://ripe.7a69ezine.org
---------------------------
[ reply ]