BugTraq
Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) May 12 2003 05:11PM
Albert Puigsech Galicia (ripe 7a69ezine org) (1 replies)
Re: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) May 12 2003 10:22PM
Rynho Zeros Web (hackargentino gmx net) (1 replies)
I have also discovered a Path Disclosure on PHP-Nuke 6.x, and
others?

Exploit:

http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=vi
ewlink&cid=[any_words]
http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=vi
ewlink

If [ any_words ] has a nonnumerical value or a NULL value, this will produce
"path disclosure". In addition to this form, since Ripe has informed, a SQL
Injection can be made.

Patch (this is a temporal patches, but... is running)
In the viewlink function insert the following thing:

------------------------[ CODE ]------------------------

if(!isset($cid) || $cid == NULL || $cid == "" || !is_numeric ($cid))
{
echo "I don't like you >:|";
exit();
}

------------------------[ CODE ]------------------------

------
XyborG
------

Thanks to Verstand & Chiz0

>
/-----------------------------------------------------------------------
------> | 7 A 6 9 - A d v C:
> 010
>
|-----------------------------------------------------------------------
------|
> |
> | [ PHP-Nuke SQL injection ]
> |
>
\-----------------------------------------------------------------------
------/
> |
> 11/05/2003 |
>
> \------------/
>
> Data.
> ------
>
> + Type: SQL injection.
>
> + Software: PHP-Nuke
>
> + Versions: 6.x (including 6.5) y 5.x
>
> + Exploit: Yes
>
> + Author: Albert Puigsech Galicia
>
> + Contact: ripe (at) 7a69ezine (dot) org [email concealed]
>
>
>
>
>
> Introduction.
> -------------
>
> PhpNuke is a well known content management system programed
> in PHP by Francisco Bucci, a lot of people use it because it is very
> easy to install and manage.
>
> Description.
> ------------
>
> Web_Links module, included on PHP-Nuke base package, has multiple
> SQL injection (more than 20). The web user may be able to insert his own
> SQL code in most of the numeric values included in querys, because the
> plugin coder didn't use inverted comas.
>
>
>
>
> Explotation.
> ------------
>
> If the SQL agent allow us to use an UNION sentence (like MySQL 4
> does) it is possible to extract information about anything inside the
> database, of course this includes passwords, personal data, etc.
> Otherwise,
> without UNION posibility we can't access to other SQL tables that web
> links
> management, so the only posiblity is to play with hits and votes.
>
> Some examples:
>
> [*] On viewlink function:
>
> $result = sql_query("select title,parentid from
> ".$prefix."_links_categories where cid=$cid", $dbi);
>
>
>
http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=view
link&cid=2%20<our_code>
>
>
> [*] Vim index.php... There are a lot.
>
>
>
>
> Patch.
> -------
>
> There is no patch for this vulnerability. But is easy to add
> inverted
> comas on all numeric values.
>
> Notes.
> ------
>
> I realy sorprised about PHP-Nuke usage. I can't understand that a
> software with PHP-Nuke's security historial may be used. Lot of
> vulnerabilty have been discovered on this software in last months, and
> there
> are more bug. Recomandation for PHP-Nuke users: Migrate!
>
>
> --
> ---------------------------
> Albert Puigsech Galicia
>
> http://ripe.7a69ezine.org
> ---------------------------
>

--
XyBØrG
WebMaster de:
www.RZWEB.com.ar
Powered By Dattatec.Com

+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

[ reply ]
Re[2]: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) May 14 2003 12:57PM
Benjamin Schulz (lists hnc cc)


 

Privacy Statement
Copyright 2010, SecurityFocus