BugTraq
Possible bug in PHPNuke and other CMS May 30 2004 02:53PM
Luca Falavigna (fala83 libero it) (3 replies)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is a vulnerability in PHPNuke that permits execution of arbitrary
SQL queries on a database located in the same server of an attacker's
account. This is the procedure: first of all attacker must create a
symlink pointing to victim's db directory in PHPNuke home directory
because of mainfile.php include method. After that he can build a simple
php code executing a query to the PHPNuke database. Here is an example:

<?php
require_once ("/location_of_victim's_PHPNuke/mainfile.php");
$sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
while($record = $db->sql_fetchrow($sql))
~ echo "Username: $record[aid]\n<br>\nPassword: $record[pwd]\n<br><br>\n";
unset($sql);
?>

Queries are executed normally because config.php (which is included by
mainfile.php) provides the information in order to connect to the chosen
database. This is a very easy way to deface PHPNuke-based websites or
adding and removing users, and so on.

This "homemade patch" goes in config.php, just below connection
variables. It checks domain name provided by web server with the one
provided by the user and grants execution of SQL queries only if domain
names match. Here is the code:

$domainname = "www.example.com";
if ($_SERVER['SERVER_NAME'] != $domainname ) {
~ echo "Access denied";
~ die();
}

This vulnerability isn't only for PHPNuke, but also for every CMS that
doesn't check domain names.

Greetings,

Luca Falavigna

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBQLn1V/TtdJayrm9xAQL8jAf+MV1wlF5MJW8nDez3kOoHugvqmb2L2ftG
kwkEfl/zERPfsu651/PM9ocDkm1z+pLJh6kzPusED2GVuZOGY9Gbd5P5dOjGc7qX
OqEzXMRWkX3r2joAzyjKsO24sAc4YNI0FQPPFve9sZqRMdG+vF4VzIoldjiegSVH
d5rLceL/AojrzEakUiBGBUuKJN/k0uG3NzACra3Oa8haMwlTvQmY0VRjSgGArCq2
ohpSlCTZOk4iANYJXHaZE0u+Ep0t4UOCZK9j/jM8rjMdpCynWCkGo/FzcreakHom
FCHAR9m0LJ0UuuPU/1VbamwZ6OlNhdMWau9wIKJGW0bsWnzSwd7llg==
=JnMQ
-----END PGP SIGNATURE-----

[ reply ]
Re: Possible bug in PHPNuke and other CMS Jun 01 2004 09:14AM
Peter Hagstrøm (ph deadcode dk)
Re: [Full-Disclosure] Possible bug in PHPNuke and other CMS Jun 01 2004 07:09AM
Sam Bashton (sam ipsupport co uk)
Re: Possible bug in PHPNuke and other CMS Jun 01 2004 04:50AM
Alexander GQ Gerasiov (bugtaq gq pp ru) (1 replies)
Re: Possible bug in PHPNuke and other CMS Jun 01 2004 05:13PM
Luca Falavigna (fala83 libero it) (1 replies)
Re: Possible bug in PHPNuke and other CMS Jun 04 2004 12:25PM
BlueRaven (blue ravenconsulting it)


 

Privacy Statement
Copyright 2010, SecurityFocus