On 12 Sep 2005 r.verton (at) gmail (dot) com [email concealed] wrote:
> Software: PHP Nuke 7.8
> Type: SQL Injections
> Risk: High
>
> PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
> These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
>
> In the modules.php
>
> $result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");
>
> The $name variable is not checked so you could inject malicious SQL Code. In an file which is included whe have the following code:
>
>
> http://www.example.com/modules.php?name=News&file=article&sid=[SQL] - here the same as above, send this via POST to
> bypass the 'union'-cover
>
> http://www.example.com/modules.php?name=News&file=comments&Reply&pid=[SQ
L]
>
> http://www.example.com/modules.php?name=News&file=comments&op=Reply&pid=
[SQL]
>
> http://www.example.com/modules.php?name=News&file=comments&op=Reply&sid=
[SQL]
The $name variable and others like $sid are expected via $_GET and not
$_POST. The proper start to sanitizing the data here is to ensure that
$name is obtained via $_GET and not injected by $_POST, $_COOKIE, or
anything else.
Since you did two things I'm avidly against:
1) no vendor contact information
2) no suggested patches
I wanted to reply and alert folks who run PHP-Nuke and its forks since
after running a cursory search on some popular PHP-Nuke sites I saw
nothing about this:
http://en.wikipedia.org/wiki/Php-nuke
About the above suggestion.
To be specific, find the modules.php file and check for the first instance
of "$name". An example:
"if (isset($name)) {"
Prior to that, simply put in such a line:
$name = $_GET['name'];
You're forcing the $name variable to be set by the HTTP GET request,
rather than inject a value by a cookie or post ($_COOKIE, $_POST
respectively).
The same applies to the rest of the code for other variables.
--
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com
________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.
> Software: PHP Nuke 7.8
> Type: SQL Injections
> Risk: High
>
> PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
> These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
>
> In the modules.php
>
> $result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");
>
> The $name variable is not checked so you could inject malicious SQL Code. In an file which is included whe have the following code:
>
>
> http://www.example.com/modules.php?name=News&file=article&sid=[SQL] - here the same as above, send this via POST to
> bypass the 'union'-cover
>
> http://www.example.com/modules.php?name=News&file=comments&Reply&pid=[SQ
L]
>
> http://www.example.com/modules.php?name=News&file=comments&op=Reply&pid=
[SQL]
>
> http://www.example.com/modules.php?name=News&file=comments&op=Reply&sid=
[SQL]
The $name variable and others like $sid are expected via $_GET and not
$_POST. The proper start to sanitizing the data here is to ensure that
$name is obtained via $_GET and not injected by $_POST, $_COOKIE, or
anything else.
Since you did two things I'm avidly against:
1) no vendor contact information
2) no suggested patches
I wanted to reply and alert folks who run PHP-Nuke and its forks since
after running a cursory search on some popular PHP-Nuke sites I saw
nothing about this:
http://en.wikipedia.org/wiki/Php-nuke
About the above suggestion.
To be specific, find the modules.php file and check for the first instance
of "$name". An example:
"if (isset($name)) {"
Prior to that, simply put in such a line:
$name = $_GET['name'];
You're forcing the $name variable to be set by the HTTP GET request,
rather than inject a value by a cookie or post ($_COOKIE, $_POST
respectively).
The same applies to the rest of the code for other variables.
--
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com
________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.
part000.txt - is OK
http://castlecops.com
[ reply ]