Date: Wed, 14 Sep 2005 00:43:42 -0400 (EDT)
From: Paul Laudanski <zx@...tlecops.com>
To: r.verton@...il.com
Cc: bugtraq@...urityfocus.com, <bugs@...uritytracker.com>,
	<moderators@...db.org>, <news@...uriteam.com>, <vuln@...unia.com>
Subject: Re: PHP Nuke <= 7.8 Multiple SQL Injections


On 12 Sep 2005 r.verton@...il.com wrote:

> Software: PHP Nuke 7.8
> Type: SQL Injections
> Risk: High
> 
> PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
> These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
> 
> In the modules.php
> 
> $result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");
> 
> The $name variable is not checked so you could inject malicious SQL code. In a file which is included we have the following code:
> 
> 
> http://www.example.com/modules.php?name=News&file=article&sid=[SQL] - here the same as above, send this via POST to
> bypass the 'union'-cover
> 
> http://www.example.com/modules.php?name=News&file=comments&Reply&pid=[SQL]
> 
> http://www.example.com/modules.php?name=News&file=comments&op=Reply&pid=[SQL]
> 
> http://www.example.com/modules.php?name=News&file=comments&op=Reply&sid=[SQL]

The $name variable and others like $sid are expected via $_GET and not 
$_POST.  The proper start to sanitizing the data here is to ensure that 
$name is obtained via $_GET and not injected by $_POST, $_COOKIE, or 
anything else.

Since you did two things I'm avidly against:

1) no vendor contact information
2) no suggested patches

I wanted to reply and alert folks who run PHP-Nuke and its forks since 
after running a cursory search on some popular PHP-Nuke sites I saw 
nothing about this:

http://en.wikipedia.org/wiki/Php-nuke

About the above suggestion.

To be specific, find the modules.php file and check for the first instance 
of "$name".  An example:

"if (isset($name)) {"

Prior to that, simply put in such a line:

$name = $_GET['name'];

You're forcing the $name variable to be set by the HTTP GET request, 
rather than inject a value by a cookie or post ($_COOKIE, $_POST 
respectively).

The same applies to the rest of the code for other variables.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com
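As an added example (not PHP-Nuke code and not part of the thread), the query quoted from modules.php rewritten with a PDO prepared statement: the value of $name is passed to the database separately from the SQL text, so quotes or keywords inside it are matched literally as a title no matter which request channel delivered it. The $pdo handle, the nuke_ prefix, the module_status() function and the in-memory SQLite table are constructed for the demonstration.

```php
<?php
// Added example: hardened form of the quoted modules.php lookup.
// Assumes a PDO handle; an in-memory SQLite table stands in for the site's
// MySQL database. The function name and sample rows are constructed here.

function module_status(PDO $pdo, string $prefix, string $name): ?array
{
    // A table name cannot be a bound parameter, so the prefix is validated
    // against a strict pattern instead of being interpolated unchecked.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    // Bound parameter: the SQL structure is fixed before $name is supplied,
    // so the value can only ever be compared as a string.
    $stmt = $pdo->prepare(
        "SELECT active, view FROM {$prefix}_modules WHERE title = :title"
    );
    $stmt->execute([':title' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE nuke_modules (title TEXT, active INTEGER, view INTEGER)");
$pdo->exec("INSERT INTO nuke_modules VALUES ('News', 1, 0), ('Admin', 0, 2)");

// Legitimate lookup; in modules.php the value would come from $_GET['name'].
$ok = module_status($pdo, 'nuke', 'News');
print_r($ok);

// A value carrying a quote and SQL keywords is matched literally as a title
// and finds no row, whether it arrived via GET, POST or a cookie.
$hostile = module_status($pdo, 'nuke', "News' OR '1'='1");
var_dump($hostile);
```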



