Date: Thu, 27 Sep 2007 20:01:10 +0200
From: Bugsman <bugsman@...ero.it>
To: bugtraq@...urityfocus.com
Subject: Re: [waraxe-2007-SA#056] - Another Sql Injection in NukeSentinel
 2.5.11

Funny enough, the unsafe code in nukesentinel.php is very very similar 
to unsafe code I found 4 years ago in php-nuke (for details: 
http://www.securityfocus.com/archive/1/323425 ), leading to a similar 
sql injection. Back from the past? Does the good old "learn from past 
errors" got so out-of-fashion? :)

Bugsman aka Gufino2


come2waraxe@...oo.com ha scritto:
> [waraxe-2007-SA#056] - Another Sql Injection in NukeSentinel 2.5.11
> ====================================================================
>
> Author: Janek Vind "waraxe"
> Date: 27. September 2007
> Location: Estonia, Tartu
> Web: http://www.waraxe.us/advisory-56.html
>
>
> Target software description:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Developer: http://www.nukescripts.net
>
> NukeSentinel is anti-hacking sofware, used for protection phpnuke
> against various security-related attacks. 
>
> Vulnerabilities: Critical Sql Injection in "nukesentinel.php"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Let's look at script "includes/nukesentinel.php" source code:
>
> ------------>[source code]<------------
>
> function is_god($axadmin) {
>   global $db, $prefix, $aname;
>   $tmpadm = base64_decode($axadmin);
>   $tmpadm = explode(":", $tmpadm);
>   $aname = $tmpadm[0];
>   $apwd = $tmpadm[1];
>   if(!empty($aname) AND !empty($apwd)) {
>     $aname = trim($aname);
>     $apwd = trim($apwd);
>     $admrow = $db->sql_fetchrow($db->sql_query("SELECT * FROM
>  `".$prefix."_authors` WHERE `aid`='$aname'"));
>
> ------------>[/source code]<-----------
>
> So as seen in code snippet above, data from "base64_decode()" function
> is used in sql query without any sanityze.
> Now is the question, which part of the code uses this function.
> Here is the answer:
>
> ------------>[source code]<------------
>
> // AUTHOR Protection
> $blocker_row = $blocker_array[5];
> if($blocker_row['activate'] > 0) {
>   if(isset($op) AND ($op=="mod_authors" OR $op=="modifyadmin" OR
>  $op=="UpdateAuthor" OR $op=="AddAuthor" OR $op=="deladmin2" OR 
> $op=="deladmin" OR $op=="assignstories" OR $op=="deladminconf")
>  AND !is_god($_COOKIE['admin'])) {
>     block_ip($blocker_row);
>   }
> }
> }
>
> ------------>[/source code]<-----------
>
> It's easy to see, that $_COOKIE['admin'] variable will be used as argument
> for "is_god()" function. And we have another critical sql injetion in place.
> I have written proof-of-concept blind injection exploit for this specific
> case and it's working flawlessly.
> Happy news to potential victims - developer has allready patched this security
> hole in NukeSentinel with releasing new version - 2.5.12
>
> //-----> See ya soon and have a nice day ;) <-----//
>
> How to fix:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> NukeSentinel's new version 2.5.12 is patched, so download it A.S.A.P.
>
> http://www.nukescripts.net/modules.php?name=Downloads&op=getit&lid=1063
>
>
> Greetings:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
> and anyone else who know me!
> Greetings to Raido Kerna.
> Tervitusi Torufoorumi rahvale!
>
> Contact:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> come2waraxe@...oo.com
> Janek Vind "waraxe"
>
> Homepage: http://www.waraxe.us/
>
>
> Shameless advertise:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Geology readings - http://geology.oldreadings.com/
> Biography Database - http://www.biosaxe.com/
>
> ---------------------------------- [ EOF ] ----------------------------
>
>
>   

Powered by blists - more mailing lists