| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 27 Sep 2007 13:25:16 -0000
From: come2waraxe@...oo.com
To: bugtraq@...urityfocus.com
Subject: [waraxe-2007-SA#056] - Another Sql Injection in NukeSentinel 2.5.11
[waraxe-2007-SA#056] - Another Sql Injection in NukeSentinel 2.5.11
====================================================================
Author: Janek Vind "waraxe"
Date: 27. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-56.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Developer: http://www.nukescripts.net
NukeSentinel is anti-hacking sofware, used for protection phpnuke
against various security-related attacks.
Vulnerabilities: Critical Sql Injection in "nukesentinel.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's look at script "includes/nukesentinel.php" source code:
------------>[source code]<------------
function is_god($axadmin) {
global $db, $prefix, $aname;
$tmpadm = base64_decode($axadmin);
$tmpadm = explode(":", $tmpadm);
$aname = $tmpadm[0];
$apwd = $tmpadm[1];
if(!empty($aname) AND !empty($apwd)) {
$aname = trim($aname);
$apwd = trim($apwd);
$admrow = $db->sql_fetchrow($db->sql_query("SELECT * FROM
`".$prefix."_authors` WHERE `aid`='$aname'"));
------------>[/source code]<-----------
So as seen in code snippet above, data from "base64_decode()" function
is used in sql query without any sanityze.
Now is the question, which part of the code uses this function.
Here is the answer:
------------>[source code]<------------
// AUTHOR Protection
$blocker_row = $blocker_array[5];
if($blocker_row['activate'] > 0) {
if(isset($op) AND ($op=="mod_authors" OR $op=="modifyadmin" OR
$op=="UpdateAuthor" OR $op=="AddAuthor" OR $op=="deladmin2" OR
$op=="deladmin" OR $op=="assignstories" OR $op=="deladminconf")
AND !is_god($_COOKIE['admin'])) {
block_ip($blocker_row);
}
}
}
------------>[/source code]<-----------
It's easy to see, that $_COOKIE['admin'] variable will be used as argument
for "is_god()" function. And we have another critical sql injetion in place.
I have written proof-of-concept blind injection exploit for this specific
case and it's working flawlessly.
Happy news to potential victims - developer has allready patched this security
hole in NukeSentinel with releasing new version - 2.5.12
//-----> See ya soon and have a nice day ;) <-----//
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NukeSentinel's new version 2.5.12 is patched, so download it A.S.A.P.
http://www.nukescripts.net/modules.php?name=Downloads&op=getit&lid=1063
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@...oo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Geology readings - http://geology.oldreadings.com/
Biography Database - http://www.biosaxe.com/
---------------------------------- [ EOF ] ----------------------------
Powered by blists - more mailing lists