[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8506.1052778145@www60.gmx.net>
Date: Tue, 13 May 2003 00:22:25 +0200 (MEST)
From: Rynho Zeros Web <hackargentino@....net>
To: bugtraq@...urityfocus.com
Subject: Re: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)
I have also discovered a Path Disclosure on PHP-Nuke 6.x, and
others?
Exploit:
http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=[any_words]
http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink
If [ any_words ] has a nonnumerical value or a NULL value, this will produce
"path disclosure". In addition to this form, since Ripe has informed, a SQL
Injection can be made.
Patch (this is a temporal patches, but... is running)
In the viewlink function insert the following thing:
------------------------[ CODE ]------------------------
if(!isset($cid) || $cid == NULL || $cid == "" || !is_numeric ($cid))
{
echo "I don't like you >:|";
exit();
}
------------------------[ CODE ]------------------------
------
XyborG
------
Thanks to Verstand & Chiz0
>
/-----------------------------------------------------------------------------\
> | 7 A 6 9 - A d v C:
> 010
>
|-----------------------------------------------------------------------------|
> |
> | [ PHP-Nuke SQL injection ]
> |
>
\-----------------------------------------------------------------------------/
> |
> 11/05/2003 |
>
> \------------/
>
> Data.
> ------
>
> + Type: SQL injection.
>
> + Software: PHP-Nuke
>
> + Versions: 6.x (including 6.5) y 5.x
>
> + Exploit: Yes
>
> + Author: Albert Puigsech Galicia
>
> + Contact: ripe@...9ezine.org
>
>
>
>
>
> Introduction.
> -------------
>
> PhpNuke is a well known content management system programed
> in PHP by Francisco Bucci, a lot of people use it because it is very
> easy to install and manage.
>
> Description.
> ------------
>
> Web_Links module, included on PHP-Nuke base package, has multiple
> SQL injection (more than 20). The web user may be able to insert his own
> SQL code in most of the numeric values included in querys, because the
> plugin coder didn't use inverted comas.
>
>
>
>
> Explotation.
> ------------
>
> If the SQL agent allow us to use an UNION sentence (like MySQL 4
> does) it is possible to extract information about anything inside the
> database, of course this includes passwords, personal data, etc.
> Otherwise,
> without UNION posibility we can't access to other SQL tables that web
> links
> management, so the only posiblity is to play with hits and votes.
>
> Some examples:
>
> [*] On viewlink function:
>
> $result = sql_query("select title,parentid from
> ".$prefix."_links_categories where cid=$cid", $dbi);
>
>
>
http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>
>
>
> [*] Vim index.php... There are a lot.
>
>
>
>
> Patch.
> -------
>
> There is no patch for this vulnerability. But is easy to add
> inverted
> comas on all numeric values.
>
> Notes.
> ------
>
> I realy sorprised about PHP-Nuke usage. I can't understand that a
> software with PHP-Nuke's security historial may be used. Lot of
> vulnerabilty have been discovered on this software in last months, and
> there
> are more bug. Recomandation for PHP-Nuke users: Migrate!
>
>
> --
> ---------------------------
> Albert Puigsech Galicia
>
> http://ripe.7a69ezine.org
> ---------------------------
>
--
XyBØrG
WebMaster de:
www.RZWEB.com.ar
Powered By Dattatec.Com
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
Powered by blists - more mailing lists