Open Source and information security mailing list archives
 
Message-ID: <8506.1052778145@www60.gmx.net>
Date: Tue, 13 May 2003 00:22:25 +0200 (MEST)
From: Rynho Zeros Web <hackargentino@....net>
To: bugtraq@...urityfocus.com
Subject: Re: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)


I have also discovered a Path Disclosure on PHP-Nuke 6.x, and
others?

Exploit:

http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=[any_words]
http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink

If [any_words] has a non-numeric value or a NULL value, this will produce a
"path disclosure". In addition to this, as Ripe has reported, an SQL
injection can be made.

Patch (this is a temporary patch, but... it is running)
In the viewlink function insert the following:

------------------------[ CODE ]------------------------

if(!isset($cid) || $cid == NULL || $cid == "" || !is_numeric ($cid))
{
    echo "I don't like you >:|";
    exit();
}

------------------------[ CODE ]------------------------

------
XyborG
------

Thanks to Verstand & Chiz0


> /-----------------------------------------------------------------------------\
> |                             7 A 6 9 - A d v                          C: 010
> |-----------------------------------------------------------------------------|
> |
> |                        [ PHP-Nuke SQL injection ]
> |
> \-----------------------------------------------------------------------------/
>                                                                  | 11/05/2003 |
>                                                                  \------------/
> 
> Data.
> ------
> 
>         + Type:         SQL injection.
> 
>         + Software:     PHP-Nuke
> 
>         + Versions:     6.x (including 6.5) and 5.x
> 
>         + Exploit:      Yes
> 
>         + Author:        Albert Puigsech Galicia
> 
>         + Contact:     ripe@...9ezine.org
> 
> 
> 
> 
> 
> Introduction.
> -------------
> 
>         PhpNuke is a well-known content management system programmed
> in PHP by Francisco Bucci; a lot of people use it because it is very
> easy to install and manage.
> 
> Description.
> ------------
> 
>         The Web_Links module, included in the PHP-Nuke base package, has
> multiple SQL injections (more than 20). The web user may be able to insert
> his own SQL code in most of the numeric values included in queries, because
> the plugin coder didn't use inverted commas.
> 
> 
> 
> 
> Exploitation.
> ------------
> 
>         If the SQL agent allows us to use a UNION sentence (like MySQL 4
> does) it is possible to extract information about anything inside the
> database; of course this includes passwords, personal data, etc.
> Otherwise, without UNION possibility we can't access other SQL tables
> than web links management, so the only possibility is to play with hits
> and votes.
> 
>         Some examples:
> 
>         [*] On viewlink function:
> 
>                 $result = sql_query("select title,parentid from
>                 ".$prefix."_links_categories where cid=$cid", $dbi);
> 
> 
> http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>
> 
> 
>         [*] Vim index.php... There are a lot.
> 
> 
> 
> 
> Patch.
> -------
> 
>         There is no patch for this vulnerability. But it is easy to add
> inverted commas on all numeric values.
> 
> Notes.
> ------
> 
>         I am really surprised about PHP-Nuke usage. I can't understand that
> software with PHP-Nuke's security history may be used. A lot of
> vulnerabilities have been discovered in this software in the last months,
> and there are more bugs. Recommendation for PHP-Nuke users: Migrate!
> 
> 
> --
> ---------------------------
>   Albert Puigsech Galicia
> 
>  http://ripe.7a69ezine.org
> ---------------------------
> 

-- 
XyBØrG
WebMaster of:
www.RZWEB.com.ar
Powered By Dattatec.Com
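
An added example (not part of either message above, and not PHP-Nuke's own code) of the `$cid` check from the reply, tightened to digits only and paired with a bound parameter for the `viewlink` query quoted in the advisory. It assumes PHP 7.1+ with PDO SQLite standing in for the site's database; the `nuke` prefix, the function names and the sample row are constructed.

```php
<?php
// Added example, not PHP-Nuke code. Table and column names follow the query
// quoted in the advisory; the "nuke" prefix and the row are constructed.

// Strict check: one to ten ASCII digits only (assumed bound for an INT id).
function parse_cid($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,10}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Bound parameter: the request value never becomes part of the SQL text.
// $prefix is site configuration, not request data.
function view_link_category(PDO $db, string $prefix, $rawCid): ?array
{
    $cid = parse_cid($rawCid);
    if ($cid === null) {
        return null; // caller sends a generic error, no PHP or SQL message
    }
    $stmt = $db->prepare(
        "SELECT title, parentid FROM {$prefix}_links_categories WHERE cid = :cid"
    );
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the real backend.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE nuke_links_categories (cid INTEGER PRIMARY KEY, title TEXT, parentid INTEGER)');
$db->exec("INSERT INTO nuke_links_categories VALUES (2, 'Security', 0)");

// Constructed request values: missing, empty, non-numeric, the advisory's
// "2 <our_code>" shape, two strings is_numeric() accepts, and a valid id.
foreach ([null, '', 'abc', '2 <our_code>', '1.5', '1e3', '2'] as $raw) {
    $row = view_link_category($db, 'nuke', $raw);
    printf("%-16s is_numeric=%-5s strict=%-5s row=%s\n",
        var_export($raw, true),
        var_export(is_numeric($raw), true),
        var_export(parse_cid($raw) !== null, true),
        $row === null ? 'none' : $row['title']);
}
```

Only the last value passes the strict check and returns a row; `1.5` and `1e3` pass `is_numeric()` but are not valid category ids.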



