lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030920043925.30916.qmail@sf-www2-symnsj.securityfocus.com>
Date: 20 Sep 2003 04:39:25 -0000
From: Lifo Fifo <lifofifo20@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Vulnrability in myPHPnuke 1.8.8




Language : PHP
Script : http://www.myphpnuke.com 1.8.8 
Problem : SQL Injection
Description : myphpnuke is a widely used Content Managemnt System.

Problem :

In auth.inc.php file,

*********************
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
if($aid!="" AND $pwd!="") {
$q="select pwd from ".$mpnTables['authors']." where aid='$aid'";
$result=mysql_query("select pwd from ".$mpnTables['authors']." where aid='$aid'");
list($pass)=mysql_fetch_row($result);
if ($pass == $pwd) {
$pwd1 = md5($pwd);
mysql_query("update ".$mpnTables['authors']." set pwd = '$pwd1' where aid='$aid'");
$pass = $pwd1;
} else {
$pwd1 = md5($pwd);
}
if($pass == $pwd1) {
$admin = base64_encode("$aid:$pwd1");
setcookie("admin", "$admin", time()+2592000, "", "", ""); // 1 mo is 2592000
}
}
}
********************

Here the $aid is not checked. If you open the page like,

Therefore you can run the query like,

select pwd from mpn_authors where aid='mad' into outfile '/filepath/file.txt'

when you enter 
aid=mad' into outfile '/filepath/file.txt

This will not work if magic_quotes_gpc is on.

Fix : 

Find the line
**********
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
if($aid!="" AND $pwd!="") {
**********

Add

**********
$aid=addslashes($aid);
**********

Credit :
lifofifo & hackingzone.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ