lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0d4d6ca304d5574dc94e0189e0d380d7.hackers@hackers.ir>
Date: Sun, 04 Feb 2007 20:35:37 +0330
From: "Omid" <omid@...kers.ir>
To: <bugtraq@...urityfocus.com>
Subject: Sql injection bugs in PHP-Nuke

Hi,

These bugs were published in full-disclosure about 2 weeks ago (CVE-2007-0372).

There are 5 sql injections in PHP-Nuke 7.9 (and maybe other versions including
version 8) :

Three of them exist in 'advertising', 'weblinks' and 'reviews' sections, which
can be dangerous and are not discribed here .
Two others are in admin section :

The 'active' parameter has been passed to "module_status()" function without
proper checking :

File /admin/modules/modules.php, Line 281 :
** 		module_status($mid, $active);

And in "module_status()" function :

File /admin/modules/modules.php, Line 173 :
** 		$db->sql_query("update " . $prefix . "_modules set active='$active' where mid='$mid'");


Also the 'ad_class', 'imageurl', 'clickurl', 'ad_code' and 'position' parameters
are not checked properly :

File modules/Advertising/admin/index.php, Line 1131 :
** 		BannersAdd($name, $cid, $adname, $imptotal, $imageurl, $clickurl, $alttext, $position, $active, $ad_class, $ad_code, $ad_width, $ad_height);

And in "BannersAdd()" function :

File modules/Advertising/admin/index.php, Line 351 :
** 		$db->sql_query("insert into " . $prefix . "_banner values (NULL, '$cid', '$adname', '$imptotal', '1', '0', '$imageurl', '$clickurl', '$alttext', now(), '00-00-0000 00:00:00', '$position', '$active', '$ad_class', '$ad_code', '$ad_width', '$ad_height')");

The author told me he will fix the bugs for the next version (8.1) .

The original advisory (in Persian) is located at :
http://www.hackers.ir/advisories/festival.txt


- Omid

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ