lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: pokleyzz at (pokley)
Subject: PHPNuke 6.9 > and below SQL Injection in multiple module.

[SCAN Associates Sdn Bhd Security Advisory]

Products: PHPNuke 6.9 > (posibbly 7.x) (
Date: 10 February 2004
Author:  pokleyzz <>

Summary: PHPNuke 6.9 > and below (posibbly 7.x) SQL Injection in multiple 

PHPNuke is most popular content management system written in PHP with SQL 

There is multiple SQL injection in multiple PHPNuke module which allow 
to get "admin hash" and gain admin access to PHPNuke Website.

1) SQL Injection in Search module
There is SQL injection in $category variable when performing search in 
PHPNuke site.
This vulnerability have been disclose in "Hack In the Box Security 
Conference 2003"
( on  (December 12th - 14th 2003). It is proofed 
to be
exploitable in any version of MySQL database. The affected code is on line 
168 in
in index.php from Search module.

167		if ($category > 0) {
168		    $categ = "AND catid=$category ";
169		} elseif ($category == 0) {

One of the table which is selected in this "SELECT" query is nuke_authors 
table. This can
be use to determine admin hash by guesting whether certain query is true 
or false with search result for MySQL 3.

Quick Solution
Disable Search Module from Admin control panel.

2) SQL Injection in Web_links module
Multiple function is vulnerable to SQL injection in $admin variable. This 
encoded variable
is not sanitize after decoded to be use for SQL query. With crafted query 
user can guest
admin hash with the available of "edit" link if the query is success. 
Proof of concept is
provided for this vulnerability. It's required at least one link in 
Web_Links module for
exploitation to be success.

Quick Solution
Disable Web_Links Module from Admin control panel.

Vendor Response
We have try our best to get vendor contact but seem not found any security 
contact. :-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: The_First_Cut_Is_The Deepest.php
Type: application/octet-stream
Size: 3326 bytes
Desc: not available
Url :

Powered by blists - more mailing lists