Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)
From: Rynho Zeros Web <hackargentino () gmx net>
Date: Tue, 13 May 2003 00:22:25 +0200 (MEST)

I have also discovered a Path Disclosure on PHP-Nuke 6.x, and
others?

Exploit:

http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=[any_words]
http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink

If [ any_words ] has a nonnumerical value or a NULL value, this will produce
"path disclosure".  In addition to this form, since Ripe has informed, a SQL
Injection can be made.

Patch (this is a temporal patches, but... is running)
In the viewlink function insert the following thing:

------------------------[ CODE ]------------------------

if(!isset($cid) || $cid == NULL || $cid == "" || !is_numeric ($cid))
{
    echo "I don't like you >:|";
    exit();
}

------------------------[ CODE ]------------------------

------
XyborG
------

Thanks to Verstand & Chiz0



/-----------------------------------------------------------------------------\
|                             7 A 6 9 - A d v                          C:
010

|-----------------------------------------------------------------------------|
|
|                        [ PHP-Nuke SQL injection ]
|

\-----------------------------------------------------------------------------/
                                                                |
11/05/2003 |
                                                               
\------------/

Data.
------

        + Type:         SQL injection.

        + Software:     PHP-Nuke

        + Versions:     6.x (including 6.5) y 5.x

        + Exploit:      Yes

        + Author:        Albert Puigsech Galicia

        + Contact:     ripe () 7a69ezine org





Introduction.
-------------

        PhpNuke is a well known content management system programed
in PHP by Francisco Bucci, a lot of people use it because it is very
easy to install and manage.

Description.
------------

        Web_Links module, included on PHP-Nuke base package, has multiple
SQL injection (more than 20). The web user may be able to insert his own
SQL code in most of the numeric values included in querys, because the
plugin coder didn't use inverted comas.




Explotation.
------------

        If the SQL agent allow us to use an UNION sentence (like MySQL 4
does) it is possible to extract information about anything inside the
database, of course this includes passwords, personal data, etc.
Otherwise,
without UNION posibility we can't access to other SQL tables that web
links
management, so the only posiblity is to play with hits and votes.

        Some examples:

        [*] On viewlink function:

                $result = sql_query("select title,parentid from
                ".$prefix."_links_categories where cid=$cid", $dbi);



http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>


        [*] Vim index.php... There are a lot.




Patch.
-------

        There is no patch for this vulnerability. But is easy to add
inverted
comas on all numeric values.

Notes.
------

        I realy sorprised about PHP-Nuke usage. I can't understand that a
software with PHP-Nuke's security historial may be used. Lot of
vulnerabilty have been discovered on this software in last months, and
there
are more bug. Recomandation for PHP-Nuke users: Migrate!


--
---------------------------
  Albert Puigsech Galicia

 http://ripe.7a69ezine.org
---------------------------


-- 
XyBØrG
WebMaster de:
www.RZWEB.com.ar
Powered By Dattatec.Com

+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]