Home page logo

bugtraq logo Bugtraq mailing list archives

Re: PHP Nuke <= 7.8 Multiple SQL Injections
From: Matthias Jim Knopf <jim () users de>
Date: Fri, 16 Sep 2005 00:44:38 +0200 (MEST)

What do you gain from that? In what way would you think your advice did
You did neither issue a "addslashes()" as appropriate for SQL-commands, 
nor did you explain, why a variable set by a POST or a COOKIE could be
worse than anything you could give any URL by appending '?name=...' or
'&name=...' (->GET vars)

Greetings, Matthias "jim" Knopf
GPG/PGP encrypted mails welcome!
Windose Milenium Bug

PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
These issues are due to a failure in the application to properly sanitize user-supplied input before using it in 
SQL queries.

In the modules.php

$result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");

The $name variable is not checked so you could inject malicious SQL Code. In an file which is included whe have the 
following code:
The $name variable and others like $sid are expected via $_GET and not 
$_POST.  The proper start to sanitizing the data here is to ensure that 
$name is obtained via $_GET and not injected by $_POST, $_COOKIE, or 
anything else.
To be specific, find the modules.php file and check for the first instance 
of "$name".  An example:

"if (isset($name)) {"

Prior to that, simply put in such a line:

$name = $_GET['name'];

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]