----- Original Message -----
From: "People Logic Software" <peoplelogic@pinc.com>
To: <tommy@tnet.net>
Sent: Monday, May 12, 2003 10:19 AM
Subject: Fw: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)

> ----- Original Message -----
> From: "Albert Puigsech Galicia" <ripe@7a69ezine.org>
> To: <bugtraq@securityfocus.com>
> Sent: Monday, May 12, 2003 10:11 AM
> Subject: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)
>
> > /--------------------------------------------\
> > | 7 A 6 9 - A d v                     C: 010 |
> > |--------------------------------------------|
> > |                                            |
> > | [ PHP-Nuke SQL injection ]                 |
> > |                                            |
> > \--------------------------------------------/
> >                                 | 11/05/2003 |
> >                                 \------------/
> >
> > Data.
> > -----
> >
> > + Type: SQL injection.
> >
> > + Software: PHP-Nuke
> >
> > + Versions: 6.x (including 6.5) and 5.x
> >
> > + Exploit: Yes
> >
> > + Author: Albert Puigsech Galicia
> >
> > + Contact: ripe@7a69ezine.org
> >
> >
> > Introduction.
> > -------------
> >
> > PHP-Nuke is a well known content management system programmed
> > in PHP by Francisco Burzi; a lot of people use it because it is very
> > easy to install and manage.
> >
> > Description.
> > ------------
> >
> > The Web_Links module, included in the PHP-Nuke base package, has multiple
> > SQL injections (more than 20). The web user may be able to insert his own
> > SQL code in most of the numeric values included in queries, because the
> > plugin coder didn't use inverted commas.
> >
> >
> > Exploitation.
> > -------------
> >
> > If the SQL agent allows us to use a UNION sentence (as MySQL 4
> > does) it is possible to extract information about anything inside the
> > database; of course this includes passwords, personal data, etc.
> > Otherwise, without the UNION possibility we can't access SQL tables other
> > than the web links management ones, so the only possibility is to play
> > with hits and votes.
> >
> > Some examples:
> >
> > [*] On viewlink function:
> >
> > $result = sql_query("select title,parentid from ".$prefix."_links_categories where cid=$cid", $dbi);
> >
> > http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>
> >
> > [*] Vim index.php... There are a lot.
> >
> >
> > Patch.
> > ------
> >
> > There is no patch for this vulnerability. But it is easy to add inverted
> > commas on all numeric values.
> >
> > Notes.
> > ------
> >
> > I'm really surprised about PHP-Nuke usage. I can't understand that
> > software with PHP-Nuke's security history may be used. Lots of
> > vulnerabilities have been discovered in this software in the last months,
> > and there are more bugs. Recommendation for PHP-Nuke users: Migrate!
> >
> >
> > --
> > ---------------------------
> > Albert Puigsech Galicia
> >
> > http://ripe.7a69ezine.org
> > ---------------------------