TUCoPS :: Web :: PHP :: bt1450.txt

Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)



----- Original Message -----
From: "People Logic Software" <peoplelogic@pinc.com>
To: <tommy@tnet.net>
Sent: Monday, May 12, 2003 10:19 AM
Subject: Fw: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)


>
> ----- Original Message -----
> From: "Albert Puigsech Galicia" <ripe@7a69ezine.org>
> To: <bugtraq@securityfocus.com>
> Sent: Monday, May 12, 2003 10:11 AM
> Subject: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)
>
>
> >
> > /---------------------------------------------------------------------------\
> > |                             7 A 6 9 - A d v                       C: 010 |
> > |---------------------------------------------------------------------------|
> > |                                                                           |
> > |                        [ PHP-Nuke SQL injection ]                         |
> > |                                                                           |
> > \---------------------------------------------------------------------------/
> >                                                                |            |
> >                                                                | 11/05/2003 |
> >                                                                \------------/
> >
> > Data.
> > ------
> >
> >         + Type:         SQL injection.
> >
> >         + Software:     PHP-Nuke
> >
> >         + Versions:     6.x (including 6.5) and 5.x
> >
> >         + Exploit:      Yes
> >
> >         + Author:       Albert Puigsech Galicia
> >
> >         + Contact:      ripe@7a69ezine.org
> >
> >
> >
> >
> >
> > Introduction.
> > -------------
> >
> >         PHP-Nuke is a well known content management system programmed
> > in PHP by Francisco Bucci; a lot of people use it because it is very
> > easy to install and manage.
> >
> > Description.
> > ------------
> >
> >         Web_Links module, included in the PHP-Nuke base package, has
> > multiple SQL injections (more than 20). The web user may be able to insert
> > his own SQL code in most of the numeric values included in queries, because
> > the plugin coder didn't use inverted commas.
> >
> >
> >
> >
> > Exploitation.
> > -------------
> >
> >         If the SQL engine allows us to use a UNION statement (like MySQL 4
> > does) it is possible to extract information about anything inside the
> > database; of course this includes passwords, personal data, etc. Otherwise,
> > without the UNION possibility, we can't access SQL tables other than the web
> > links management ones, so the only possibility is to play with hits and votes.
> >
> >         Some examples:
> >
> >         [*] On viewlink function:
> >
> >                 $result = sql_query("select title,parentid from
> >                 ".$prefix."_links_categories where cid=$cid", $dbi);
> >
> >
> >
> > http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>
> >
> >
> >         [*] Vim index.php... There are a lot.
> >
> >
> >
> >
> > Patch.
> > -------
> >
> >         There is no patch for this vulnerability. But it is easy to add
> > inverted commas around all numeric values.
> >
> > Notes.
> > ------
> >
> >         I'm really surprised about PHP-Nuke usage. I can't understand how
> > software with PHP-Nuke's security history can be used. Lots of
> > vulnerabilities have been discovered in this software in the last months,
> > and there are more bugs. Recommendation for PHP-Nuke users: Migrate!
> >
> >
> > --
> > ---------------------------
> >   Albert Puigsech Galicia
> >
> >  http://ripe.7a69ezine.org
> > ---------------------------
> >
>
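The advisory above quotes the viewlink query with $cid interpolated unquoted and suggests inverted commas as the fix. The following is an added example, written for this page and not code from the advisory or from PHP-Nuke: it models the same query shape in Python against an in-memory SQLite database (which, like the MySQL 4 the advisory mentions, supports UNION), using constructed tables nuke_links_categories and nuke_authors with made-up rows (the "nuke_" prefix, the column names and the author row are assumptions for the demo). It shows the UNION extraction through the unquoted cid, that the suggested quoting stops that payload but not one which closes the quote itself (unless quotes in the input are escaped), and the robust fix: enforce the integer type and bind the value as a parameter (in the PHP original the equivalent would be intval($cid) plus a parameterised query).

```python
import sqlite3
from urllib.parse import quote

# Constructed sample data for this example only: a cut-down version of the two
# tables the advisory's scenario touches, with the default "nuke_" prefix.
# The author row and its "hash" are made up.
SCHEMA = """
CREATE TABLE nuke_links_categories (cid INTEGER, title TEXT, parentid INTEGER);
INSERT INTO nuke_links_categories VALUES (1, 'Security', 0), (2, 'Tools', 1);
CREATE TABLE nuke_authors (aid TEXT, pwd TEXT);
INSERT INTO nuke_authors VALUES ('God', 'constructed-md5-hash');
"""

# Payloads that replace <our_code> in the advisory's viewlink URL.
PAYLOAD_UNQUOTED = "2 UNION SELECT aid,pwd FROM nuke_authors"
PAYLOAD_QUOTED = "2' UNION SELECT aid,pwd FROM nuke_authors--"

VIEWLINK_URL = ("http://victim/modules.php?op=modload&name=Web_Links"
                "&file=index&l_op=viewlink&cid=")


def build_db():
    """Fresh in-memory SQLite database loaded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def attack_url(payload):
    """The advisory's URL with <our_code> replaced by a URL-encoded payload."""
    return VIEWLINK_URL + quote(payload, safe="")


def viewlink_vulnerable(cid):
    """Same shape as the advisory's query: the numeric value is interpolated unquoted."""
    sql = f"select title,parentid from nuke_links_categories where cid={cid}"
    return build_db().execute(sql).fetchall()


def viewlink_quoted(cid):
    """The advisory's suggested fix: inverted commas around the numeric value.

    Defeats PAYLOAD_UNQUOTED, but a payload that closes the quote still injects
    unless quote characters in the input are escaped before the query is built.
    """
    sql = f"select title,parentid from nuke_links_categories where cid='{cid}'"
    return build_db().execute(sql).fetchall()


def viewlink_safe(cid):
    """Robust fix: enforce the integer type, then bind it as a query parameter.

    Raises ValueError for anything that is not an integer, so neither payload
    ever reaches the SQL engine.
    """
    cid_int = int(cid)  # "2 UNION ..." and "2' UNION ..." both raise here
    sql = "select title,parentid from nuke_links_categories where cid=?"
    return build_db().execute(sql, (cid_int,)).fetchall()


def rejected_by_safe(cid):
    """True when viewlink_safe() refuses the input (convenience for checks)."""
    try:
        viewlink_safe(cid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(attack_url(PAYLOAD_UNQUOTED))
    print("unquoted query, UNION payload:", viewlink_vulnerable(PAYLOAD_UNQUOTED))
    print("quoted query, same payload:   ", viewlink_quoted(PAYLOAD_UNQUOTED))
    print("quoted query, quote-closing:  ", viewlink_quoted(PAYLOAD_QUOTED))
    print("typed + bound query rejects both payloads:",
          rejected_by_safe(PAYLOAD_UNQUOTED) and rejected_by_safe(PAYLOAD_QUOTED))
```

The `--` comment that swallows the trailing quote in PAYLOAD_QUOTED is SQLite syntax; against MySQL the comment would need a trailing space (`-- `) or `#`, and the `%20` encoding in the advisory's URL covers that space. The point of the last function is that the fix is type enforcement plus parameter binding, not string quoting.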
