
Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)



----- Original Message -----
From: "Albert Puigsech Galicia" <ripe@7a69ezine.org>
To: <bugtraq@securityfocus.com>
Sent: Monday, May 12, 2003 9:11 AM
Subject: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)


> /-----------------------------------------------------------------------------\
> |                             7 A 6 9 - A d v                          C: 010 |
> |-----------------------------------------------------------------------------|
> |                                                                             |
> |                        [ PHP-Nuke SQL injection ]                           |
> |                                                                             |
> \-----------------------------------------------------------------------------/
>                                                                  | 11/05/2003 |
>                                                                  \------------/
>
> Data.
> ------
>
>         + Type:         SQL injection.
>
>         + Software:     PHP-Nuke
>
>         + Versions:     6.x (including 6.5) and 5.x
>
>         + Exploit:      Yes
>
>         + Author:        Albert Puigsech Galicia
>
>         + Contact:     ripe@7a69ezine.org
>
>
>
>
>
> Introduction.
> -------------
>
>         PHP-Nuke is a well known content management system programmed
> in PHP by Francisco Burzi; a lot of people use it because it is very
> easy to install and manage.
>
> Description.
> ------------
>
>         The Web_Links module, included in the PHP-Nuke base package, has multiple
> SQL injections (more than 20). The web user may be able to insert his own
> SQL code in most of the numeric values included in queries, because the
> plugin coder didn't use inverted commas.
>
>
>
>
> Exploitation.
> -------------
>
>         If the SQL agent allows us to use a UNION sentence (like MySQL 4
> does) it is possible to extract information about anything inside the
> database; of course this includes passwords, personal data, etc. Otherwise,
> without the UNION possibility we can't access other SQL tables than web links
> management, so the only possibility is to play with hits and votes.
>
>         Some examples:
>
>         [*] On viewlink function:
>
>                 $result = sql_query("select title,parentid from
>                 ".$prefix."_links_categories where cid=$cid", $dbi);
>
>
> http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>
>
>
>         [*] Vim index.php... There are a lot.
>
>
>
>
> Patch.
> -------
>
>         There is no patch for this vulnerability. But it is easy to add
> inverted commas on all numeric values.
>
> Notes.
> ------
>
>         I am really surprised about PHP-Nuke usage. I can't understand that
> software with PHP-Nuke's security history may be used. Lots of
> vulnerabilities have been discovered in this software in the last months, and
> there are more bugs. Recommendation for PHP-Nuke users: Migrate!
>
>
> --
> ---------------------------
>   Albert Puigsech Galicia
>
>  http://ripe.7a69ezine.org
> ---------------------------
>
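The following is an added example, not code from the advisory or from PHP-Nuke itself. It reproduces the pattern the advisory criticises (a numeric URL parameter pasted straight into the SQL text) next to the hardening a maintainer would want: enforcing that `cid` is a plain integer and binding it as a typed parameter, which is stricter than the "add inverted commas" fix because a quoted string still needs escaping while an integer can never carry SQL syntax. The table and column names follow the advisory's snippet; the in-memory SQLite database, the `nuke` prefix and the sample rows and request values are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// 1. The vulnerable pattern from the advisory: whatever arrives in ?cid= becomes
//    part of the SQL text. Shown only to print the resulting statement; it is
//    never executed here.
function vulnerable_sql(string $prefix, string $cid): string
{
    return "select title,parentid from {$prefix}_links_categories where cid=$cid";
}

// 2. Input hardening: accept only a plain decimal integer of bounded length.
//    Anything with spaces, quotes or letters is rejected before it reaches SQL.
function parse_cid(string $raw): int
{
    if (!preg_match('/^\d{1,10}$/', $raw)) {
        throw new InvalidArgumentException("cid must be a decimal integer, got: $raw");
    }
    return (int) $raw;
}

// 3. Query hardening: the table prefix is an identifier and cannot be bound, so
//    it is whitelisted; the category id is bound as an integer parameter so the
//    driver never interprets it as SQL.
function fetch_category(PDO $db, string $prefix, string $rawCid): ?array
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $prefix)) {
        throw new InvalidArgumentException('table prefix contains unexpected characters');
    }
    $stmt = $db->prepare(
        "SELECT title, parentid FROM {$prefix}_links_categories WHERE cid = :cid"
    );
    $stmt->bindValue(':cid', parse_cid($rawCid), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demonstration on constructed data (assumed schema, not PHP-Nuke's own) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE nuke_links_categories (cid INTEGER PRIMARY KEY, title TEXT, parentid INTEGER)');
$db->exec("INSERT INTO nuke_links_categories VALUES (1, 'Security', 0), (2, 'Tools', 1)");

// Constructed request values: only the first is a legitimate category id.
$inputs = ['2', '2 OR 1=1', "2' --", 'abc'];
foreach ($inputs as $raw) {
    echo 'cid=', var_export($raw, true), "\n";
    echo '  SQL the vulnerable code would run: ', vulnerable_sql('nuke', $raw), "\n";
    try {
        $row = fetch_category($db, 'nuke', $raw);
        echo '  hardened result: ', json_encode($row), "\n";
    } catch (InvalidArgumentException $e) {
        echo '  hardened: rejected (', $e->getMessage(), ")\n";
    }
}
```

Run it with `php example.php` (requires the `pdo_sqlite` extension). Only `cid=2` reaches the database; the other three are refused by `parse_cid()` before any statement is prepared, and the printed vulnerable statements show why an unquoted, untyped interpolation lets the same values change the query's meaning.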
