More and More SQL injection on PHP-Nuke 6.5.

From: Albert Puigsech Galicia (ripeat_private)
Date: Tue May 13 2003 - 14:11:48 PDT

  • Next message: David F. Madrid: "[Full-Disclosure] Memory leak in 3COM 812 DSL routers" 

    -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

/-----------------------------------------------------------------------------\
|                             7 A 6 9 - A d v                          C: 011 
|-----------------------------------------------------------------------------|
| 
|                        [ PHP-Nuke SQL injection ]                           
|
\-----------------------------------------------------------------------------/
                                                                | 13/05/2003 |
                                                                \------------/

Data.
- ------

        + Tipy:         SQL injection.

        + Software:     PHP-Nuke

        + Verions:     6.x (including 6.5) y 5.x

        + Exploit:      Yes

        + Author:        Albert Puigsech Galicia

        + Contact:     ripeat_private





Introduction.
- -------------

        PhpNuke is a well known content management system programed
in PHP by Francisco Bucci, a lot of people use it because it is very
easy to install and manage.



Descriptión.
- ------------

        The PHP-Nuke's file download module includes SQL injection features 
(as usual). The web user may be able to insert his own SQL code in most of 
the numeric values included in querys, because the plugin coder didn't use 
inverted comas.



Explotation.
- ------------

        If the SQL agent allow us to use an UNION sentence (like MySQL 4
does) it is possible to extract information about anything inside the
database, of course this includes passwords, personal data, etc. Otherwise,
without UNION posibility we can't access to other SQL tables that web links
management, so the only posiblity is to play with hits and votes.

        Some examples:

        [*] On getit function:

- ---
    sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE 
lid=$lid", $dbi);
        $result = sql_query("SELECT url FROM ".$prefix."_downloads_downloads 
WHERE lid=$lid", $dbi);
- ---

                
http://www.caxa.ru/modules.php?name=Downloads&d_op=getit&lid=2%20>




        [*] On search function:

- ---
    $result = sql_query("SELECT lid, cid, title, url, description, date, hits, 
downloadratingsummary, totalvotes, totalcomments, filesize, version, homepage 
FROM ".$prefix."_downloads_downloads WHERE title LIKE '%$query%' OR 
description LIKE '%$query%' ORDER BY $orderby LIMIT $min,$downloadsresults", 
$dbi);
- ---

                
http://www.caxa.ru/modules.php?name=Downloads&d_op=search&min=2%20>

       
	[*] Vim index.php... There are a lot.



Patch.
- -------

        There is no patch for this vulnerability. But is easy to add inverted
comas on all numeric values.



Notes.
- ------

        I realy sorprised about PHP-Nuke usage. I can't understand that a
software with PHP-Nuke's security historial may be used. Lot of
vulnerabilty have been discovered on this software in last months, and there
are more bug. 

	Recomandation for PHP-Nuke users: Migrate!

	The are a lot of CMS coded with security in mind, slashcode, scoop (writen in 
perl), postnuke, xsphpcms(nice) (wrinten in php).... and more.



- -- 
- ---------------------------
  Albert Puigsech Galicia

 http://ripe.7a69ezine.org
- ---------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+wV+XwLHT7sE3+RsRAlkJAKCHrMxBRz2loJqPi8kGzFOmAAnN3QCeOhY7
rg1SmIxpzeiM6aaCmMxUdWQ=
=DmRV
-----END PGP SIGNATURE-----

    This archive was generated by hypermail 2b30 : Tue May 13 2003 - 14:42:10 PDT