Re: PHP-Nuke SQL Injection Vulnerability

[Predrag Damnjanovic <bugtraq () zastita co yu>]

David Endler wrote:
> If the attacker's UID is 2, he or she can then launch the attack by
> requesting the following URL:
>
> modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=
> no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*
> [...]
>   +--[ bio          = '\',

Well, this is impossible if "magic_quotes_gpc" is ON, because %5c will be 
passed as \\ , not as \ .
Then we have:
bio          = '\\',
and SQL injection is apsoluty impossible.

I really don't know why PHP-Nuke not check magic_quotes.

In my PHP engine first task is checking 'magic_quotes', and if it is OFF, then 
simply turn it ON:
if (get_magic_quotes_gpc()==0) set_magic_quotes_runtime (1);

This line should be at the top of init script of every PHP engine.

P.S. 'magic_quotes' is by default ON on many web-hosting servers, so I think 
that this vulnerability will not affect all sites with PHP nuke.
...except if PHP Nuke explicitly turn magic_quotes off ?!?

Regards,
Predrag Damnjanovic