Bugtraq mailing list archives
Re: PHP Nuke <= 7.8 Multiple SQL Injections
From: Paul Laudanski <zx () castlecops com>
Date: Wed, 14 Sep 2005 00:43:42 -0400 (EDT)
On 12 Sep 2005 r.verton () gmail com wrote:
> Software: PHP Nuke 7.8
> Type: SQL Injections
> Risk: High
>
> PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
>
> In the modules.php:
>
> $result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");
>
> The $name variable is not checked so you could inject malicious SQL code.
>
> In a file which is included we have the following code:
>
> http://www.example.com/modules.php?name=News&file=article&sid=[SQL]
> - here the same as above, send this via POST to bypass the 'union'-cover
>
> http://www.example.com/modules.php?name=News&file=comments&Reply&pid=[SQL]
> http://www.example.com/modules.php?name=News&file=comments&op=Reply&pid=[SQL]
> http://www.example.com/modules.php?name=News&file=comments&op=Reply&sid=[SQL]
The $name variable and others like $sid are expected via $_GET and not $_POST. The proper start to sanitizing the data here is to ensure that $name is obtained via $_GET and not injected by $_POST, $_COOKIE, or anything else.

Since you did two things I'm avidly against:

1) no vendor contact information
2) no suggested patches

I wanted to reply and alert folks who run PHP-Nuke and its forks, since after running a cursory search on some popular PHP-Nuke sites I saw nothing about this: http://en.wikipedia.org/wiki/Php-nuke

About the above suggestion. To be specific, find the modules.php file and check for the first instance of "$name". An example:

if (isset($name)) {

Prior to that, simply put in such a line:

$name = $_GET['name'];

You're forcing the $name variable to be set by the HTTP GET request, rather than injecting a value by a cookie or post ($_COOKIE, $_POST respectively). The same applies to the rest of the code for other variables.

--
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com
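The query quoted in the advisory and the fix suggested in the reply, side by side with a hardened version, as an added example that is not PHP-Nuke's code or either poster's. Restricting the source of $name to $_GET narrows where the value can come from, but the GET value itself still reaches the query unchanged, so the hardened version also validates the value against the shape a module title can have and binds it as a parameter. The $db->sql_query() call and the $prefix table prefix are as quoted in the advisory; the PDO connection, the nuke_modules table contents and the helper function names are constructed for this example.

```php
<?php
// Added example, not PHP-Nuke code. Shows the advisory's vulnerable pattern
// next to a validated, parameterised lookup for the same query.

// --- Vulnerable pattern, as quoted in the advisory ---
// $name is interpolated straight into the SQL string, so a quote character
// in it ends the string literal and the rest is parsed as SQL.
function lookup_module_vulnerable($db, $prefix, $name) {
    return $db->sql_query("SELECT active, view FROM " . $prefix . "_modules WHERE title='$name'");
}

// --- Hardened pattern ---
// 1. Take the value only from the query string (the reply's suggestion).
// 2. Reject anything that is not shaped like a module title before it
//    gets anywhere near SQL.
// 3. Bind the value as a parameter so the database never parses it as SQL.

// Hypothetical helper: returns the validated module name or null.
function read_module_name(array $get): ?string {
    if (!isset($get['name']) || !is_string($get['name'])) {
        return null;
    }
    $name = $get['name'];
    // Module titles are identifiers such as "News" or "Your_Account";
    // a quote, space or semicolon can never be a legitimate title.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        return null;
    }
    return $name;
}

// Hypothetical helper: the same SELECT with the title bound as a parameter.
function lookup_module_safe(PDO $pdo, string $prefix, string $name): ?array {
    // The table prefix comes from configuration, not the request, but
    // identifiers cannot be bound, so it is still restricted to safe characters.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $stmt = $pdo->prepare("SELECT active, view FROM {$prefix}_modules WHERE title = :title");
    $stmt->execute([':title' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Numeric ids such as $sid and $pid get the same treatment: validate the
// type and range, then bind. Hypothetical helper.
function read_int_param(array $get, string $key): ?int {
    if (!isset($get[$key])) {
        return null;
    }
    $v = filter_var($get[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Self-contained run against an in-memory SQLite database (constructed
// here for the example; PHP-Nuke itself ran on MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE nuke_modules (title TEXT, active INTEGER, view INTEGER)");
$pdo->exec("INSERT INTO nuke_modules VALUES ('News', 1, 0), ('Your_Account', 1, 1)");

// Constructed request inputs: a legitimate title and one containing a quote.
$good = ['name' => 'News'];
$bad  = ['name' => "News'"];

var_dump(read_module_name($good));                   // accepted
var_dump(read_module_name($bad));                    // rejected before any query runs
var_dump(lookup_module_safe($pdo, 'nuke', 'News'));  // row for the News module
var_dump(read_int_param(['sid' => '42'], 'sid'));    // accepted as an integer
var_dump(read_int_param(['sid' => '42x'], 'sid'));   // rejected, not an integer
```

The allow-list check on $name is the part that matters most for the quoted query: it fails closed on any request value that is not a plain identifier, regardless of whether that value arrived via GET, POST or a cookie. Parameter binding then protects the query even if a future change widens what titles are allowed. The same two steps apply to every other request variable the advisory lists.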
Current thread:
- PHP Nuke <= 7.8 Multiple SQL Injections r . verton (Sep 12)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 15)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Matthias Jim Knopf (Sep 16)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 16)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Daniel Bonekeeper (Sep 19)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 19)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections hans (Sep 19)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Matthias Jim Knopf (Sep 16)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 15)
- <Possible follow-ups>
- Re: PHP Nuke <= 7.8 Multiple SQL Injections evaders99 (Sep 15)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 16)