Bugtraq mailing list archives

Re: NukeSentinel Bypass SQL Injection & Nuke Evolution <= 2.0.3 SQL Injections


From: technocrat () nuke-evolution com
Date: 7 May 2007 18:53:22 -0000

Perhaps you did not report this to me first (or at all) because, if you had, I would have told you how these do not work and how you were wrong, which I guess would mean that you could not post this.  It is the only explanation I can come up with.

There is no excuse for not contacting an author before posting one of these.  I am totally accessible through numerous channels of contact on the Evolution site.  Please contact me first next time.

Now to point out the mistakes you made in this post.

With the exception of News/read_article.php, all of the lines have been fixed or removed since v2.0.0 Final.  That said, <= v2.0.0 Final is no longer available from us and we have told everyone to upgrade since late last year.  It (<= v2.0.0) was completely deprecated on Feb 28th of this year.  Even so, the security features protect the older site from having any of these work.  Hence why I will not fix any of these but the read_article.

But in effort to be fair (even though you were not) I will go over each point you have made.

Bug 1 (the sentinel bypass) will not work, and has not worked in any version of Evo.  If you look at the st_clean_string function in that file you will see "%2f" gets changed to "%20" in any lines before it is checked for UNION or CLIKE.

Testing your example in all versions of Evo resulted in a block from sentinel and no data getting passed back.  Even 
the live headers do not show a valid hack.

If you were to disable Sentinel, it still doesn't work.  If you look in the db layer you will see each query gets 
checked for a UNION before being executed.  If a UNION is found it is broken up.  So again your exploit does not work.

If you disable both sentinel and the db layer security, only then will any of the examples you gave work.  In order to do this you have to manually remove the sentinel include and the union checking function in the db layer.

Your_Account/index.php - Has been fixed since v2.0.0 RC2 (which is also deprecated) by:
$username = Fix_Quotes($_REQUEST['username']);

News/read_article.php - Your only semi-valid point, and it will be fixed in the next release.  Though, as stated before, it is not exploitable unless both layers of security have been manually removed.

Donate/index.php - This module was completely removed in v2.0.0 RC1 (which is also deprecated).

Please feel free to contact me if you feel that I am wrong or have any other information.
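The layered checks the reply describes, modelled as an added example that is not Nuke Evolution's own code: an assumed sentinel-style filter that maps "%2f" to "%20" before looking for UNION or CLIKE, an assumed db-layer guard that breaks up any UNION, and, for contrast, a parameterised query that needs neither layer. The stories table, the inputs and all function names are constructed for this demonstration.

```python
import re
import sqlite3
from urllib.parse import unquote

BLOCKED_KEYWORDS = ("UNION", "CLIKE")  # keywords the reply says sentinel checks for

def sentinel_clean(value: str) -> str:
    """Assumed model of st_clean_string: '%2f' becomes '%20', then percent-decode."""
    return unquote(re.sub(r"%2f", "%20", value, flags=re.IGNORECASE))

def sentinel_allows(value: str) -> bool:
    """Layer 1: refuse the request if a blocked keyword appears after cleaning."""
    cleaned = sentinel_clean(value).upper()
    return not any(re.search(rf"\b{kw}\b", cleaned) for kw in BLOCKED_KEYWORDS)

def db_layer_guard(sql: str) -> str:
    """Layer 2 (assumed model): split any UNION so the statement no longer parses."""
    return re.sub(r"(?i)\bunion\b", "UNI ON", sql)

def lookup_title(conn, sid: str, sentinel: bool = True, dblayer: bool = True):
    """String-built query (the weak pattern) run behind the two optional layers."""
    if sentinel and not sentinel_allows(sid):
        return "blocked by sentinel"
    sql = f"SELECT title FROM stories WHERE sid = {sentinel_clean(sid)}"
    if dblayer:
        sql = db_layer_guard(sql)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:  # a broken-up UNION fails to parse here
        return f"db error: {type(exc).__name__}"

def lookup_title_param(conn, sid: str):
    """Structural fix: a parameterised query, which needs neither layer."""
    rows = conn.execute("SELECT title FROM stories WHERE sid = ?", (sid,))
    return [row[0] for row in rows]

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the news stories table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stories (sid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO stories VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn

if __name__ == "__main__":
    conn = demo_db()
    for sid in ("2", "1%2FUNION%2FSELECT%2F1"):
        print(sid, "->", lookup_title(conn, sid))
    print("sentinel off ->", lookup_title(conn, "1 UNION SELECT 1", sentinel=False))
    print("parameterised ->", lookup_title_param(conn, "1 UNION SELECT 1"))
```

The parameterised variant returns no rows for the same input without relying on either filter, which is why it is the durable fix rather than keyword blocking.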
