SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Forum/Board/Portal)  >   PHP-Nuke Vendors:   Phpnuke.org
PHP-Nuke Input Validation Flaw in 'block-Old_Articles.php' Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1017511
SecurityTracker URL:  http://securitytracker.com/id/1017511
CVE Reference:   CVE-2007-0309   (Links to External Site)
Updated:  May 19 2008
Original Entry Date:  Jan 15 2007
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 7.9 and prior versions
Description:   A vulnerability was reported in PHP-Nuke. A remote user can inject SQL commands.

The '/blocks/block-Old_Articles.php' script does not properly validate user-supplied input in the 'cat' parameter. If register_globals is enabled, a remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

Paisterist of [N]eo [S]ecurity [T]eam [NST] discovered this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpnuke.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  13 Jan 2007 09:53:55 -0000
Subject:  PHP-Nuke <= 7.9 Old-Articles Block

/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory 31 - 2007-01-13
--------------------------------------------------------
Program: PHP-Nuke
Homepage: http://www.phpnuke.org
Vulnerable Versions: PHP-Nuke <= 7.9
Risk: Medium
Impact: Medium Risk

-==PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability==-
---------------------------------------------------------

- Description
---------------------------------------------------------
PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of
 his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive
 web site using databases.

- Tested
---------------------------------------------------------
localhost & many sites

- Vulnerability Description
---------------------------------------------------------

In /blocks/block-Old_Articles.php the "cat" variable is not sanitized correctly. Here is the vulnerable code:

==[ /blocks/block-Old_Articles.php 33-40 ]=========================
if ($categories == 1) {
   	$querylang = "where catid='$cat'";
    } else {
	$querylang = "";
	if ($new_topic != 0) {	
	    $querylang = "WHERE topic='$new_topic'";
	}
    }
==[ end /blocks/block-Old_Articles.php 33-40 ]=====================


Note that register_globals must be On, because the "cat" variable is not defined anywhere. Also, the $querylang variable is 
used after to get some database data:

==[ /blocks/block-Old_Articles.php 49 ]=============================
[...]
$result = $db->sql_query("SELECT sid, title, time, comments FROM ".$prefix."_stories $querylang ORDER BY time DESC LIMIT $storynum,
 $oldnum");
[...]
==[ end /blocks/block-Old_Articles.php 49]==========================


Then we have a link that contains the data taken from the database:

==[ /blocks/block-Old_Articles.php 94-97-101]=======================
[...]
$boxstuff .= "<tr><td valign=\"top\"><strong><big>&middot;</big></strong></td><td> <a href=\"modules.php?name=News&amp;file=article&amp;sid=$sid$r_options\">$title</a>
 $comments</td></tr>\n";
==[ end /blocks/block-Old_Articles.php 94-97-101 ]==================


So, in resume, if we set "categories" var to 1 by the GET method and then we set "cat" (also by the GET method) to a malicio
us sql code, we can get easily the admin data with a UNION statement. If you don't how to bypass the PHP-Nuke SQL Protection
 just read this advisory: 
http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-SQL-Injection-and-Bypass-SQL-Injection-Protection-vulnerabilities-27.html

magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix
 used for the database tables ("nuke_" by default).

==Pseudo-Code Proof of Concept exploit==
<?
/*

Neo Security Team - Pseudo-Code Proof of Concept Exploit
PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability

http://www.neosecurityteam.net
Paisterist

*/
set_time_limit(0);
$host="localhost";
$path="/phpnuke/";
$port="80";
$fp = fsockopen($host, $port, $errno, $errstr, 30);

if ($fp) {
    /* we put the GET request on $p variable, with "cid" with the malicious code and "categories" set to 1. */

    fwrite($fp, $p);

    while (!feof($fp)) {
        $content .= fread($fp, 4096);
    }

    preg_match("/([a-z0-9]{32})/", $content, $matches);

    if ($matches[0])
    print "<b>Hash: </b>".$matches[0];
}
?>
==Pseudo-Code Proof of Concept exploit==

Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.

- How to fix it? More information?
--------------------------------------------------------

You can found a patch on http://www.neosecurityteam.net/foro/

Also, you can modify the source code adding in the /index.php file some like this:

$cat = ($_GET['cat']) ? filter($_GET['cat'], "nohtml") : '';

That's a momentary solution to the problem. I recommend to get the PHP-Nuke 8.0 version.

- References
--------------------------------------------------------
http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-Old-Articles-Block-cat-SQL-Injection-vulnerability-31.html
http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-SQL-Injection-and-Bypass-SQL-Injection-Protection-vulnerabilities-27.html


- Credits
--------------------------------------------------------
Old-Articles Block SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
HaCkZaTaN, K4P0, Daemon21, Link, 0m3gA_x, NitRic, LINUX, nitrous, m0rpheus, nikyt0x, KingMetal, Knightmare and the NST community.

Latinoamerica EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC