SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   PHP-Nuke Vendors:   Phpnuke.org
PHP-Nuke Input Validation Flaw in News Module in 'sid' Parameter Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1017282
SecurityTracker URL:  http://securitytracker.com/id/1017282
CVE Reference:   CVE-2006-6200   (Links to External Site)
Updated:  May 27 2008
Original Entry Date:  Nov 24 2006
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 7.9 and prior versions
Description:   A vulnerability was reported in PHP-Nuke. A remote user can inject SQL commands.

The news module ('/modules/News/index.php') does not properly validate user-supplied input in the 'sid' parameter. If magic_quotes_gpc is disabled, a remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

Paisterist of [N]eo [S]ecurity [T]eam [NST] discovered this vulnerability.

The original advisory is available at:

http://www.neosecurityteam.net/index.php?action=advisories&id=30

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpnuke.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PHP-Nuke <= 7.9 News module

/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory 30 - 2006-11-24
--------------------------------------------------------
Program: PHP-Nuke
Homepage: http://www.phpnuke.org
Vulnerable Versions: PHP-Nuke <= 7.9
Risk: Medium
Impact: Medium Risk

-==PHP-Nuke <= 7.9 News module "sid" SQL Injection vulnerabilities==-
---------------------------------------------------------

- Description
---------------------------------------------------------
PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of
 his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive
 web site using databases.

- Tested
---------------------------------------------------------
localhost & many sites

- Vulnerability Description
---------------------------------------------------------

In /modules/News/index.php the "sid" variable is not sanitized correctly. Here is the vulnerable code:

==[ /modules/News/index.php 140-142 ]=============================
[...]
OpenTable();
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_stories WHERE sid='$sid'"));
$row[title] = filter($row[title], "nohtml");
[...]
==[ end /modules/News/index.php ]=================================

That code is in the rate_article() function. The same bug is present at the rate_complete() function in the same file:

==[ /modules/News/index.php 245-246 ]=============================
[...]
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_stories WHERE sid='$sid'"));
$row[title] = filter($row[title], "nohtml");
==[ end /modules/News/index.php ]=================================

magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix
 used for the database tables ("nuke_" by default).

In this way, bypassing the SQL Injection Protection, like using someone like 'UNION/**/' and not ' UNION ' in our sql injections,
 we can get the admin md5 hash by sending a malicious GET request.

==Pseudo-Code Proof of Concept exploit==
<?
/*

Neo Security Team - Pseudo-Code Proof of Concept Exploit
http://www.neosecurityteam.net
Paisterist

*/
set_time_limit(0);
$host="localhost";
$path="/phpnuke/";
$port="80";
$fp = fsockopen($host, $port, $errno, $errstr, 30);

if ($fp) {
    /* we put the GET request on $p variable, with "sid" containing. */

    fwrite($fp, $p);

    while (!feof($fp)) {
        $content .= fread($fp, 4096);
    }

    preg_match("/([a-z0-9]{32})/", $content, $matches);

    if ($matches[0])
    print "<b>Hash: </b>".$matches[0];
}
?>
==Pseudo-Code Proof of Concept exploit==

Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.

- How to fix it? More information?
--------------------------------------------------------

You can found a patch on http://www.neosecurityteam.net/foro/

Also, you can modify add in the /index.php file some like this:

$sid = ($_GET['sid']) ? intval($_GET['sid']) : intval($_POST['sid']);

That's a momentary solution to the problem. I recommend to download the PHP-Nuke 8.0 version in the next days... it is not 
free at the moment.

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=30

- Credits
--------------------------------------------------------
News module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
NitRic
LINUX
nitrous
m0rpheus
nikyt0x
KingMetal
Knightmare

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC