PHP-Nuke *cat* Old Articles Block SQL Injection

Posted on Wednesday, January 17, 2007 @ 23:28:52 UTC in Security
by Raven

SECUNIA ADVISORY ID: SA23748

VERIFY ADVISORY: http://secunia.com/advisories/23748/

CRITICAL: Moderately critical

IMPACT: Manipulation of data, Exposure of sensitive information

DESCRIPTION: Paisterist has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks.


Input passed to the "cat" parameter through index.php to blocks/block-Old_Articles.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation e.g. allows retrieval of administrator usernames and password hashes, but requires that "register_globals" is enabled, "magic_quotes_gpc" is disabled, and the attacker knows the prefix for the database tables. The vulnerability is confirmed in version 7.9. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly sanitised. Use another product.

PROVIDED AND/OR DISCOVERED BY: Paisterist

ORIGINAL ADVISORY: http://www.neosecurityteam.net/advisories/PHP-Nuke-7.9-Old-Articles-Block-cat-SQL-Injection-vulnerability-31.html

Re: PHP-Nuke *cat* Old Articles Block SQL Injection (Score: 1)
by Gremmie on Thursday, January 18, 2007 @ 11:56:53 UTC
I looked at the code, and a simple
$cat = intval($cat);
after the global statement should fix that.

However, that begs the question...why does the block rely on some random global variable like $cat? I looked for $cat in mainfile.php and did not find it. I think that block is using several other globals that aren't defined anywhere. Could it be this block is really old and was not updated? Anyway, I didn't understand where $cat was coming from and all that code that uses it should probably get removed. I cannot recall ever seeing anything that allows the Old Articles block to display old articles from a certain category only.
Re: PHP-Nuke *cat* Old Articles Block SQL Injection (Score: 1)
by oprime2001 on Friday, January 19, 2007 @ 11:49:08 UTC
Wouldn't NukeSentinel pick up any attempts to use this vulnerability since phpnuke blocks are required to have been called from index.php which in itself requires mainfile.php which ultimately calls NukeSentinel security procs and such? Or am I mistaken?

Thanks.

Re: PHP-Nuke *cat* Old Articles Block SQL Injection (Score: 1)
by Gremmie on Friday, January 19, 2007 @ 14:25:12 UTC

Well Sentinel would pick up on things like UNION SQL Injections, etc. But even with Sentinel present you would still want the block to sanitize its inputs. A malicious user could still do weird stuff to your database.

Re: PHP-Nuke *cat* Old Articles Block SQL Injection (Score: 1)
by oprime2001 on Friday, January 19, 2007 @ 15:14:42 UTC

No flame intended, but how can you say that NukeSentinel would protect against this vulnerability but "weird stuff" could still happen to the database? How?

Are you saying that NukeSentinel would not catch certain hack attempts using this particular vulnerability?

Re: PHP-Nuke *cat* Old Articles Block SQL Injection (Score: 1)
by Gremmie on Friday, January 19, 2007 @ 15:20:43 UTC

You could still exploit this hole with Sentinel present on your system. Google for SQL injection attacks.

If you tried a UNION SQL injection then Sentinel would catch that. But there are other things a malicious person could do that would be undesirable.

Re: PHP-Nuke *cat* Old Articles Block SQL Injection (Score: 1)
by Gremmie on Friday, January 19, 2007 @ 15:37:37 UTC

Here, I hope this helps you understand what SQL injection is:

SQL Injection Article at Wikipedia [en.wikipedia.org].

In general you don't want to use scripts that don't sanitize input from the user. A lot of the old Nuke code doesn't do this. Sentinel will catch some obvious things but it won't catch all manipulations or probes.

In this particular case, all the block had to do was ensure $cat was a number. But in any event, as I noted in an earlier comment, $cat is apparently no longer a global variable in PHP-Nuke. That code appears to be dead code that should be removed from the block.
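An added illustration of the bug shape described in the advisory and of the intval() fix from the comments above. This is not the PHP-Nuke 7.9 block source; the $prefix variable, the _stories table and the catid column are assumptions for the example.

```php
<?php
// Added illustration, not the PHP-Nuke 7.9 block code. $prefix, the
// _stories table and the catid column are assumptions for this example.

// Vulnerable shape: with register_globals on, $cat is whatever arrived in
// the request, and it is dropped into the query string unchanged. With
// magic_quotes_gpc off, any quote characters in $cat reach the SQL too.
function old_articles_sql_vulnerable($prefix, $cat)
{
    $sql = "SELECT sid, title, time FROM {$prefix}_stories";
    if ($cat != '') {
        $sql .= " WHERE catid='$cat'";
    }
    return $sql . " ORDER BY time DESC LIMIT 30";
}

// Hardened shape: read the value explicitly from the request instead of
// relying on register_globals, cast it with intval() so only a leading
// integer survives, and add the clause only for a positive category id.
function old_articles_sql_safe($prefix, array $request)
{
    $cat = isset($request['cat']) ? intval($request['cat']) : 0;
    $sql = "SELECT sid, title, time FROM {$prefix}_stories";
    if ($cat > 0) {
        $sql .= " WHERE catid=" . $cat;
    }
    return $sql . " ORDER BY time DESC LIMIT 30";
}

// Constructed sample requests: a genuine id, a tampered value, and none.
$samples = array(array('cat' => '3'), array('cat' => '3abc'), array());
foreach ($samples as $req) {
    echo old_articles_sql_safe('nuke', $req), "\n";
}
// intval('3abc') is 3, so the second request yields the same
// "WHERE catid=3" clause as the first; the empty request yields no
// WHERE clause at all, which is the only behaviour the block needs.
```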

Maybe forums better arena for discussion rather than comments (Score: 1)
by oprime2001 on Friday, January 19, 2007 @ 16:14:57 UTC

I started this post for further discussion: Protection against all types of SQL injection -- incomplete [ravenphpscripts.com]?
