PHP-Nuke SQL Filter Bypass and SQL Injection Vulnerabilities

Posted on Saturday, April 21, 2007 @ 02:57:23 PDT in Security
by raven

SECUNIA ADVISORY ID: SA24949

VERIFY ADVISORY: http://secunia.com/advisories/24949/

CRITICAL: Moderately critical

IMPACT: Security Bypass, Manipulation of data, Exposure of sensitive information

WHERE: >From remote

SOFTWARE: PHP-Nuke 7.x - http://secunia.com/product/2385/

DESCRIPTION: Aleksandar has discovered some vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks and to bypass certain security restrictions.

1) The product's SQL injection filter checks for the string "/*" but not for the URL-encoded version "%2f%2a". This can be exploited to bypass the SQL injection filter.

2) Input passed to the "lid" parameter through modules.php to modules/Web_Links/index.php (when "l_op" is set to "viewlinkcomments", "viewlinkeditorial", or "ratelink") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieving administrator password hashes, but requires that "magic_quotes_gpc" is disabled, and that the attacker has knowledge of the database table prefix.

3) Input passed to the "lid" parameter through modules.php to modules/Downloads/index.php (when "d_op" is set to "viewdownloadeditorial", "viewdownloadcomments", or to "ratedownload") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieving administrator password hashes, but requires that "magic_quotes_gpc" is disabled, and that the attacker has knowledge of the database table prefix.

The vulnerabilities are confirmed in version 7.9. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly sanitised and that the SQL injection filter checks for both normal and URL-encoded versions of dangerous strings.

Set "magic_quotes_gpc" in php.ini to On.

Use another product.

PROVIDED AND/OR DISCOVERED BY:Aleksandar
Note:
Please note that RavenNuke(tm) is not affected by this exploit. We also could not recreate it if your site is protected by NukeSentinel(tm)
 
 
click Related        click Share
 
 

Re: PHP-Nuke SQL Filter Bypass and SQL Injection Vulnerabilities (Score: 1)
by wiz on Saturday, April 21, 2007 @ 12:43:32 PDT

(User Info | Send a Message) http://sasclan.org

Nice note on the end

 
News ©

Site Info v2.2.2

Last SeenLast Seen
Server TrafficServer Traffic
  • Total: 361,917,130
  • Today: 31,360
Server InfoServer Info
  • Jul 19, 2018
  • 06:42 am PDT
 
 

Daily Inspiration