PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL Injection vulnerability

2006.11.07
Credit: Paisterist
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

/* -------------------------------------------------------- [N]eo [S]ecurity [T]eam [NST] - Advisory 29 - 2006-10-31 -------------------------------------------------------- Program: PHP-Nuke Homepage: http://www.php.net Vulnerable Versions: PHP-Nuke <= 7.9 Risk: Medium Impact: Medium Risk -==PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL Injection vulnerability==- --------------------------------------------------------- - Description --------------------------------------------------------- PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases. - Tested --------------------------------------------------------- localhost & many sites - Vulnerability Description --------------------------------------------------------- In /modules/Journal/search.php the "forwhat" variable is not sanitized correctly. Here is the vulnerable code: ==[ /modules/Journal/search.php 125-136 ]========================== [...] if ($bywhat == 'aid'): if ($exact == '1') { $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.aid='$forwhat' order by j.jid DESC"; } else { $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.aid like '%$forwhat%' order by j.jid DESC"; } elseif ($bywhat == 'title'): $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.title like '%$forwhat%' order by j.jid DESC"; elseif ($bywhat == 'bodytext'): $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.bodytext LIKE '%$forwhat%' order by j.jid DESC"; elseif ($bywhat == 'comment'): $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u, ".$user_prefix."_journal_comments c WHERE u.username=j.aid and c.rid=j.jid and c.comment LIKE '%$forwhat%' order by j.jid DESC"; endif; [...] ==[ end /modules/Journal/search.php ]============================== magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix used for the database tables ("nuke_" by default). In this way, bypassing the SQL Injection Protection, like using someone like '/**/UNION ' and not ' UNION ' in our sql injections, we can get the admin md5 hash without any problems. ==Pseudo-Code Proof of Concept exploit== <? /* Neo Security Team - Pseudo-Code Proof of Concept Exploit http://www.neosecurityteam.net Paisterist */ set_time_limit(0); $host="localhost"; $path="/phpnuke/"; $port="80"; $fp = fsockopen($host, $port, $errno, $errstr, 30); $data=""; /* Here the variables, like "bywhat" and "forwhat", with the SQL Injection */ if ($fp) { /* we put the POST request on $p variable, sending the data saved on $data. */ fwrite($fp, $p); while (!feof($fp)) { $content .= fread($fp, 4096); } preg_match("/([a-zA-Z0-9]{32})/", $content, $matches); if ($matches[0]) print "<b>Hash: </b>".$matches[0]; } ?> ==Pseudo-Code Proof of Concept exploit== Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table. - How to fix it? More information? -------------------------------------------------------- You can found a patch on http://www.neosecurityteam.net/foro/ Also, you can modify the line 61 of /modules/Journal/search.php, adding slashes before the simple quotes with the addslashes() function: ==[ /modules/Search/index.php 59-62 ]========================== [...] else : $forwhat = filter($forwhat, "nohtml"); $forwhat = addslashes(filter($forwhat, "nohtml")); endif; [...] ==[ end /modules/Search/index.php ]============================== That's a momentary solution to the problem. I recommend to download the PHP-Nuke 8.0 version in the next days... it is not free at the moment. - References -------------------------------------------------------- http://www.neosecurityteam.net/index.php?action=advisories&id=29 - Credits -------------------------------------------------------- Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com [N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/ - Greets -------------------------------------------------------- HaCkZaTaN K4P0 Daemon21 Link 0m3gA_x LINUX nitrous m0rpheus nikyt0x KingMetal Knightmare Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!! @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@ @@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ /* EOF */


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top