PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability

2007.01.19
Credit: Paisterist
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-0309
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

/* -------------------------------------------------------- [N]eo [S]ecurity [T]eam [NST] - Advisory 31 - 2007-01-13 -------------------------------------------------------- Program: PHP-Nuke Homepage: http://www.phpnuke.org Vulnerable Versions: PHP-Nuke <= 7.9 Risk: Medium Impact: Medium Risk -==PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability==- --------------------------------------------------------- - Description --------------------------------------------------------- PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases. - Tested --------------------------------------------------------- localhost & many sites - Vulnerability Description --------------------------------------------------------- In /blocks/block-Old_Articles.php the "cat" variable is not sanitized correctly. Here is the vulnerable code: ==[ /blocks/block-Old_Articles.php 33-40 ]========================= if ($categories == 1) { $querylang = "where catid='$cat'"; } else { $querylang = ""; if ($new_topic != 0) { $querylang = "WHERE topic='$new_topic'"; } } ==[ end /blocks/block-Old_Articles.php 33-40 ]===================== Note that register_globals must be On, because the "cat" variable is not defined anywhere. Also, the $querylang variable is used after to get some database data: ==[ /blocks/block-Old_Articles.php 49 ]============================= [...] $result = $db->sql_query("SELECT sid, title, time, comments FROM ".$prefix."_stories $querylang ORDER BY time DESC LIMIT $storynum, $oldnum"); [...] ==[ end /blocks/block-Old_Articles.php 49]========================== Then we have a link that contains the data taken from the database: ==[ /blocks/block-Old_Articles.php 94-97-101]======================= [...] $boxstuff .= "<tr><td valign="top"><strong><big>&#183;</big></strong></td><td> <a href="modules.php?name=News&file=article&sid=$sid$r_options">$ title</a> $comments</td></tr>n"; ==[ end /blocks/block-Old_Articles.php 94-97-101 ]================== So, in resume, if we set "categories" var to 1 by the GET method and then we set "cat" (also by the GET method) to a malicio us sql code, we can get easily the admin data with a UNION statement. If you don't how to bypass the PHP-Nuke SQL Protection just read this advisory: http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-SQL-Injection-an d-Bypass-SQL-Injection-Protection-vulnerabilities-27.html magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix used for the database tables ("nuke_" by default). ==Pseudo-Code Proof of Concept exploit== <? /* Neo Security Team - Pseudo-Code Proof of Concept Exploit PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability http://www.neosecurityteam.net Paisterist */ set_time_limit(0); $host="localhost"; $path="/phpnuke/"; $port="80"; $fp = fsockopen($host, $port, $errno, $errstr, 30); if ($fp) { /* we put the GET request on $p variable, with "cid" with the malicious code and "categories" set to 1. */ fwrite($fp, $p); while (!feof($fp)) { $content .= fread($fp, 4096); } preg_match("/([a-z0-9]{32})/", $content, $matches); if ($matches[0]) print "<b>Hash: </b>".$matches[0]; } ?> ==Pseudo-Code Proof of Concept exploit== Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table. - How to fix it? More information? -------------------------------------------------------- You can found a patch on http://www.neosecurityteam.net/foro/ Also, you can modify the source code adding in the /index.php file some like this: $cat = ($_GET['cat']) ? filter($_GET['cat'], "nohtml") : ''; That's a momentary solution to the problem. I recommend to get the PHP-Nuke 8.0 version. - References -------------------------------------------------------- http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-Old-Articles-Blo ck-cat-SQL-Injection-vulnerability-31.html http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-SQL-Injection-an d-Bypass-SQL-Injection-Protection-vulnerabilities-27.html - Credits -------------------------------------------------------- Old-Articles Block SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com [N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/ - Greets -------------------------------------------------------- HaCkZaTaN, K4P0, Daemon21, Link, 0m3gA_x, NitRic, LINUX, nitrous, m0rpheus, nikyt0x, KingMetal, Knightmare and the NST community. Latinoamerica EXISTS!! @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@ @@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ /* EOF */


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top