Re: PHP Nuke <= 7.8 Multiple SQL Injections

From: Matthias Jim Knopf (jim_at_users.de)
Date: 09/16/05

Date: Fri, 16 Sep 2005 00:44:38 +0200 (MEST)
To: Paul Laudanski <zx@castlecops.com>
Next message: Paul Laudanski: "Re: PHP Nuke <= 7.8 Multiple SQL Injections"

What do you gain from that? In what way would you think your advice did
ANYTHING GOOD?
You neither issued an "addslashes()" call, as appropriate for SQL commands,
nor did you explain why a variable set by a POST or a COOKIE could be
worse than anything you could give any URL by appending '?name=...' or
'&name=...' (-> GET vars).

Greetings, Matthias "jim" Knopf

-- 
GPG/PGP encrypted mails welcome!
Windose Milenium Bug
> > PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
> > These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
> > 
> > In the modules.php
> > 
> > $result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");
> > 
> > The $name variable is not checked, so you could inject malicious SQL code. In a file which is included we have the following code:
[...]
> The $name variable and others like $sid are expected via $_GET and not 
> $_POST.  The proper start to sanitizing the data here is to ensure that 
> $name is obtained via $_GET and not injected by $_POST, $_COOKIE, or 
> anything else.
[...]
> To be specific, find the modules.php file and check for the first instance 
> of "$name".  An example:
> 
> "if (isset($name)) {"
> 
> Prior to that, simply put in such a line:
> 
> $name = $_GET['name'];

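Added example to illustrate the point argued in this exchange; it is not code from PHP-Nuke or from either poster. It takes the modules.php query quoted in the advisory with $name interpolated directly, puts the addslashes() escaping Matthias mentions and a prepared statement beside it, and feeds all three the same payload arriving through $_GET, the source Paul's "$name = $_GET['name'];" line restricts $name to. It assumes PHP with the pdo_sqlite extension; the nuke_modules rows and the payload are constructed for the demonstration, and the function names lookupVulnerable, lookupEscaped and lookupPrepared are chosen here.

```php
<?php
// Added example, not PHP-Nuke code: the advisory's query with $name
// interpolated, beside an escaped and a parameterised version, all driven
// by a payload that arrives via $_GET. Assumes the pdo_sqlite extension;
// the table rows and the payload are constructed for the demonstration.

$prefix = 'nuke';
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE {$prefix}_modules (title TEXT, active INTEGER, view INTEGER)");
$db->exec("INSERT INTO {$prefix}_modules VALUES ('News', 1, 0), ('Your_Account', 1, 1)");

// 1. The query from the advisory: $name goes straight into the SQL string,
//    so a quote in it ends the literal and the rest becomes SQL.
function lookupVulnerable(PDO $db, string $prefix, string $name): array
{
    $sql = "SELECT active, view FROM {$prefix}_modules WHERE title='$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The addslashes() fix Matthias refers to. It closes the hole only when
//    the database treats a backslash as an escape inside a string literal
//    (MySQL does; SQLite, used here, does not, so this version still fails).
function lookupEscaped(PDO $db, string $prefix, string $name): array
{
    $safe = addslashes($name);
    $sql = "SELECT active, view FROM {$prefix}_modules WHERE title='$safe'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. A prepared statement: the value travels separately from the SQL text,
//    so no quoting rule of any database has to be matched by hand.
function lookupPrepared(PDO $db, string $prefix, string $name): array
{
    $stmt = $db->prepare("SELECT active, view FROM {$prefix}_modules WHERE title = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The payload comes in through the query string, i.e. through $_GET, which is
// exactly the source "$name = $_GET['name'];" restricts $name to. Restricting
// the source therefore changes nothing about the injection.
// (Constructed here; in a real request PHP fills $_GET from "?name=...".)
$_GET['name'] = "' OR 1=1 --";
$name = $_GET['name'];

printf("vulnerable: %d rows\n", count(lookupVulnerable($db, $prefix, $name)));
printf("addslashes: %d rows\n", count(lookupEscaped($db, $prefix, $name)));
printf("prepared:   %d rows\n", count(lookupPrepared($db, $prefix, $name)));
```

Run it with `php example.php`. The interpolated query returns every module row because the payload has turned the WHERE clause into `title='' OR 1=1 --'`; the prepared statement returns none, since it looks for a module literally titled `' OR 1=1 --`. The addslashes() version also returns every row under SQLite, whose string literals do not treat a backslash as an escape; under MySQL, whose literals do, it would return none. That dependence on the database's quoting rule is why the prepared statement is the fix to prefer, and in either case the check for which superglobal $name came from is beside the point.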
