Re: ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6

To: Gerardo Astharot Di Giacomo <astharot@xxxxxxxxxx>
Subject: Re: ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6
From: Paul Laudanski <zx@xxxxxxxxxxxxxx>
Date: Sat, 26 Mar 2005 13:33:25 -0500 (EST)
Cc: bugs@xxxxxxxxxxxxxxxxxxx, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <moderators@xxxxxxxxx>, <news@xxxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>, <vulnwatch@xxxxxxxxxxxxx>
In-reply-to: <20050326171748.27132.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

On 26 Mar 2005, Gerardo Astharot Di Giacomo wrote:
> Product: NukeBookmarks .6
> URL: http://nukebookmarks.sourceforge.net/

> 1) Full path disclosure
> It's possible to retrieve the full installation URL of the website. In 
> "marks.php" file, there are some queries to the database. If some parameters 
> miss or some strange characters are submitted, the functions that get results 
> from the database will return an error.

I can understand how full path disclosure can be an issue, however, in a 
production environment the PHP settings to display errors ought to be 
disabled.  As such, full path disclosure goes away.

> 3) SQL Injection
> It's possible to get any content from the database by exploiting a SQL 
> Injection vulnerability in "marks.php" file.
> 
> This example will get the list of PHPNuke authors and the relative hashes of 
> the passwords.

That is true if the default table names are used.  However it would be 
worth noting that with any web presence that uses a backend database, the 
prefix ought to be changed to something random and non-default.

Does this completely solve the issue, of course not, but it can stop the 
script kiddy attacks.  For more on this:

http://unixwiz.net/techtips/sql-injection.html

Thanks for the disclosure.

-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com

References:
- ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6
  - From: Gerardo Astharot Di Giacomo

Prev by Date: Buffer-overflow in Tincat 2 minor than 2.0.28 (Sacred, Settlers 5 and others)
Next by Date: Multiple sql injection, and xss vulnerabilities in Vladersoft Shopping Cart v.3.0
Previous by thread: ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6
Next by thread: AS/400 LDAP user accounts disclosure
Index(es):
- Date
- Thread