PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
From: programmer@xxxxxxxxxxxxxxx
Date: 17 Apr 2007 12:42:56 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection 
vulnerabilities

________________________
PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: All version
BUG: PHP Nuke <= 8.0.0.3.3b Bypass SQL Injection Protection and SQL Injections 
vulnerabilities
AUTHOR: Aleksandar
________________________




Let's look at source code from mainfile.php line 435
__________________________________________

  //Union Tap
  //Copyright Zhen-Xjell 2004 http://nukecops.com
  //Beta 3 Code to prevent UNION SQL Injections
  unset($matches);
  unset($loc);
  if(isset($_SERVER['QUERY_STRING'])) {
    if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", 
rawurldecode($loc=$_SERVER['QUERY_STRING']), $matches)) {
      die('Illegal Operation 1');
    }
  }
  if(!isset($admin) OR (isset($admin) AND !is_admin($admin))) {
    $queryString = $_SERVER['QUERY_STRING'];
        if (($_SERVER['PHP_SELF'] != "/index.php") OR !isset($url))
        {
           if (stristr($queryString,'http://')) die('Illegal Operation 2');
        }
    if ((stristr($queryString,'%20union%20')) OR (stristr($queryString,'/*')) 
OR (stristr($queryString,'*/union/*')) OR (stristr($queryString,'c2nyaxb0')) OR 
(stristr($queryString,'+union+'))  OR ((stristr($queryString,'cmd=')) AND 
(!stristr($queryString,'&cmd'))) OR ((stristr($queryString,'exec')) AND 
(!stristr($queryString,'execu'))) OR (stristr($queryString,'concat'))) {
      die('Illegal Operation 3');
    }
  }__________________________________________

So we can se different filters. :)

Let?s start whit a testing:

TEST 1
http://localhost/nuke/?/*
So we will se this message: Illegal Operation 3

TEST 2
http://localhost/nuke/?%2f*

Yeah - we got through :)

TEST 3
http://localhost/?%20UNION%20SELECT
 
Illegal Operation 1

TEST 4
http://localhost:8080/html80/?%2f**/UNION%2f**/SELECT ..

Yeah - we got through :)




PATCH:
__________________________________________

if ((stristr($queryString,'%20union%20')) OR (stristr($queryString,'*%2f*')) OR 
(stristr($queryString,'/*')) OR (stristr($queryString,'*/union/*')) OR 
(stristr($queryString,'c2nyaxb0')) OR (stristr($queryString,'+union+'))  OR 
((stristr($queryString,'cmd=')) AND (!stristr($queryString,'&cmd'))) OR 
((stristr($queryString,'exec')) AND (!stristr($queryString,'execu'))) OR 
(stristr($queryString,'concat'))) {
      die('Illegal Operation');
    }
__________________________________________



Multiple SQL Injection vulnerability in Web_Links, News and Download module



+++++++++++++++++++++++++++

PHP.ini
Magic Quotes = OFF 
Register Global = ON
+++++++++++++++++++++++++++


Now Let's look at source code from Web_Links/index.php:

Vulnerability function

function viewlinkcomments($lid) {
        global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
        include("header.php");
        include("modules/$module_name/l_config.php");
        menu(1);
        $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM 
".$prefix."_links_links WHERE lid='$lid'")); // BUG ---> $lid
              $ttitle = filter($row['title'], "nohtml");
        $lid = intval(trim($lid)); //WTF?<===== lol ??????????????? :):):):):)
        echo "<br>";
...


How to fix:

Add $lid = intval(trim($lid)); before $row = 
$db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links 
WHERE lid='$lid'")); 

___________________________________________
function viewlinkcomments($lid) {
        global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
        include("header.php");
        include("modules/$module_name/l_config.php");
        menu(1);
            $lid = intval(trim($lid)); // FIX
        $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM 
".$prefix."_links_links WHERE lid='$lid'")); 
              $ttitle = filter($row['title'], "nohtml");
        //$lid = intval(trim($lid)); // REMOVE THIS LINE !!!!!!!
        echo "<br>";
...
__________________________________________________

Vulnerability Functions:

function viewlinkcomments($lid) {
function viewlinkeditorial($lid){
function viewlinkcomments($lid){
function ratelink($lid, $user) {

The "$lid" variable isn't filtered, so if we bypass the sql injection 
protection we can execute arbitrary sql commands.

SQL Injection vulnerability in Downloads
Vulnerability Functions:

function viewdownloadeditorial($lid) {
function viewdownloadcomments($lid) {
function ratedownload($lid, $user) {

The "$lid" variable isn't filtered , so if we bypass the sql injection 
protection we can execute arbitrary sql commands.


SQL Injection vulnerability in News
Vulnerability Function:

function rate_complete($sid, $rated=0, $score) {

The "$sid" variable isn't filtered , so if we bypass the sql injection 
protection we can execute arbitrary sql commands.

Best Regards
Aleksandar
Programmer and Web Developer

Follow-Ups:
- Re: PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
  - From: Paul Laudanski

Prev by Date: Netsprint Toolbar 1.1 arbitrary remote code vulnerability
Next by Date: Remot File Include In Script phphd_downloads
Previous by thread: Re: Netsprint Toolbar 1.1 arbitrary remote code vulnerability
Next by thread: Re: PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
Index(es):
- Date
- Thread