
Re: NukeSentinel Bypass SQL Injection & Nuke Evolution <= 2.0.3 SQL Injections



Perhaps you did not report this to me first (or at all) because if you had I 
would have told you how these do not work and how you were wrong.  Which I 
guess would mean that you could not post this.  It is the only explanation I 
can come up with.

There is no excuse for not contacting an author before posting one of these.  I 
am totally accessible through numerous channels of contact on the Evolution 
site.  Please contact me first next time.

Now to point out the mistakes you made in this post.

With the exception of News/read_article.php all of the lines have been fixed or 
removed since v2.0.0 Final.  That said <= v2.0.0 Final is no longer 
available from us and we have told everyone to upgrade to it since late last 
year.  It (<= v2.0.0) was completely deprecated on Feb 28th of this year.  
Even so the security features protect the older site from having any of these 
work.  Hence why I will not fix any of these but the read_article.

But in effort to be fair (even though you were not) I will go over each point 
you have made.

Bug 1 (the sentinel bypass) will not work, and has not worked in any version of 
Evo.  If you look at the st_clean_string function in that file you will see 
"%2f" gets changed to "%20" in any lines before it is checked for UNION or 
CLIKE.  

Testing your example in all versions of Evo resulted in a block from sentinel 
and no data getting passed back.  Even the live headers do not show a valid 
hack.

If you were to disable Sentinel, it still doesn't work.  If you look in the db 
layer you will see each query gets checked for a UNION before being executed.  
If a UNION is found it is broken up.  So again your exploit does not work.

If you disable both sentinel and the db layer security, only then will any of 
the examples you gave work.  In order to do this you have to manually 
remove the sentinel include and the union checking function in the db layer.

Your_Account/index.php - Has been fixed since v2.0.0 RC2 (which is also 
deprecated) by:
$username = Fix_Quotes($_REQUEST['username']);

News/read_article.php - Your only semi-valid point, and it will be fixed in the 
next release.  Though, as stated before, it is not exploitable unless both layers of 
security have been manually removed.

Donate/index.php - This module was completely removed in v2.0.0 RC1 (which is 
also deprecated).

Please feel free to contact me if you feel that I am wrong or have any other 
information.