phpnukeSQL.txt

phpnukeSQL.txt: Posted Feb 10, 2004; Authored by Pokleyzz; PHPNuke versions greater than 6.9 are susceptible to SQL injection attacks that allow a remote attacker to get an administrator's hash to achieve to administrator access.; tags | advisory, remote, sql injection; SHA-256 | 196be36424aa5fc3b4254f4bdc25f86db3c950d389530996b6ecc6b6df1a2e7e; Download | Favorite | View

phpnukeSQL.txt

Products: PHPNuke 6.9 > (posibbly 7.x) (http://www.phpnuke.org)
Date: 10 February 2004
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
    shaharil_at_scan-associates.net
    munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: PHPNuke 6.9 > and below (posibbly 7.x) SQL Injection in multiple 
module.

Description
===========
PHPNuke is most popular content management system written in PHP with SQL 
database
backend.

Details
=======
There is multiple SQL injection in multiple PHPNuke module which allow 
attacker
to get "admin hash" and gain admin access to PHPNuke Website.

1) SQL Injection in Search module
---------------------------------
There is SQL injection in $category variable when performing search in 
PHPNuke site.
This vulnerability have been disclose in "Hack In the Box Security 
Conference 2003"
(http://hackinthebox.org) on  (December 12th - 14th 2003). It is proofed 
to be
exploitable in any version of MySQL database. The affected code is on line 
168 in
in index.php from Search module.

167    if ($category > 0) {
168        $categ = "AND catid=$category ";
169    } elseif ($category == 0) {

One of the table which is selected in this "SELECT" query is nuke_authors 
table. This can
be use to determine admin hash by guesting whether certain query is true 
or false with search result for MySQL 3.

Quick Solution
--------------
Disable Search Module from Admin control panel.

2) SQL Injection in Web_links module
------------------------------------
Multiple function is vulnerable to SQL injection in $admin variable. This 
encoded variable
is not sanitize after decoded to be use for SQL query. With crafted query 
user can guest
admin hash with the available of "edit" link if the query is success. 
Proof of concept is
provided for this vulnerability. It's required at least one link in 
Web_Links module for
exploitation to be success.

Quick Solution
--------------
Disable Web_Links Module from Admin control panel.


Vendor Response
===============
We have try our best to get vendor contact but seem not found any security 
contact. :-)

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

phpnukeSQL.txt

phpnukeSQL.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpnukeSQL.txt

Share This

phpnukeSQL.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems