Products: PHPNuke 6.9 > (posibbly 7.x) (http://www.phpnuke.org) Date: 10 February 2004 Author: pokleyzz Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net URL: http://www.scan-associates.net Summary: PHPNuke 6.9 > and below (posibbly 7.x) SQL Injection in multiple module. Description =========== PHPNuke is most popular content management system written in PHP with SQL database backend. Details ======= There is multiple SQL injection in multiple PHPNuke module which allow attacker to get "admin hash" and gain admin access to PHPNuke Website. 1) SQL Injection in Search module --------------------------------- There is SQL injection in $category variable when performing search in PHPNuke site. This vulnerability have been disclose in "Hack In the Box Security Conference 2003" (http://hackinthebox.org) on (December 12th - 14th 2003). It is proofed to be exploitable in any version of MySQL database. The affected code is on line 168 in in index.php from Search module. 167 if ($category > 0) { 168 $categ = "AND catid=$category "; 169 } elseif ($category == 0) { One of the table which is selected in this "SELECT" query is nuke_authors table. This can be use to determine admin hash by guesting whether certain query is true or false with search result for MySQL 3. Quick Solution -------------- Disable Search Module from Admin control panel. 2) SQL Injection in Web_links module ------------------------------------ Multiple function is vulnerable to SQL injection in $admin variable. This encoded variable is not sanitize after decoded to be use for SQL query. With crafted query user can guest admin hash with the available of "edit" link if the query is success. Proof of concept is provided for this vulnerability. It's required at least one link in Web_Links module for exploitation to be success. Quick Solution -------------- Disable Web_Links Module from Admin control panel. Vendor Response =============== We have try our best to get vendor contact but seem not found any security contact. :-)