PHPNukeEV77.txt

2006-01-09T00:00:00
ID PACKETSTORM:42903
Type packetstorm
Reporter Lostmon
Modified 2006-01-09T00:00:00

Description

###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available: yes   vendor notified: yes
advisory: http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html
################################################  
  
PHPNuke EV 7.7 has a flaw which can be exploited by malicious
people to conduct SQL injection attacks.
  
Input passed to the "query" parameter when performing a search isn't  
properly sanitised before being used in a SQL query. This can be  
exploited to manipulate SQL queries by injecting arbitrary SQL code.  
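A defender-side check for the condition just described, added here as an example and not part of the advisory: it scans web-server access-log lines for requests to the Search module whose URL-decoded "query" parameter has the UNION ... SELECT shape. It assumes the search form submits via GET (so the term is in the request line) and that the log is in combined format; the log lines and the `is_union_probe` function name are constructed for the demo.

```php
<?php
// Added example, not part of the advisory: flag access-log requests to the
// Search module whose decoded "query" carries the UNION ... SELECT shape the
// advisory describes. Assumes the form submits via GET so the term appears in
// the request line, and that the log is in Apache/nginx combined format.

function is_union_probe(string $logLine): bool
{
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return false;
    }
    $parts = parse_url($m[1]);
    if (!isset($parts['query'])) {
        return false;
    }
    // parse_str URL-decodes, so "UNION%20SELECT", "UNION+SELECT" and a literal
    // space all normalise to the same text before the check.
    parse_str($parts['query'], $params);
    if (($params['name'] ?? '') !== 'Search' || !is_string($params['query'] ?? null)) {
        return false;
    }
    // "union" followed later by "select" covers UNION SELECT and UNION ALL SELECT.
    return (bool) preg_match('/\bunion\b.*\bselect\b/is', $params['query']);
}

// Constructed sample lines (203.0.113.0/24 is documentation address space).
$sample = [
    '203.0.113.5 - - [09/Jan/2006:10:00:00 +0000] "GET /modules.php?name=Search&query=linux+kernel HTTP/1.1" 200 5120',
    '203.0.113.5 - - [09/Jan/2006:10:00:07 +0000] "GET /modules.php?name=Search&query=x%27%29+UNION+SELECT+0 HTTP/1.1" 200 4870',
    '203.0.113.9 - - [09/Jan/2006:10:01:12 +0000] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 8012',
];

foreach ($sample as $line) {
    if (is_union_probe($line)) {
        echo "ALERT search-module SQLi probe: $line" . PHP_EOL;
    }
}
```

Only the second sample line is flagged. Because the match runs on the decoded parameter rather than the raw URL, the `%20`-versus-space distinction the advisory's fix handles with two separate checks collapses into one test.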
  
#################  
versions:  
################  
  
PHPNuke EV 7.7 -R1  
  
Prior versions are possibly affected.
  
##################  
solution:  
###################  
  
No solution at this time!!!  
  
A possible fix:
  
Open file modules/Search/index.php and after this code:  
------------------------------------  
require_once("mainfile.php");  
$instory = '';  
$module_name = basename(dirname(__FILE__));  
get_lang($module_name);  
----------------------------------------------  
  
add the following:
  
------------------------------------  
  
// Reject the request if the "query" value carries the injection signature
if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
die();
}
----------------------------------------------  
This is a "simple fix": it only detects the UNION SELECT command and dies
if it appears in the query variable. You can write the same check for
UNION ALL SELECT or other variants of the exploit.
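The keyword check above stops the one signature it names, and `eregi()` it relies on was removed in PHP 7. The fix a practitioner would actually want is to keep user input out of the SQL text altogether. The following is an added example, not code from the advisory or from PHPNuke EV: a search written with a PDO prepared statement, shown beside the concatenation pattern the advisory describes. The in-memory SQLite table, its rows and the column names are constructed for the demo, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the advisory or from PHPNuke EV: the same search
// implemented with a prepared statement so "query" can never alter the SQL.
// Table and rows below are constructed for the demo; column names are assumed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE nuke_stories (sid INTEGER PRIMARY KEY, title TEXT, hometext TEXT)");
$ins = $db->prepare("INSERT INTO nuke_stories (title, hometext) VALUES (?, ?)");
foreach ([
    ['PHPNuke EV 7.7 released', 'New module set'],
    ["O'Reilly book review", 'Reviewed by staff'],
    ['100% uptime report', 'Monthly stats'],
] as $row) {
    $ins->execute($row);
}

// The pattern the advisory describes: user input spliced into the SQL text.
// Any quote or ')' in $query changes the statement itself.
function search_stories_unsafe(PDO $db, string $query): array
{
    $sql = "SELECT sid, title FROM nuke_stories WHERE title LIKE '%$query%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed, the search term travels as a bound
// value, and LIKE metacharacters in the term are escaped so they match literally.
function search_stories(PDO $db, string $query): array
{
    $stmt = $db->prepare(
        "SELECT sid, title FROM nuke_stories WHERE title LIKE :q ESCAPE '\\'"
    );
    $stmt->execute([':q' => '%' . addcslashes($query, '%_\\') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A term containing a quote is just data: one row, no SQL error, no injection.
print_r(search_stories($db, "O'Reilly"));
// Wildcards in the term are matched literally: '100%' finds the stats row only.
print_r(search_stories($db, '100%'));
// The unsafe version throws a syntax error on the same quoted input
// (PDO::ERRMODE_EXCEPTION); that breakage is what the injection in this
// advisory turns into a data read.
try {
    search_stories_unsafe($db, "O'Reilly");
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}
```

With the bound parameter there is no keyword list to maintain: the term cannot close the string literal or append a second statement, so the UNION variants the text mentions need no separate handling. The `ESCAPE` clause is the part most often forgotten; without it, `%` and `_` typed by the user still act as wildcards even though they can no longer break the query.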
  
####################  
Timeline  
####################  
  
discovered: 21-11-2005
vendor notified: 29-12-2005 (forums)
vendor response: -------
vendor fix: -----
disclosure: 09-01-2006
  
###################  
example:  
###################  
  
go to  
http://[Victim]/modules.php?name=Search  
  
and enter this proof of concept in the search box:
  
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*  
  
All user password hashes become viewable.
  
#################### End ########################
  
Thanks to Estrella for being my light
  
  
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what drives the mind....