Vulnrability in myPHPnuke 1.8.8

2003-09-22T00:00:00
ID SECURITYVULNS:DOC:5138
Type securityvulns
Reporter Securityvulns
Modified 2003-09-22T00:00:00

Description

Language : PHP Script : http://www.myphpnuke.com 1.8.8 Problem : SQL Injection Description : myphpnuke is a widely used Content Managemnt System.

Problem :

In auth.inc.php file,


if ((isset($aid)) && (isset($pwd)) && ($op == "login")) { if($aid!="" AND $pwd!="") { $q="select pwd from ".$mpnTables['authors']." where aid='$aid'"; $result=mysql_query("select pwd from ".$mpnTables['authors']." where aid='$aid'"); list($pass)=mysql_fetch_row($result); if ($pass == $pwd) { $pwd1 = md5($pwd); mysql_query("update ".$mpnTables['authors']." set pwd = '$pwd1' where aid='$aid'"); $pass = $pwd1; } else { $pwd1 = md5($pwd); } if($pass == $pwd1) { $admin = base64_encode("$aid:$pwd1"); setcookie("admin", "$admin", time()+2592000, "", "", ""); // 1 mo is 2592000 } } }


Here the $aid is not checked. If you open the page like,

Therefore you can run the query like,

select pwd from mpn_authors where aid='mad' into outfile '/filepath/file.txt'

when you enter aid=mad' into outfile '/filepath/file.txt

This will not work if magic_quotes_gpc is on.

Fix :

Find the line


if ((isset($aid)) && (isset($pwd)) && ($op == "login")) { if($aid!="" AND $pwd!="") {


Add


$aid=addslashes($aid);


Credit : lifofifo & hackingzone.org