David Endler wrote: > If the attacker's UID is 2, he or she can then launch the attack by > requesting the following URL: > > modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage= > no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/* > [...] > +--[ bio = '\',
Well, this is impossible if "magic_quotes_gpc" is ON, because %5c will be passed as \\ , not as \ . Then we have: bio = '\\', and SQL injection is apsoluty impossible. I really don't know why PHP-Nuke not check magic_quotes. In my PHP engine first task is checking 'magic_quotes', and if it is OFF, then simply turn it ON: if (get_magic_quotes_gpc()==0) set_magic_quotes_runtime (1); This line should be at the top of init script of every PHP engine. P.S. 'magic_quotes' is by default ON on many web-hosting servers, so I think that this vulnerability will not affect all sites with PHP nuke. ...except if PHP Nuke explicitly turn magic_quotes off ?!? Regards, Predrag Damnjanovic
