On 26 Mar 2005, Gerardo Astharot Di Giacomo wrote: > Product: NukeBookmarks .6 > URL: http://nukebookmarks.sourceforge.net/
> 1) Full path disclosure > It's possible to retrieve the full installation URL of the website. In > "marks.php" file, there are some queries to the database. If some parameters > miss or some strange characters are submitted, the functions that get results > from the database will return an error. I can understand how full path disclosure can be an issue, however, in a production environment the PHP settings to display errors ought to be disabled. As such, full path disclosure goes away. > 3) SQL Injection > It's possible to get any content from the database by exploiting a SQL > Injection vulnerability in "marks.php" file. > > This example will get the list of PHPNuke authors and the relative hashes of > the passwords. That is true if the default table names are used. However it would be worth noting that with any web presence that uses a backend database, the prefix ought to be changed to something random and non-default. Does this completely solve the issue, of course not, but it can stop the script kiddy attacks. For more on this: http://unixwiz.net/techtips/sql-injection.html Thanks for the disclosure. -- Sincerely, Paul Laudanski .. Computer Cops, LLC. CastleCops(SM)... http://castlecops.com CC Blog ......... http://blog.castlecops.com Staff Blogs ..... http://busterbunny.castlecops.com Our Vision ...... http://castlecops.com/postt63382.html http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
