Saw this on bugtraq today. Does this affect our PHP site?

----- Forwarded message from Pedro Inacio <[EMAIL PROTECTED]> -----
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Delivered-To: mailing list [EMAIL PROTECTED]
Delivered-To: moderator for [EMAIL PROTECTED]
Date: 25 Sep 2002 17:25:46 -0000
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: Pedro Inacio
To: [EMAIL PROTECTED]
Subject: PHP-Nuke x.x SQL Injection

Hello,

All PHP-Nuke versions, including the just released 6.0, are vulnerable to a very simple SQL injection that may lead to a basic DoS attack.

For instance, if you create a short script to send a few requests (I have tested with just 6) similar to this:

http://www.nukesite.com/modules.php?name=News&file=article&sid=1234%20or%201=1

after a real short time the load of the machine is so high that it will become inaccessible. When the script is stopped, the server will take a few minutes to recover from the load and become accessible again.

Well, the number of requests depends on your MySQL parameters and hardware, but in general all the tested php-nuke sites were vulnerable and became inaccessible.

If you are running PHP-Nuke, I suggest the creation of some filters to avoid this kind of attack. Other things can be made, but I will not talk about them now. I will wait until Francisco fixes them. Francisco was notified a month ago, but the problems persist. Maybe he is busy reading the new revision of the "Building Secure Web Applications and Web Services" OWASP document. :]

Cheers,
Pedro Inacio

----- End forwarded message -----

_______________________________________________
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
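To answer the forwarder's question for any PHP site, not just PHP-Nuke: the advisory's request works because the `sid` value from the query string reaches the SQL statement unchanged, so `sid=1234 or 1=1` turns a one-row lookup into a full-table select on every request, which is where the load comes from. The example below is added here and is not PHP-Nuke's code; the table name `nuke_stories`, the column `sid` and the function names are assumptions for the demonstration. It shows the unsafe interpolation pattern beside the "filter" the advisory suggests (accept only a positive integer, reject everything else) and a prepared-statement variant for a real `mysqli` connection.

```php
<?php
// Added example (not PHP-Nuke's own code). Table/column names are assumptions.

// Unsafe pattern (assumed, simplified): the raw GET value is interpolated.
// With the advisory's input the WHERE clause becomes "sid=1234 or 1=1",
// which matches every row in the table.
function build_article_query_unsafe(string $sid): string
{
    return "SELECT * FROM nuke_stories WHERE sid=" . $sid;
}

// The "filter": an article id must be a positive integer of sane length.
// Anything else (spaces, keywords, signs, letters) is rejected outright.
function validate_sid($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int)$raw;
}

// Hardened builder: only a validated integer ever reaches the statement.
// Returning null lets the caller answer 400 and log the rejected value.
function build_article_query_safe($raw): ?string
{
    $sid = validate_sid($raw);
    if ($sid === null) {
        return null;
    }
    return "SELECT * FROM nuke_stories WHERE sid=" . $sid;
}

// With a live connection, bind the validated id as an integer parameter
// so the database never parses user-controlled text as SQL.
function fetch_article(mysqli $db, $raw): ?array
{
    $sid = validate_sid($raw);
    if ($sid === null) {
        return null;
    }
    $stmt = $db->prepare("SELECT sid, title FROM nuke_stories WHERE sid = ?");
    $stmt->bind_param('i', $sid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed inputs: a normal id, the advisory's value (URL-decoded),
// and two other malformed ids. Run with: php example.php
$inputs = ['1234', '1234 or 1=1', '-1', '12abc'];
foreach ($inputs as $in) {
    printf("input %-14s unsafe: %s\n", "'$in'", build_article_query_unsafe($in));
    printf("      %-14s safe:   %s\n", '', build_article_query_safe($in) ?? 'REJECTED');
}
```

Running it prints the unsafe query `... WHERE sid=1234 or 1=1` for the advisory's input while the safe builder returns `REJECTED`; only `'1234'` produces a query in both cases. The same check applies to any numeric id a PHP page pulls from `$_GET` or `$_POST`, and a rejected value is worth logging, since repeated rejections from one client are the signature of the request script the advisory describes.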
