Re: [Full-disclosure] Critical SQL Injection PHPNuke

2006-07-07 Thread Kevin Wilcox

DaRk14 wrote:
> Please, I want a script that creates an admin account on PHP-Nuke sites
> ... www.site.com/admin.php, for example... understand? Please, if you
> know what I mean and have that script on your PC, please mail me :) thx

I think you've missed an essential. It's one thing to disclose product
vulnerabilities for the greater good of the community. It's an entirely
different thing to go searching for cracks to gain unauthorized access
to a system.

kw

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Critical SQL Injection PHPNuke

2006-07-06 Thread DaRk14
Please, I want a script that creates an admin account on PHP-Nuke sites ... www.site.com/admin.php, for example... understand? Please, if you know what I mean and have that script on your PC, please mail me :) thx

[Full-disclosure] Critical SQL Injection PHPNuke <= 7.8 - Your_Account module

2006-02-16 Thread SecurityReason - sp3x



SecurityAlert SA032

Author: sp3x
CVE: CVE-2006-0679
Date: 16. February 2006

Affected software:
==================

PHPNuke version: 7.8 with all security fixes/patches

Not Affected software:
======================

PHPNuke version: 7.9 + patch 3.1

Description:
============

PHP-Nuke is a Web Portal System, storytelling software, News system, online
community or whatever you want to call it. The goal of PHP-Nuke is to have an
automated web site to distribute news and articles with a users system. Each
user can submit comments to discuss the articles, similar to Slashdot and many
others. Main features include: web based admin, surveys, top page, access stats
page with counter, user customizable box, themes manager for registered users,
friendly administration GUI with graphic topic manager, option to edit or
delete stories, option to delete comments, moderation system, Referers page to
know who links to us, sections manager, customizable HTML blocks, user and
authors edit, an integrated Banners Ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions. PHP-Nuke is
written 100% in PHP and requires the Apache Web server, PHP and a SQL database
(MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase). Support for
25 languages, Yahoo like search engine, Comments option in Polls, lots of
themes, Ephemerids manager, File Manager, Headlines, download manager, faq
manager, advanced blocks systems, reviews system, newsletter, categorized
articles, multilanguage content management, phpBB Forums included and a lot
more.

Vulnerabilities:
================

Critical SQL injection:
=======================

In the module called "Your_Account" there exists an SQL Injection bug, which
can lead to stealing the admin's username and password md5 and also some
sensitive data from the database.

The problem exists in index.php, so first let's see the source code of this
file.

Original code from index.php:
-----------------------------
...
function confirmNewUser($username, $user_email, $user_password, $user_password2, $random_num, $gfx_check) {
    global $stop, $EditedMessage, $sitename, $module_name, $minpass;
    include("header.php");
    include("config.php");
    filter_text($username);            // result is left in the global $EditedMessage
    $username = $EditedMessage;
    $user_viewemail = "0";
    userCheck($username, $user_email);
    $user_email = validate_mail($user_email);
-----------------------------

Here we can see that filter_text() is used on the $query variable and later we
have userCheck($username, $user_email);. OK, let's see the function
filter_text().

Original code from mainfile.php:
--------------------------------
function filter_text($Message, $strip="") {
    global $EditedMessage;
    check_words($Message);
    $EditedMessage = check_html($EditedMessage, $strip);
    return $EditedMessage;
}
--------------------------------

Here we have another function, check_words($Message); let's check this also.

Original code from mainfile.php:
--------------------------------
function check_html($str, $strip="") {
    /* The core of this code has been lifted from phpslash */
    /* which is licenced under the GPL. */
    include("config.php");
    if ($strip == "nohtml")
        global $AllowableHTML;
    if (!is_array($AllowableHTML)) $AllowableHTML = array('');
    $str = stripslashes($str);         // backslash escaping on the input is removed here
    $str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>", '<\\1>', $str); // Delete all spaces from html tags .
    $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>", '<a href="\\1">', $str); // Delete all attribs from Anchor, except an href, double quoted.
    $str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str); // Delete all img tags
    $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str); // Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
    $tmp = "";
    while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>", $str, $reg)) {
        $i = strpos($str, $reg[0]);
        $l = strlen($reg[0]);
        if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1], 1));
        else $tag = strtolower($reg[1]);
        if ($a = $AllowableHTML[$tag])
            if ($reg[1][0] == "/") $tag = "</$tag>";
            elseif (($a == 1) || (empty($reg[2]))) $tag = "<$tag>";
            else {
                # Place here the double quote fix function.
                $attrb_list = delQuotes($reg[2]);
                // A VER
                $attrb_list = str_replace("&", "&amp;", $attrb_list);
                $tag = "<$tag" . $attrb_list . ">";
            } # Attribs in tag allowed
        else $tag = "";
        $tmp .= substr($str, 0, $i) . $tag;
        $str = substr($str, $i + $l);
    }
    $str = $tmp . $str;
    return $str;
    exit;
    /* Squash PHP tags unconditionally */
    $str = str_replace("<?", "", $str);
    return $str;
}
--------------------------------

This function returns the $str variable, but at the beginning of this function
we can see $str = stripslashes($str);. So when we have filter_text($username);
in index.php, this means that on the variable $username is

[Full-disclosure] Critical SQL Injection PHPNuke <= 7.8

2005-11-15 Thread SecurityReason - sp3x



SecurityAlert SA027

Author: sp3x
GPG: http://securityreason.com/key/sp3x.gpg
Date: 15. November 2005

Affected software:
==================

PHPNuke version: 7.8 with all security fixes/patches

Not Affected software:
======================

PHPNuke version: 7.9 + patch 3.1
Description:
============

PHP-Nuke is a Web Portal System, storytelling software, News system, online
community or whatever you want to call it. The goal of PHP-Nuke is to have an
automated web site to distribute news and articles with a users system. Each
user can submit comments to discuss the articles, similar to Slashdot and many
others. Main features include: web based admin, surveys, top page, access stats
page with counter, user customizable box, themes manager for registered users,
friendly administration GUI with graphic topic manager, option to edit or
delete stories, option to delete comments, moderation system, Referers page to
know who links to us, sections manager, customizable HTML blocks, user and
authors edit, an integrated Banners Ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions. PHP-Nuke is
written 100% in PHP and requires the Apache Web server, PHP and a SQL database
(MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase). Support for
25 languages, Yahoo like search engine, Comments option in Polls, lots of
themes, Ephemerids manager, File Manager, Headlines, download manager, faq
manager, advanced blocks systems, reviews system, newsletter, categorized
articles, multilanguage content management, phpBB Forums included and a lot
more.
 
Vulnerabilities:
================

Critical SQL injection:
=======================

In the module called "Search" there exists an SQL Injection bug, which can lead
to stealing the admin's username and password md5 and also some sensitive data
from the database.

The problem exists in index.php, so first let's see the source code of this
file.
 
Original code from index.php:
-----------------------------
...
$query = stripslashes(check_html($query, "nohtml"));   // backslash escaping on $query is removed here
if ($type=="stories" OR !$type) {

    if ($category > 0) {
        $categ = "AND catid='$category' ";
    } else {
        $categ = "";
    }
    $q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, s.bodytext, a.url, s.comments, s.topic from ".$prefix."_stories s, ".$prefix."_authors a where s.aid=a.aid $queryalang $categ";
    // $query is interpolated into the LIKE clauses without any further escaping
    if (isset($query)) $q .= "AND (s.title LIKE '%$query%' OR s.hometext LIKE '%$query%' OR s.bodytext LIKE '%$query%' OR s.notes LIKE '%$query%') ";
    if (!empty($author)) $q .= "AND s.aid='$author' ";
    if (!empty($topic)) $q .= "AND s.topic='$topic' ";
    if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";
    $q .= " ORDER BY s.time DESC LIMIT $min,$offset";
    $t = $topic;
    $result5 = $db->sql_query($q);
    $nrows = $db->sql_numrows($result5);
-----------------------------
 
Here we can see that stripslashes() is used on the $query variable. Using
stripslashes() before a MySQL statement leads to a critical SQL Injection
attack. This SQL Injection will work in every type of Search. Here I mean:

type=="stories"
type=="comments"
type=="reviews"
type=="users"

And it will also work when is_active("Downloads"), is_active("Web_Links") or
is_active("Encyclopedia").

So we have here about 7 Critical SQL injections.
 
Exploit test:
-------------

Enter this into the Search field:

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
-> users passwords and logins

s%') UNION SELECT 0,pwd,name,aid,0,0,0,0,0,0 FROM nuke_authors/*
-> nuke_authors passwords and logins
 
Exploit:
--------

http://securityreason.com/achievement_exploitalert/5

How to fix:
-----------

Download the new version of the script or update.
http://securityreason.com/patch/6
 
Greets:
-------

Special greets: cXIb8O3, pkw, pi3, p_e_a and others.
 
Contact:
========

sp3x[at]securityreason[dot].com
www.securityreason.com
