I have also discovered a Path Disclosure on PHP-Nuke 6.x, and others?

Exploit:

http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=[any_words]
http://victim.x/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink

If [any_words] has a non-numerical value or a NULL value, this will produce
"path disclosure". In addition to this form, as Ripe has informed, a SQL
Injection can be made.

Patch (this is a temporary patch, but... it is running)

In the viewlink function insert the following:

------------------------[ CODE ]------------------------
// Reject a missing, empty or non-numeric category id before it reaches the query
if (!isset($cid) || $cid == NULL || $cid == "" || !is_numeric($cid)) {
    echo "I don't like you >:|";
    exit();
}
------------------------[ CODE ]------------------------

------ XyborG ------
Thanks to Verstand & Chiz0

> /-----------------------------------------------------------------------------\
> | 7 A 6 9 - A d v                                                    C: 010 |
> |-----------------------------------------------------------------------------|
> |                                                                             |
> |                          [ PHP-Nuke SQL injection ]                         |
> |                                                                             |
> \-----------------------------------------------------------------------------/
>                                                                  | 11/05/2003 |
>                                                                  \------------/
>
> Data.
> ------
>
> + Type: SQL injection.
>
> + Software: PHP-Nuke
>
> + Versions: 6.x (including 6.5) and 5.x
>
> + Exploit: Yes
>
> + Author: Albert Puigsech Galicia
>
> + Contact: ripe@7a69ezine.org
>
>
> Introduction.
> -------------
>
> PhpNuke is a well-known content management system programmed
> in PHP by Francisco Bucci. A lot of people use it because it is very
> easy to install and manage.
>
> Description.
> ------------
>
> The Web_Links module, included in the PHP-Nuke base package, has multiple
> SQL injections (more than 20). The web user may be able to insert his own
> SQL code in most of the numeric values included in queries, because the
> plugin coder didn't use inverted commas.
>
>
> Exploitation.
> -------------
>
> If the SQL agent allows us to use a UNION sentence (like MySQL 4
> does) it is possible to extract information about anything inside the
> database; of course this includes passwords, personal data, etc. Otherwise,
> without UNION possibility we can't access other SQL tables than the web
> links management ones, so the only possibility is to play with hits and
> votes.
>
> Some examples:
>
> [*] On viewlink function:
>
> $result = sql_query("select title,parentid from
> ".$prefix."_links_categories where cid=$cid", $dbi);
>
> http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>
>
> [*] Vim index.php... There are a lot.
>
>
> Patch.
> ------
>
> There is no patch for this vulnerability. But it is easy to add
> inverted commas on all numeric values.
>
> Notes.
> ------
>
> I am really surprised about PHP-Nuke usage. I can't understand that a
> software with PHP-Nuke's security history may be used. Lots of
> vulnerabilities have been discovered on this software in the last months,
> and there are more bugs. Recommendation for PHP-Nuke users: Migrate!
>
>
> --
> ---------------------------
> Albert Puigsech Galicia
>
> http://ripe.7a69ezine.org
> ---------------------------

--
XyBØrG
Webmaster of: www.RZWEB.com.ar
Powered By Dattatec.Com
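The viewlink query quoted above takes $cid straight into the SQL text, and a non-numeric value both breaks the query (the PHP/MySQL error then prints the script path) and lets SQL be appended. The following is an added example, not PHP-Nuke's code nor the posters' patch: it validates the id as a plain integer, binds it as a parameter, and fails closed without echoing an error. It assumes a PDO connection ($db) and the PHP-Nuke table prefix ($prefix, "nuke" by default); the real module uses its own sql_query()/$dbi wrappers, and the in-memory SQLite data at the bottom is constructed for the demo.

```php
<?php
// Added example (not PHP-Nuke's own code): the viewlink category lookup
// rewritten so that $cid can never carry SQL and a bad value never reaches
// the database (no PHP/MySQL error, hence no path disclosure).
// Assumptions: a PDO handle $db and the table prefix $prefix; PHP-Nuke's
// real module uses sql_query()/$dbi instead of PDO.

function validate_cid($raw) {
    // Accept only a plain positive integer: "2" yes; "2 union ...", "", null,
    // "1e1" and "  2" no. Stricter than is_numeric(), which also accepts
    // floats, exponents and leading whitespace.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string) $raw)) {
        return null;
    }
    return (int) $raw;
}

function viewlink_category(PDO $db, $prefix, $raw_cid) {
    $cid = validate_cid($raw_cid);
    if ($cid === null) {
        // Fail closed and say nothing specific: echoing the database error
        // text is what leaked the script path in the original report.
        return null;
    }
    // Vulnerable original (quoted from the advisory), for contrast only:
    //   sql_query("select title,parentid from ".$prefix."_links_categories where cid=$cid", $dbi);
    // Hardened: the value travels as a bound integer parameter, never as SQL text.
    $stmt = $db->prepare("SELECT title, parentid FROM {$prefix}_links_categories WHERE cid = :cid");
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo with an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE nuke_links_categories (cid INTEGER PRIMARY KEY, title TEXT, parentid INTEGER)");
$db->exec("INSERT INTO nuke_links_categories VALUES (2, 'Security', 0)");

foreach (array('2', '2 union select 1,2', '', null, '1e1') as $input) {
    $row = viewlink_category($db, 'nuke', $input);
    printf("%-22s => %s\n", var_export($input, true), $row ? $row['title'] : 'rejected');
}

// Server-side companion setting so that any error that still occurs is logged
// rather than rendered to the visitor together with the file path (php.ini):
//   display_errors = Off
//   log_errors     = On
```

Only the first input returns a row; the other four are rejected before any query runs. Casting to an integer (or the regex above) removes the injection surface entirely, which is a stronger fix than the "inverted commas" the advisory suggests, since a quoted value is still interpolated into the statement text and still depends on every caller remembering to escape it.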