>> Site Map >> Forums >> PHP-Nuke Security
Forum module - topics in forum:
PHP-Nuke Security - Been hacked? or have a question about securing your site, here's the place.
[PHP Nuke 7.8] Multiple SQL Injections
Here we go, another vulnerabilty in PHP-Nuke 7.7/7.8:
(This vulnerability has been fix allready in the patches)
| Quote: : |
| [NewAngels Advisory #7]PHP Nuke <= 7.8 Multiple SQL Injections ============================================================================= Software: PHP Nuke 7.8 Type: SQL Injections Risk: High Date: Sep. 10 2005 Vendor: PHP-Nuke (phpnuke.org) Credit: ======= Robin 'onkel_fisch' Verton from it-security23.net Description: ============ PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases. [http://www.phpnuke.org/] Vulnerability: ============== PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. In the modules.php $result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'"); The $name variable is not checked so you could inject malicious SQL Code. In an file which is included whe have the following code: $queryString = strtolower($_SERVER['QUERY_STRING']); if (stripos_clone($queryString,'%20union%20') OR stripos_clone($queryString,'/*') OR stripos_clone($queryString,'*/union/*') OR stripos_clone($queryString,'c2nyaxb0')) { header("Location: index.php"); die(); } [...] if (!ini_get("register_globals")) { import_request_variables('GPC'); } So you can use UNION in a GET var. But because they use register_globals or impor_request_variables you can send the malicous SQL-Code via POST so it is not checked if you insert an "union". http://www.example.com/modules.php POST: name=' OR 1=1/* will produce an error, neither http://www.example.com/modules.php POST: name=' OR 1=2/* will only tell you taht the requestet 'modul' is not active, so you can read out the admin password hahs via blind injections. Additionaly there are a few SQL-Injections in the modules. Here a few examples: http://www.example.com/modules.php?name=News&file=article&sid=[SQL] - here the same as above, send this via POST to bypass the 'union'-cover http://www.example.com/modules.php?name=News&file=comments&Reply&pid=[SQL] http://www.example.com/modules.php?name=News&file=comments&op=Reply&pid=[SQL] http://www.example.com/modules.php?name=News&file=comments&op=Reply&sid=[SQL] Greets: ============== CyberDead, atomic, sirius_ Whole secured-pussy.de Team Zealots  |
More information:
http://www.securityfocus.com/bid/14815/info
http://www.nukefixes.com/ftopict-1906.html
Recommended fixes/modules/addons:
Chatservs Patches http://www.nukeresources.com/downloads-cat97.html
NukeSentinel™ http://www.nukescripts.net/modules.php?name=Downloads&op=getit&lid=1022
or
Protector
http://www.phpnuke-nederland.com/download-file-73.html
Also read:
PHP-Nule 7.7/7.8 Support
http://phpnuke-uk.net/modules.php?name=Forums&file=viewtopic&p=26050
BL
Hacked :-(
Hi all, not a good way to start off as first post, but anyway here i go.
I run a disco site wich has been hacked. I know versions 7.8 & 7.9 are not supported but I could not find the patch for the sql injection.
here is the message left on my site with a flag & eagle -
H4Ck3D By Crashinside & DarkSide
Sorry Admin!
Your site is vulnerable to Sql-Injection in Search Module''s!
I have disactivate this module!
Update Site for Any Inconvenient!
Hacked By Crahinside & DarkSide!
First time hacked. Bummer to be precise.
Any of you people give advise please?
Thanks in advance.
Steve
Advice is at the frontpage of this website.
Anyone using 7.7+ is vulnerable!
Avoid those version, please!
Install PHP-Nuke 7.6pl3.1 and Nuke Sentinel!
Download the downgrader 78-76, to downgrade your website.
Just remove all the files, upload the files from the PHP-Nuke 7.6pl3.1 package and run the downgrade78-76.php file.
BL
