PHP-Nuke MS-Analysis Module HTTP Referrer Field SQL Injection Vulnerability
BID:9948
Info
| Bugtraq ID: | 9948 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 22 2004 12:00AM |
| Updated: | Mar 22 2004 12:00AM |
| Credit: | Janek Vind <[email protected]> is credited with the disclosure of these issues. |
| Vulnerable: | MS-Analysis Website Traffic Analyzer 2.0 |
| Not Vulnerable: | |
Discussion
Reportedly the MS-Analysis module is prone to a remote SQL injection vulnerability. This issue is due to a failure to properly sanitize user-supplied HTTP header input before using it in an SQL query.
As a result of this, a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It may be possible for an attacker to disclose the administrator password hash by exploiting this issue.
Exploit / POC
No exploit is required to leverage this issue. The following proof of concept outlines a 'Referer' field that is reported to be sufficient to leverage this issue:
"http://www.example.com/search?q=Maty+Scripts%27UNION SELECT pwd from nuke_authors where name%3d%27God%27 AND IF(mid(pwd,1,1)%3d3,benchmark(150000,md5(1337)),1)/*"
Where www.example.com must be considered a valid search engine by the MS-Analysis module.
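A log check for the Referer pattern shown above, added here as an example and not part of the original advisory: it URL-decodes the Referer field of combined-format access log lines and flags SQL constructs. The log format, the rule set and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log line; the Referer is the second-to-last quoted field.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Assumed heuristic rule set, applied to the URL-decoded Referer; tune per site.
INDICATORS = {
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "timing-function": re.compile(r"\b(?:benchmark|sleep)\s*\(", re.I),
    "quote-then-keyword": re.compile(r"'\s*(?:union|select|or|and)\b", re.I),
    "sql-comment": re.compile(r"/\*|--\s"),
}

def decode(value, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded input is also seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_referers(lines):
    """Return (client_ip, sorted_rule_names) for each line whose Referer matches a rule."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m or m.group("referer") in ("", "-"):
            continue  # unparsable line or no Referer sent
        text = decode(m.group("referer"))
        reasons = sorted(n for n, rx in INDICATORS.items() if rx.search(text))
        if reasons:
            hits.append((m.group("ip"), reasons))
    return hits

# Constructed sample lines; the second carries the Referer quoted in this advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Mar/2004:10:14:55 +0000] "GET /index.php HTTP/1.0" 200 5120 '
    '"http://www.example.com/search?q=php+nuke+don%27t+panic" "Mozilla/4.0"',
    '198.51.100.7 - - [22/Mar/2004:10:15:02 +0000] "GET /index.php HTTP/1.0" 200 5120 '
    '"http://www.example.com/search?q=Maty+Scripts%27UNION SELECT pwd from nuke_authors '
    'where name%3d%27God%27 AND IF(mid(pwd,1,1)%3d3,benchmark(150000,md5(1337)),1)/*" '
    '"Mozilla/4.0"',
    '192.0.2.11 - - [22/Mar/2004:10:16:40 +0000] "GET /modules.php HTTP/1.0" 200 812 "-" "Mozilla/4.0"',
]
```

Calling `suspicious_referers(SAMPLE_LOG)` reports only the second client; the benign search with an encoded apostrophe and the request without a Referer are not flagged.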
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- MS-Analysis Website Analysis Module (Maty Scripts)
- PHPNuke INP Homepage (PHPNuke INP)
- waraxe-2004-SA#011 - Multiple vulnerabilities in MS Analysis v2.0 module for P (Janek Vind)