Nuke ET 'search' module 'query' variable SQL injection

Monday, November 21, 2005
###############################################
Nuke ET 'search' module 'query' variable SQL injection
Vendor url: www.truzone.org
exploit available:yes vendor notify:yes
advisory: http://lostmon.blogspot.com/2005/11/nuke-et-search-module-query-variable.html
OSVDB ID:21002
Secunia:SA17638
BID:15519
################################################

Nuke ET has a flaw which can be exploited by malicious people to
conduct SQL injection attacks.

Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

#################
versions:
################

Nuke ET 3.2
Prior versions are possibly affected.

##################
solution:
###################

The vendor has released a fix:

http://www.truzone.org/modules.php?name=DescNuke&d_op=getit&lid=1557

Apply the fix as soon as possible.

####################
Timeline
####################

discovered:21-11-2005
vendor notify:21-11-2005
vendor response:21-11-2005
vendor fix:21.11.2005
disclosure:21-11-2005

###################
example:
###################

go to
http://[Victim]/modules.php?name=Search

and enter this proof string in the search box:

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

All users' hashes are then available to view.
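
Why the proof string works, and why a bound parameter stops it, shown as an added example that is not Nuke ET's own code or the vendor's fix. Assumptions: SQLite stands in for the site's database, the nuke_stories table, its ten columns and the shape of the search query are hypothetical, and the stored "hash" is a constructed marker.

```python
import sqlite3

# The proof string from the advisory, verbatim.
PAYLOAD = ("s%') UNION SELECT 0,user_id,username,user_password,"
           "0,0,0,0,0,0 FROM nuke_users/*")
# Assumed ten-column story table; only nuke_users is named in the advisory.
COLS = "sid, aid, informant, title, time, hometext, comments, topic, counter, score"

def make_db():
    """Build a constructed in-memory database (SQLite stands in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE nuke_stories ({COLS});
        CREATE TABLE nuke_users (user_id, username, user_password);
        INSERT INTO nuke_stories
            VALUES (1, 'admin', 'bob', 'Site news', 0, 'hello', 0, 0, 0, 0);
        INSERT INTO nuke_users VALUES (2, 'alice', 'CONSTRUCTED_HASH_alice');
    """)
    return db

def search_concat(db, query):
    """Unsafe pattern: the search term is pasted into the SQL text."""
    sql = f"SELECT {COLS} FROM nuke_stories WHERE (title LIKE '%{query}%')"
    return db.execute(sql).fetchall()

def search_bound(db, query):
    """Safe pattern: LIKE wildcards are escaped and the term is bound as data."""
    term = query.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = f"SELECT {COLS} FROM nuke_stories WHERE (title LIKE ? ESCAPE '\\')"
    return db.execute(sql, (f"%{term}%",)).fetchall()

def leaks_users(rows):
    """True if any returned column carries the constructed password marker."""
    return any("CONSTRUCTED_HASH" in str(col) for row in rows for col in row)

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", leaks_users(search_concat(db, PAYLOAD)))
    print("bound:       ", leaks_users(search_bound(db, PAYLOAD)))
```

In the concatenated query the quote and parenthesis in the term close the LIKE clause, so the rest is parsed as SQL; in the bound query the same characters are only text to match against story titles.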

#################### €nd ########################

Thanks to estrella for being my light
Thanks to Truzone
Thanks to RiXi
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....