PHPNuke EV 7.7 'search' module 'query' variable SQL injection

Monday, January 09, 2006
###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available:yes vendor notify:yes
advisore:http://lostmon.blogspot.com/2006/01/
phpnuke-ev-77-search-module-query.html
OSVDB ID:22316Related OSVDB:21002and:20866
BID:16186
Secunia:SA18394Related Secunia:SA17638 andSA17543
################################################

PHPNuke EV 7.7 have a flaw which can be exploited by malicious
people to conduct SQL injection attacks.

Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

#################
versions:
################

PHPNuke EV 7.7 -R1

posible prior versions are afected.

##################
solution:
###################

No solution at this time!!!

A posible fix:

Open file modules/Search/index.php and after this code:
------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------

you can add this other :

------------------------------------

if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
die();
}
----------------------------------------------
this is a "simple fix " only detect UNION SELECT comand and die
if this is in the query variable... you can write the same code
for UNION ALL SELECT or other varians of xploit


####################
Timeline
####################

discovered:21-11-2005
vendor notify:29-12-2005 (forums)
vendor response:-------
vendor fix:-----
disclosure:09-01-2006

###################
example:
###################

go to
http://[Victim]/modules.php?name=Search

and write in the search box this proof

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

all users hashes are available to view..

#################### €nd ########################

Thnx to estrella to be my ligth


--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Post by Lostmon in 7:45:00 AM
Subscribe to: Posts (Atom)
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...