'PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL
From:       paisterist.nst () gmail ! com
Date:       2006-10-31 16:42:24
Message-ID: 20061031164224.31630.qmail () securityfocus ! com
[Download RAW message or body]

/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory 29 - 2006-10-31
--------------------------------------------------------
Program: PHP-Nuke
Homepage: http://www.php.net
Vulnerable Versions: PHP-Nuke <= 7.9
Risk: Medium
Impact: Medium Risk

-==PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL Injection \
                vulnerability==-
---------------------------------------------------------

- Description
---------------------------------------------------------
PHP-Nuke is a news automated system specially designed to be used in Intranets and \
Internet. The Administrator has total control of his web site, registered users, and \
he will have in the hand a powerful assembly of tools to maintain an active and 100% \
interactive web site using databases.

- Tested
---------------------------------------------------------
localhost & many sites

- Vulnerability Description
---------------------------------------------------------

In /modules/Journal/search.php the "forwhat" variable is not sanitized correctly. \
Here is the vulnerable code:

==[ /modules/Journal/search.php 125-136 ]==========================
[...]
if ($bywhat == 'aid'):
	if ($exact == '1') {
            $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, \
j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, \
".$user_prefix."_users u WHERE u.username=j.aid and j.aid='$forwhat' order by j.jid \
DESC";  } else {			
            $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, \
j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, \
".$user_prefix."_users u WHERE u.username=j.aid and j.aid like '%$forwhat%' order by \
j.jid DESC";  } elseif ($bywhat == 'title'):
        $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, \
j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u \
WHERE u.username=j.aid and j.title like '%$forwhat%' order by j.jid DESC";  elseif \
($bywhat == 'bodytext'):  $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, \
j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, \
".$user_prefix."_users u WHERE u.username=j.aid and j.bodytext LIKE '%$forwhat%' \
order by j.jid DESC";  elseif ($bywhat == 'comment'):
        $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, \
j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u, \
".$user_prefix."_journal_comments c WHERE u.username=j.aid and c.rid=j.jid and \
c.comment LIKE '%$forwhat%' order by j.jid DESC";  endif;
[...]
==[ end /modules/Journal/search.php ]==============================

magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not \
filtered. Also we have to know the prefix  used for the database tables ("nuke_" by \
default).

In this way, bypassing the SQL Injection Protection, like using someone like \
'/**/UNION ' and not ' UNION ' in our sql injections, we can get the admin md5 hash \
without any problems.

==Pseudo-Code Proof of Concept exploit==
<?
/*

Neo Security Team - Pseudo-Code Proof of Concept Exploit
http://www.neosecurityteam.net
Paisterist

*/
set_time_limit(0);
$host="localhost";
$path="/phpnuke/";
$port="80";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$data=""; /* Here the variables, like "bywhat" and "forwhat", with the SQL Injection \
*/ 

if ($fp) {
    /* we put the POST request on $p variable, sending the data saved on $data. */

    fwrite($fp, $p);

    while (!feof($fp)) {
        $content .= fread($fp, 4096);
    }

    preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);

    if ($matches[0])
    print "<b>Hash: </b>".$matches[0];
}
?>
==Pseudo-Code Proof of Concept exploit==

Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors \
table.

- How to fix it? More information?
--------------------------------------------------------

You can found a patch on http://www.neosecurityteam.net/foro/

Also, you can modify the line 61 of /modules/Journal/search.php, adding slashes \
before the simple quotes with the addslashes() function:

==[ /modules/Search/index.php 59-62 ]==========================
[...]
else :
    $forwhat = filter($forwhat, "nohtml");
    $forwhat = addslashes(filter($forwhat, "nohtml"));
    endif;
[...]
==[ end /modules/Search/index.php ]==============================

That's a momentary solution to the problem. I recommend to download the PHP-Nuke 8.0 \
version in the next days... it is not  free at the moment.

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=29

- Credits
--------------------------------------------------------
Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] \
gmail[dot]com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
LINUX
nitrous
m0rpheus
nikyt0x
KingMetal
Knightmare

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic