[VIM] Old PHP-Nuke/PostNuke SQL injection issues - clarification
Steven M. Christey
coley at mitre.org
Fri Dec 1 22:41:05 EST 2006
CrAzY CrAcKeR reported a couple of issues in June - one in PHP-Nuke and
one in PostNuke - without naming either product, so these might have
been missed.
=== PHP-Nuke ===
CVE-2006-6233
Ref: Module's Name Content<<--V1.0 SQL injection
http://www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded
Web searches for "list_pages_categories" eventually led to the
Content module in PHP-Nuke. Relevant code, from an older version 6.0,
is:
html/modules/Content/index.php:
function showpage($pid, $page=0) {
...
// $pid is interpolated, unescaped, into the quoted literal in both queries
$result = sql_query("SELECT * from ".$prefix."_pages where pid='$pid'", $dbi);
...
sql_query("update ".$prefix."_pages set counter=counter+1 where pid='$pid'", $dbi);
also:
function list_pages_categories($cid) {
...
// $cid is interpolated, unescaped, into the quoted literal
$result = sql_query("SELECT pid, title, subtitle, clanguage from ".$prefix."_pages WHERE active='1' AND cid='$cid' order by date", $dbi);
Note that version 7.9 does not have the problem:
function showpage($pid, $page=0) {
...
$pid = intval($pid);
and:
function list_pages_categories($cid) {
...
$cid = intval($cid);
I didn't check other versions.
=== PostNuke ===
CVE-2006-6233
BUGTRAQ:20060617 Module's Name Downloads <<--V 7 SQL injection
URL:http://www.securityfocus.com/archive/1/archive/1/437832/100/200/threaded
I did not access any old versions of PostNuke, but the relevant
function (viewdownloaddetails) is in dl-downloaddetails.php in
PostNuke 0.764, although the $lid variable is checked with
is_numeric(). So, I don't know what versions (if any) are affected,
but I have an inquiry in with the developer.
- Steve
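To make the PHP-Nuke issue above concrete, here is an added example that is not part of the original post or of PHP-Nuke itself. It rebuilds the two 6.0 query shapes (showpage and list_pages_categories) over a constructed in-memory SQLite table standing in for nuke_pages, runs an injected pid/cid against the unescaped version, and then against a version that applies a leading-integer parse approximating PHP's intval(), as the 7.9 code does. The table contents and payloads are constructed for the demonstration; php_intval is an approximation of intval() on strings, not PHP's implementation.

```python
import re
import sqlite3

PREFIX = "nuke"  # assumed table prefix, as in PHP-Nuke's $prefix


def make_db():
    """Constructed sample data standing in for the nuke_pages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {PREFIX}_pages "
        "(pid INTEGER, cid INTEGER, active TEXT, title TEXT, date TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {PREFIX}_pages VALUES (?, ?, ?, ?, ?)",
        [
            (1, 1, "1", "Public page in category 1", "2006-01-01"),
            (2, 1, "0", "Unpublished draft in category 1", "2006-02-01"),
            (3, 2, "1", "Public page in category 2", "2006-03-01"),
        ],
    )
    return conn


def php_intval(value):
    """Approximation of PHP intval() on a string: the leading integer,
    or 0 when the string does not start with one. Assumption for this
    example, not PHP's own code."""
    m = re.match(r"^\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def showpage_vulnerable(conn, pid):
    # Same shape as the 6.0 code: $pid dropped into a quoted literal.
    sql = f"SELECT * FROM {PREFIX}_pages WHERE pid='{pid}'"
    return conn.execute(sql).fetchall()


def showpage_fixed(conn, pid):
    # Same shape as 7.9: intval() first, so only digits reach the query.
    pid = php_intval(pid)
    sql = f"SELECT * FROM {PREFIX}_pages WHERE pid='{pid}'"
    return conn.execute(sql).fetchall()


def list_pages_categories_vulnerable(conn, cid):
    # The active='1' filter can be bypassed because $cid is unescaped.
    sql = (
        f"SELECT pid, title FROM {PREFIX}_pages "
        f"WHERE active='1' AND cid='{cid}' ORDER BY date"
    )
    return conn.execute(sql).fetchall()


def list_pages_categories_fixed(conn, cid):
    cid = php_intval(cid)
    sql = (
        f"SELECT pid, title FROM {PREFIX}_pages "
        f"WHERE active='1' AND cid='{cid}' ORDER BY date"
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Closes the pid literal and appends an always-true clause.
    pid_payload = "1' OR '1'='1"
    # Closes the cid literal and ORs in inactive pages, bypassing active='1'.
    cid_payload = "1' OR active='0"
    print("showpage vulnerable:", showpage_vulnerable(db, pid_payload))
    print("showpage fixed:     ", showpage_fixed(db, pid_payload))
    print("list vulnerable:    ", list_pages_categories_vulnerable(db, cid_payload))
    print("list fixed:         ", list_pages_categories_fixed(db, cid_payload))
```

The cid payload is the more interesting one: AND binds tighter than OR, so `WHERE active='1' AND cid='1' OR active='0'` returns the unpublished draft alongside the public page. With the intval() step the payload collapses to cid=1 and only the active page is returned; a parameterized query would be the general fix, but the integer cast is what the 7.9 code actually does.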