PHP-Nuke 'modules.php' Input Validation Flaw in 'cid' Variable Lets Remote Users Inject SQL Commands
|
SecurityTracker Alert ID: 1007904
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Oct 8 2003
|
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 6.6; other versions may also be affected
|
Description: An input validation vulnerability was reported in PHP-Nuke. A remote user can inject SQL commands via the 'cid' variable in modules.php.
It is reported that modules.php does not properly validate user-supplied input in the 'cid' variable. [Editor's note: This variable
has been subject to cross-site scripting attacks as described in past alerts.]
A remote user can supply a specially crafted URL
to cause SQL commands to be executed on the underlying database.
A demonstration exploit URL is provided:
http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=59%20or%20cid=2
|
Impact: A remote user can inject SQL commands. This can be exploited, for example, to retrieve hashed passwords from the database.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.phpnuke.org/
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: mod <rottyfig12@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 8 Oct 2003 15:37:38 -0000
From: mod <rottyfig12@hotmail.com>
Subject: PHP-Nuke SQL Injection
|
Version: PHP-Nuke 6.6
Language: PHP
Web site: phpnuke.org
Status: Vendor has been notified
There's an SQL injection hole in modules.php.
http://phpnuke.org/modules.php?name=Downloads&d_op=viewdownload&cid=59%20or%20cid=2
This is from not filtering 'cid', it should be checked that it is only numeric with is_numeric(). This hole could allow viewing of
password hashes if the database is mysql 4.x.
This may affect other versions.
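The class of flaw described above and its fix, as an added example that is not PHP-Nuke's code and not part of the original alert or message. The `downloads` table, the function names and the in-memory SQLite database (via PDO) are assumptions made so the snippet runs stand-alone; the only input taken from the page is the `cid` value in the demonstration URL.

```php
<?php
// Added example: table and function names are hypothetical, not PHP-Nuke's own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloads (cid INTEGER, title TEXT)');   // constructed sample data
$db->exec("INSERT INTO downloads VALUES (2, 'category 2 file'), (59, 'category 59 file')");

// Vulnerable pattern: the request value is concatenated into the SQL text,
// so anything after the number is parsed as SQL.
function titles_unsafe(PDO $db, string $cid): array {
    $sql = "SELECT title FROM downloads WHERE cid=$cid";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: strict integer validation, then a bound parameter.
function titles_safe(PDO $db, string $cid): array {
    $id = filter_var($cid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return [];   // reject anything that is not a non-negative integer
    }
    $stmt = $db->prepare('SELECT title FROM downloads WHERE cid = :cid');
    $stmt->bindValue(':cid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The cid value from the alert's demonstration URL, decoded as PHP would receive it.
$fromUrl = urldecode('59%20or%20cid=2');

var_dump(titles_unsafe($db, $fromUrl));   // the OR clause becomes part of the WHERE condition
var_dump(titles_safe($db, $fromUrl));     // rejected by validation before any query is built
var_dump(titles_safe($db, '59'));         // a plain integer is still served

// is_numeric() rejects the value above, but it also accepts floats and
// exponent notation; FILTER_VALIDATE_INT accepts integers only.
foreach (['59', '59 or cid=2', '1e3', '5.9'] as $v) {
    printf("%-14s is_numeric=%d  VALIDATE_INT=%d\n", var_export($v, true),
        is_numeric($v), filter_var($v, FILTER_VALIDATE_INT) !== false);
}
```

Validation and parameter binding are complementary: the bound parameter keeps the value out of the SQL text even if a validation check is later loosened or removed.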