I am posting the necessary reply for all phpNuke users for part 2.
I will analyze the effects of part 1 shortly.
FILE: modules/Web_Links/index.php
Latest RavenNuke and Nuke Patched Core releases
Unaffected, you are fine
Current Patched 3.3 release for phpNuke 7.8 and lower
The function ratelink does not filter $lid, perhaps allowing CSS issues
Also, this fix adds a filter to the ttitle variable
Current Patched 3.3 release for phpNuke 7.9 and higher
$lid filtering is placed improperly in releases for 7.9 and 8.0
CHANGE
Code:
(Twice, one in function viewlinkcomments and function viewlinkeditorial)
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
$ttitle = filter($row['title'], "nohtml");
$lid = intval(trim($lid));
TO
$lid = intval(trim($lid));
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
$ttitle = filter($row['title'], "nohtml");
OpenTable();
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
TO
OpenTable();
$lid = intval($lid);
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
_________________ Evaders99 Webmaster Administrator Fighting is terrible, but not as terrible as losing the will to fight.
- SW:Rebellion Network - Evaders Squadron Coding -
In a very contrived way, I added some SQL code in mainfile.php to allow a typical UNI0N attack. If it got through all the filtering, then this code would load and show the admin's password
Nuke Sentinel
Anyone using Nuke Sentinel is secure.
Sentinel uses a function to clean up the strings before it is checked, thus this vulnerability does not exist.
function completevotefooter($lid, $ratinguser) {
global $prefix, $db, $sitename, $module_name;
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM
".$prefix."_links_links where lid='$lid'"));
$ttitle = filter($row['title'], "nohtml");
include("modules/$module_name/l_config.php");
$lid = intval($lid);
TO
function completevotefooter($lid, $ratinguser) {
global $prefix, $db, $sitename, $module_name;
$lid = intval($lid);
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM
".$prefix."_links_links where lid='$lid'"));
$ttitle = filter($row['title'], "nohtml");
include("modules/$module_name/l_config.php");
_________________ Evaders99 Webmaster Administrator Fighting is terrible, but not as terrible as losing the will to fight.
- SW:Rebellion Network - Evaders Squadron Coding -
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
![Welcome to Evaders Squadron Coding [ESC]](themes/Onset/images/logo.gif){kind=logo}
