SW:Rebellion NetworkHosted by the SW:Rebellion Network
Welcome to Evaders Squadron Coding [ESC]
For phpNuke services: you can check out all the Coding Services we have to offer!
Home Forums Nuke Patched Core Coding Services Webmaster Services Personal
  Login/Create an Account    

Forums
· Forums FAQ
· Search
· Usergroups
· Profile
· Private Messages

Support Us
This site runs with your support. Please donate:

User Info/Login
Welcome, Anonymous
Nickname
Password
Security Code: Security Code
Type Security Code

(Register)
Membership:
Latest: kurkistan
New Today: 2
New Yesterday: 2
Overall: 9616
People Online:
Visitors: 11
Members: 0
Total: 11

Link to Us

Affliates
RPG Boards Hosting

 Evaders Squadron Coding [ESC] :: View topic - Security: PHP-Nuke SQL Filter Bypass and SQL Injection Vulne
Security: PHP-Nuke SQL Filter Bypass and SQL Injection Vulne

 
Post new topic   Reply to topic    Evaders Squadron Coding [ESC] Forum Index -> Coding Services
View previous topic :: View next topic  
Author Message
Evaders99



Joined: Jan 11, 2002
Posts: 3063
Location: USA
PostPosted: Fri Apr 20, 2007 2:51 pm    Post subject: Security: PHP-Nuke SQL Filter Bypass and SQL Injection Vulne Reply with quote
In response to the report here
http://secunia.com/advisories/24949/


I am posting the necessary reply for all phpNuke users for part 2.
I will analyze the effects of part 1 shortly.

FILE: modules/Web_Links/index.php

Latest RavenNuke and Nuke Patched Core releases
Unaffected, you are fine

Current Patched 3.3 release for phpNuke 7.8 and lower
The function ratelink does not filter $lid, perhaps allowing CSS issues
Also, this fix adds a filter to the ttitle variable

Change
Code:

OpenTable();
$ttitle = htmlentities($ttitle);

TO

OpenTable();
$lid = intval($lid);
$ttitle = check_html($ttitle, 'nohtml');
$ttitle = htmlentities($ttitle);




Current Patched 3.3 release for phpNuke 7.9 and higher

$lid filtering is placed improperly in releases for 7.9 and 8.0

CHANGE

Code:


(Twice, one in function viewlinkcomments and function viewlinkeditorial)

$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
$ttitle = filter($row['title'], "nohtml");
$lid = intval(trim($lid));

TO

$lid = intval(trim($lid));
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
$ttitle = filter($row['title'], "nohtml");



OpenTable();
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));

TO

OpenTable();
$lid = intval($lid);
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));

_________________
Evaders99
SW:Rebellion Fans! Webmaster
Star Wars roleplaying community! Administrator

Fighting is terrible, but not as terrible as losing the will to fight.
- SW:Rebellion Network - Evaders Squadron Coding -

The cake is a lie.
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger
Evaders99



Joined: Jan 11, 2002
Posts: 3063
Location: USA
PostPosted: Fri Apr 20, 2007 3:34 pm    Post subject: Reply with quote
To Part 1:

In a very contrived way, I added some SQL code in mainfile.php to allow a typical UNI0N attack. If it got through all the filtering, then this code would load and show the admin's password

Nuke Sentinel

Anyone using Nuke Sentinel is secure.
Sentinel uses a function to clean up the strings before it is checked, thus this vulnerability does not exist.

includes/nukesentinel.php
Code:

$nsnst_const['query_string'] = st_clean_string(get_query_string());



Without Sentinel - using the Patched files

We need to go ahead and add some additional blocks

FILE: mainfile.php

I have posted the changes in this text file

http://evaders.swrebellion.com/evaders99/nuke_filtering1.txt

If you need a visual to where these changes go, see
http://evaders.swrebellion.com/modules.php?name=NukeWrap&page=cvsrepos/mainfile.php
Hit the link to Diff to previous 1.43
_________________
Evaders99
SW:Rebellion Fans! Webmaster
Star Wars roleplaying community! Administrator

Fighting is terrible, but not as terrible as losing the will to fight.
- SW:Rebellion Network - Evaders Squadron Coding -

The cake is a lie.
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger
Evaders99



Joined: Jan 11, 2002
Posts: 3063
Location: USA
PostPosted: Sat Apr 21, 2007 10:36 pm    Post subject: Reply with quote
An addendum to Part 2 (thanxs chatserv!)


For Patched 3.3 - phpNuke 7.9 and higher

Code:

function completevotefooter($lid, $ratinguser) {
   global $prefix, $db, $sitename, $module_name;
   $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM
".$prefix."_links_links where lid='$lid'"));
   $ttitle = filter($row['title'], "nohtml");
   include("modules/$module_name/l_config.php");
   $lid = intval($lid);

TO

function completevotefooter($lid, $ratinguser) {
   global $prefix, $db, $sitename, $module_name;
   $lid = intval($lid);
   $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM
".$prefix."_links_links where lid='$lid'"));
   $ttitle = filter($row['title'], "nohtml");
   include("modules/$module_name/l_config.php");

_________________
Evaders99
SW:Rebellion Fans! Webmaster
Star Wars roleplaying community! Administrator

Fighting is terrible, but not as terrible as losing the will to fight.
- SW:Rebellion Network - Evaders Squadron Coding -

The cake is a lie.
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger
Display posts from previous:   
Post new topic   Reply to topic    Evaders Squadron Coding [ESC] Forum Index -> Coding Services All times are GMT - 5 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

^Top
Home Your Account Forums Downloads F.A.Q. Submit News Hosting Contact Us

© 2005 - 2007 by Evaders99. All Rights Reserved.
All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters.
You can syndicate our news using the file backend.php
 PHP-Nuke Copyright © 2005 by Francisco Burzi. This is free software, and you may redistribute it under the GPL.
PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.97 Seconds