[40348] in bugtraq
Re: PHP Nuke <= 7.8 Multiple SQL Injections
daemon@ATHENA.MIT.EDU (Matthias Jim Knopf)
Fri Sep 16 18:18:27 2005
Date: Fri, 16 Sep 2005 00:44:38 +0200 (MEST)
From: Matthias Jim Knopf <jim@users.de>
Reply-To: jim999@gmx.net
To: Paul Laudanski <zx@castlecops.com>
Cc: r.verton@gmail.com, bugtraq@securityfocus.com, bugs@securitytracker.com,
moderators@osvdb.org, news@securiteam.com, vuln@secunia.com
In-Reply-To: <Pine.LNX.4.44.0509140031510.24749-100000@bugsbunny.castlecops.com>
Message-ID: <Pine.LNX.4.21.0509160039510.29826-100000@laura.nettrade.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
What do you gain from that? In what way would you think your advice did
ANYTHING GOOD?
You did neither issue a "addslashes()" as appropriate for SQL-commands,
nor did you explain, why a variable set by a POST or a COOKIE could be
worse than anything you could give any URL by appending '?name=...' or
'&name=...' (->GET vars)
Greetings, Matthias "jim" Knopf
--
GPG/PGP encrypted mails welcome!
Windose Milenium Bug
> > PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
> > These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
> >
> > In the modules.php
> >
> > $result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");
> >
> > The $name variable is not checked so you could inject malicious SQL Code. In an file which is included whe have the following code:
[...]
> The $name variable and others like $sid are expected via $_GET and not
> $_POST. The proper start to sanitizing the data here is to ensure that
> $name is obtained via $_GET and not injected by $_POST, $_COOKIE, or
> anything else.
[...]
> To be specific, find the modules.php file and check for the first instance
> of "$name". An example:
>
> "if (isset($name)) {"
>
> Prior to that, simply put in such a line:
>
> $name = $_GET['name'];
