----------------------------------------------------------------------

Secunia customers receive relevant and filtered advisories.
Delivery is done via different channels including SMS, Email, Web,
and https based XML feed.

http://corporate.secunia.com/trial/38/request/

----------------------------------------------------------------------

TITLE:
PHP-Nuke SQL Filter Bypass and SQL Injection Vulnerabilities

SECUNIA ADVISORY ID:
SA24949

VERIFY ADVISORY:
http://secunia.com/advisories/24949/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information

WHERE:
From remote

SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/

DESCRIPTION:
Aleksandar has discovered some vulnerabilities in PHP-Nuke, which can
be exploited by malicious people to conduct SQL injection attacks and
to bypass certain security restrictions.

1) The product's SQL injection filter checks for the string "/*" but
not for the URL-encoded version "%2f%2a". This can be exploited to
bypass the SQL injection filter.

2) Input passed to the "lid" parameter through modules.php to
modules/Web_Links/index.php (when "l_op" is set to
"viewlinkcomments", "viewlinkeditorial", or "ratelink") is not
properly sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieving administrator password
hashes, but requires that "magic_quotes_gpc" is disabled, and that
the attacker has knowledge of the database table prefix.

3) Input passed to the "lid" parameter through modules.php to
modules/Downloads/index.php (when "d_op" is set to
"viewdownloadeditorial", "viewdownloadcomments", or "ratedownload")
is not properly sanitised before being used in SQL queries. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL
code.

Successful exploitation allows e.g. retrieving administrator password
hashes, but requires that "magic_quotes_gpc" is disabled, and that
the attacker has knowledge of the database table prefix.

The vulnerabilities are confirmed in version 7.9. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised and
that the SQL injection filter checks for both normal and URL-encoded
versions of dangerous strings.

Set "magic_quotes_gpc" in php.ini to On.

Use another product.

PROVIDED AND/OR DISCOVERED BY:
Aleksandar

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------
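The two defects above share one lesson: a string blocklist applied to raw input misses encoded forms (item 1), and the real fix for items 2 and 3 is typed validation plus parameter binding rather than a better blocklist. The following is an added illustration, not PHP-Nuke code: it assumes the filter inspects the raw query string (as the advisory implies), uses a constructed `links` table in place of the prefixed PHP-Nuke table, and constructed sample requests.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample query strings modelled on item 2 of the advisory:
# the blocked comment opener "/*" literal, percent-encoded, and double-encoded.
SAMPLE_QUERY_STRINGS = [
    "name=Web_Links&l_op=viewlinkcomments&lid=1",
    "name=Web_Links&l_op=viewlinkcomments&lid=1/*",
    "name=Web_Links&l_op=viewlinkcomments&lid=1%2f%2a",
    "name=Web_Links&l_op=viewlinkcomments&lid=1%252f%252a",
]

BLOCKED_SEQUENCES = ("/*",)  # the one string the advisory says the filter checks


def weak_filter(query_string: str) -> bool:
    """Filter as described in item 1: matches the literal string only."""
    return any(seq in query_string for seq in BLOCKED_SEQUENCES)


def canonicalize(query_string: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    singly or doubly encoded forms are compared in their decoded shape."""
    current = query_string
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def hardened_filter(query_string: str) -> bool:
    """Same blocklist, applied to the canonical form (the advisory's SOLUTION)."""
    return weak_filter(canonicalize(query_string))


def lid_is_well_formed(lid: str) -> bool:
    """Positive validation for 'lid': the parameter must be a plain integer."""
    return re.fullmatch(r"[0-9]{1,10}", lid) is not None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the prefixed PHP-Nuke links table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (lid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO links VALUES (1, 'example link')")
    return conn


def fetch_link_row(conn: sqlite3.Connection, lid: str):
    """Mitigation for items 2 and 3: reject malformed input, then bind the value
    with a placeholder instead of concatenating it into the SQL text."""
    if not lid_is_well_formed(lid):
        return None
    return conn.execute("SELECT lid, title FROM links WHERE lid = ?", (int(lid),)).fetchone()
```

With this shape the filter bypass in item 1 disappears, and the "lid" query no longer depends on magic_quotes_gpc at all.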