Possible bug in PHPNuke and other CMS's

#1   Possible bug in PHPNuke and other CMS's
Telli
There is a vulnerability in PHPNuke that permits execution of arbitrary SQL queries on a database located on the same server as an attacker's account. This is the procedure: first of all, the attacker must create a symlink pointing to the victim's db directory in the PHPNuke home directory, because of the mainfile.php include method. After that he can write simple PHP code that executes a query against the PHPNuke database.

Example:

<?php
require_once ("/location_of_victim's_PHPNuke/mainfile.php");
$sql = $db->sql_query("SELECT foo,bar FROM ".$prefix."_something");
while($record = $db->sql_fetchrow($sql))
    echo "Username: $record[foo]\n<br>\nPassword: $record[bar]\n<br><br>\n";
unset($sql);
?>


Queries are executed normally because config.php (which is included by mainfile.php) provides the information needed to connect to the chosen database. This is a very easy way to deface PHPNuke-based websites, or to add and remove users, and so on.

This "homemade patch" goes in config.php, just below the connection variables. It checks the domain name provided by the web server against the one provided by the user and grants execution of SQL queries only if the domain names match.

Code:


$domainname = "www.domain.com";
if ($_SERVER['SERVER_NAME'] != $domainname) {
    echo "Access denied";
    die();
}


source - [ Register or login to view links on this board. ]



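A variant of the config.php guard from the first post, as an added example that is not part of the original post or of PHPNuke: it checks where the request's entry script lives rather than which host name was requested. The helper name `entry_script_is_local` and the assumption that config.php sits in the site's top-level directory are this example's own.

```php
<?php
// Added example, not PHPNuke code: guard for config.php that looks at the
// location of the entry script instead of the requested host name.

/**
 * Return true when $entryScript resolves to a file inside $siteRoot.
 * (Hypothetical helper written for this example.)
 */
function entry_script_is_local($entryScript, $siteRoot)
{
    $entry = realpath($entryScript);   // resolves symlinks; false if missing
    $root  = realpath($siteRoot);
    if ($entry === false || $root === false) {
        return false;                  // fail closed on anything unresolvable
    }
    // Append a separator so /home/site does not also match /home/site-other.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($entry, $root, strlen($root)) === 0;
}

// get_included_files() lists the script PHP was started with first, followed
// by every file pulled in through include/require.
$included = get_included_files();

// Assumption: config.php sits in the site's top-level directory, so its own
// directory is treated as the site root.
if (!entry_script_is_local($included[0], dirname(__FILE__))) {
    if (!headers_sent()) {
        header('HTTP/1.1 403 Forbidden');
    }
    die('Access denied');
}
```

It goes just below the connection variables, where the post places its own check. File permissions that keep config.php unreadable to other accounts on the host are still needed, because the guard only runs when PHP executes the file.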
#2   
jcb
Hi Telli,

I have applied this patch, is there anything else I need to know or will this just help protect my site silently in the background?

Regards

Jon




#3   re: Possible bug in PHPNuke and other CMS's
jabba
Thanks for the info Telli.
It'd be a good idea for everyone to sign up for the Security Focus Bugtraq mailing list or at the very least create an RSS feed on your site.



#4   re: Possible bug in PHPNuke and other CMS's
Krewl
Added it to the config... but got this when accessing Forums or PM Module

message_die() was called multiple times. This isn't supposed to happen. Was message_die() used in page_tail.php?


Checking the files for the die messages, not sure why... The mainpage loads fine with the code snippet in place.


#5   
akamattz
hi telli ..

this is an informative post thanks for this man.!


