Title: PHP-Nuke Remote SQL Query Manipulation Vulnerability
Severity: HIGH
Description:
PHP-Nuke is a website creation/maintenance tool written in PHP3.
PHP-Nuke reportedly contains a vulnerability introduced in a new feature which may permit remote attackers to execute almost arbitrary SQL queries.
In version 5.x of PHP-Nuke, the administrator can set an arbitrary prefix for the database table names. Because it is a prefix for PHP-Nuke tables, this variable is included in many SQL queries used by PHP-Nuke.
If remote clients can submit their own value for 'prefix', they can alter SQL query strings so that almost arbitrary database operations are performed.
By default, most PHP-Nuke scripts include a PHP file called 'mainfile.php' containing library code and constants for use throughout the application. 'prefix' is defined in this file, and scripts that include 'mainfile.php' cannot be exploited by remote attackers, because the 'prefix' value defined in 'mainfile.php' overrides any remotely supplied value. In some scripts, however, attackers may be able to prevent 'mainfile.php' from being included, making it possible to supply an arbitrary 'prefix' value. The file 'article.php' is reportedly such a script: if the 'mainfile' variable is passed to the script remotely, 'article.php' does not include 'mainfile.php'.
Once the file is not included in a PHP script, the attacker may supply an arbitrary 'prefix' value. The 'prefix' value is used in the following manner:
UPDATE $prefix"._stories." SET..
A remote attacker can supply a value for 'prefix' that takes control of the query text following the 'UPDATE' keyword. In this example, an attacker can cause an arbitrary table to be updated in any way permitted by the database access controls. Attackers may, for example, be able to 'UPDATE' all of the administrators' passwords to values known to the attacker, and then log into PHP-Nuke as an administrator.
This may permit remote attackers to delete or corrupt data, elevate PHP-Nuke privileges, or possibly even gain local access to the database server.
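As an added example (not code from this advisory or from PHP-Nuke itself), the following Python shows two defender-side checks that follow from the description above: a table-prefix validator that enforces the only shape a legitimate prefix can have before it is concatenated into the UPDATE statement, and a scan over access-log lines that flags requests trying to pass 'prefix' or 'mainfile' from the outside. The log lines, addresses and parameter values are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A table prefix is a bare SQL identifier fragment (letters, digits, underscore,
# bounded length). Spaces, quotes or keywords such as SET/WHERE can never be part
# of a legitimate prefix, but would change the shape of "UPDATE <prefix>_stories SET ...".
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def is_valid_prefix(prefix: str) -> bool:
    """True only when the prefix is a plain identifier."""
    return bool(_IDENT.match(prefix))

def build_update(prefix: str, set_clause: str) -> str:
    """Hardened form of the advisory's query: the prefix is validated before it is
    concatenated, so it cannot alter which table or clause the statement touches."""
    if not is_valid_prefix(prefix):
        raise ValueError(f"table prefix is not a bare identifier: {prefix!r}")
    return f"UPDATE {prefix}_stories SET {set_clause}"

# Parameters the application should only ever obtain from mainfile.php itself;
# seeing them in a request query string is the signal a defender wants to log.
_SUSPICIOUS_PARAMS = {"prefix", "mainfile"}
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Yield (script_path, offending_params) for each request to a .php script
    whose query string carries any of _SUSPICIOUS_PARAMS."""
    for line in lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(".php"):
            continue
        hits = _SUSPICIOUS_PARAMS & set(parse_qs(url.query, keep_blank_values=True))
        if hits:
            yield url.path, sorted(hits)

# Constructed sample lines in Apache common log format, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /article.php?sid=12 HTTP/1.0" 200 5120',
    '10.0.0.9 - - [01/Jan/2001:10:00:05 +0000] "GET /article.php?mainfile=1&prefix=x HTTP/1.0" 200 310',
    '10.0.0.7 - - [01/Jan/2001:10:00:09 +0000] "GET /images/logo.gif?prefix=x HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    print(build_update("nuke", "counter=counter+1"))
    for path, params in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request to {path}: {params}")
```

Only the second sample line is reported, since the third targets a static file rather than a PHP script; the same validator applied inside the application is what keeps a remotely supplied 'prefix' from rewriting the statement even when the include is bypassed.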
Affected Products:
- Francisco Burzi PHP-Nuke 5.0.0
- Francisco Burzi PHP-Nuke 5.0.1
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.