Great Reviews!Need help setting up your website, installing Apache, PHP, MySQL, or PhpNuke?Need help customizing or designing scripts?Please contact me via the Contact Us option for further details and pricing.
IMPACT: Manipulation of data, Exposure of sensitive information product/2385/
DESCRIPTION: Paisterist has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed to the "cat" parameter through index.php to blocks/block-Old_Articles.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation e.g. allows retrieval of administrator usernames and password hashes, but requires that "register_globals" is enabled, "magic_quotes_gpc" is disabled, and the attacker knows the prefix for the database tables. The vulnerability is confirmed in version 7.9. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly sanitised. Use another product.
PROVIDED AND/OR DISCOVERED BY: Paisterist
ORIGINAL ADVISORY: http://www.neosecurityteam.net/advisories/PHP-Nuke-7.9-Old-Articles-Block-cat-SQL-Injection-vulnerability-31.html
Posted on Wednesday, January 17, 2007 @ 23:28:52 EST by Raven
Re: PHP-Nuke *cat* Old Articles Block SQL Injection (Score: 1) by Gremmie on Thursday, January 18, 2007 @ 11:56:53 EST Not registered user
I looked at the code, and a simple
$cat = intval($cat);
after the global statement should fix that.
However, that begs the question...why does the block rely on some random global variable like $cat? I looked for $cat in mainfile.php and did not find it. I think that block is using several other globals that aren't defined anywhere. Could it be this block is really old and was not updated? Anyway, I didn't understand where $cat was coming from and all that code that uses it should probably get removed. I cannot recall ever seeing anything that allows the Old Articles block to display old articles from a certain category only.
Re: PHP-Nuke *cat* Old Articles Block SQL Injection (Score: 1) by oprime2001 on Friday, January 19, 2007 @ 11:49:08 EST Not registered user
Wouldn't NukeSentinel pick up any attempts to use this vulnerability since phpnuke blocks are required to have been called from index.php which in itself requires mainfile.php which ultimately calls NukeSentinel security procs and the such? Or am I mistaken?
![[Valid RSS]](http://ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
