SECUNIA ADVISORY ID: SA24949
VERIFY ADVISORY: http://secunia.com/advisories/24949/
CRITICAL: Moderately critical
IMPACT: Security Bypass, Manipulation of data, Exposure of sensitive information
WHERE: From remote
SOFTWARE: PHP-Nuke 7.x - http://secunia.com/product/2385/
DESCRIPTION: Aleksandar has discovered some vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks and to bypass certain security restrictions.
1) The product's SQL injection filter checks for the string "/*" but not for the URL-encoded version "%2f%2a". This can be exploited to bypass the SQL injection filter.
2) Input passed to the "lid" parameter through modules.php to modules/Web_Links/index.php (when "l_op" is set to "viewlinkcomments", "viewlinkeditorial", or "ratelink") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation allows e.g. retrieving administrator password hashes, but requires that "magic_quotes_gpc" is disabled, and that the attacker has knowledge of the database table prefix.
3) Input passed to the "lid" parameter through modules.php to modules/Downloads/index.php (when "d_op" is set to "viewdownloadeditorial", "viewdownloadcomments", or to "ratedownload") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation allows e.g. retrieving administrator password hashes, but requires that "magic_quotes_gpc" is disabled, and that the attacker has knowledge of the database table prefix.
The vulnerabilities are confirmed in version 7.9. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly sanitised and that the SQL injection filter checks for both normal and URL-encoded versions of dangerous strings.
Set "magic_quotes_gpc" in php.ini to On.
Use another product.
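As an added example (not PHP-Nuke's own code), the two changes the SOLUTION section asks for: decode the query string to a canonical form before the deny-list check, so that "/*" and its URL-encoded form "%2f%2a" are treated identically, and accept "lid" only as a positive integer before it reaches a query. The deny-list contents and the assumption that the filter inspects the raw query string are illustrative, not taken from the product's actual filter.

```php
<?php
// Added example, not PHP-Nuke code. Assumes the filter, like the one the
// advisory describes, inspects the raw query string; the deny-list below is
// illustrative, not the product's actual list.

// Decode until the string stops changing, so "%2f%2a" (and a double-encoded
// "%252f%252a") are compared in the same form as a literal "/*".
function canonicalise(string $raw): string
{
    do {
        $previous = $raw;
        $raw = urldecode($raw);
    } while ($raw !== $previous);
    return $raw;
}

// Deny-list check over the canonical form instead of the raw bytes.
function queryStringBlocked(string $queryString): bool
{
    $dangerous = ['/*', '*/'];
    $canonical = canonicalise($queryString);
    foreach ($dangerous as $needle) {
        if (strpos($canonical, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// "lid" is a numeric link id: accept it only as a positive integer, so nothing
// but digits can reach the SQL query. Bind it in a prepared statement rather
// than interpolating it; this, not the deny-list, is the primary control.
function linkIdOrNull($lid): ?int
{
    $value = filter_var($lid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Constructed sample query strings for demonstration.
$samples = [
    'name=Web_Links&l_op=viewlinkcomments&lid=5',
    'name=Web_Links&l_op=viewlinkcomments&lid=5/*',
    'name=Web_Links&l_op=viewlinkcomments&lid=5%2f%2a',
];
foreach ($samples as $qs) {
    parse_str($qs, $params);
    printf("%-50s blocked=%s lid=%s\n", $qs,
        queryStringBlocked($qs) ? 'yes' : 'no',
        var_export(linkIdOrNull($params['lid'] ?? ''), true));
}
```

The first sample passes both checks; the second and third are blocked by the filter in both spellings, and "lid" is rejected as a non-integer regardless of the filter outcome.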
PROVIDED AND/OR DISCOVERED BY: Aleksandar
Note: Please note that RavenNuke(tm) is not affected by this exploit. We also could not recreate it if your site is protected by NukeSentinel(tm).
Re: PHP-Nuke SQL Filter Bypass and SQL Injection Vulnerabilities
Nice note on the end.