SQL injection vulnerabilities in PHP-Nuke
Three flaws have been discovered by Aleksandar, an anonymous security researcher, in various versions of the widely used open source content management system PHP-Nuke. The first affects the product's SQL injection filter, and results from the filter's failure to check for the string "%2f%2a", the URL encoded version of "/*". Users are advised to edit the source code to correct this flaw, and specimen code is given in the advisory.
The second vulnerability is a failure to sanitise input passed to the "lid" parameter of modules/Web_Links/index.php through modules.php when "l_op" is set to "viewlinkcomments", "viewlinkeditorial" or "ratelink". It can be exploited to inject arbitrary SQL code, but requires that magic_quotes_gpc is disabled and that the attacker has knowledge of the database table prefix.
The third vulnerability is also a failure to sanitise input passed to the "lid" parameter, but involves modules/Downloads/index.php when "d_op" is set to "viewdownloadededitorial", "viewdownloadedcomments" or "ratedownloaded". It also requires that magic_quotes_gpc is disabled and knowledge of the database table prefix.
It is not clear whether these two vulnerabilities are independent but identical or whether they both result from use of a common module, but both can be protected against by setting magic_quotes_gpc to ON in php.ini, which causes quote characters in all GET, POST and COOKIE parameters to be automatically escaped with a backslash before the script sees them.
Although the original report by Aleksandar quotes version 8.x, according to a report by Secunia the vulnerabilities have been confirmed in version 7.9 and other versions are suspect. The true extent of the problem is therefore currently not clear.
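To make the two defects concrete, the following is an added Python model (not PHP-Nuke's own code) of the filter bypass described above and of the input check the "lid" parameter was missing: a blacklist that only looks for the literal "/*" lets the URL-encoded "%2f%2a" through, whereas decoding before matching catches it, and an integer allow-list on "lid" removes the need to rely on either the blacklist or magic_quotes_gpc. The query strings, the `SAMPLE_QUERIES` list and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings (not taken from the advisory). The third one
# carries "%2f%2a", the URL-encoded "/*" that the original filter did not check.
SAMPLE_QUERIES = [
    "name=Web_Links&l_op=viewlinkcomments&lid=42",
    "name=Web_Links&l_op=viewlinkcomments&lid=42'/*",
    "name=Web_Links&l_op=viewlinkcomments&lid=42%27%2f%2a",
]

# The string the advisory says the filter looks for.
BLOCKED = ["/*"]


def naive_filter_blocks(query_string: str) -> bool:
    """Filter as described in the advisory: match '/*' in the raw query only."""
    return any(token in query_string for token in BLOCKED)


def hardened_filter_blocks(query_string: str) -> bool:
    """Percent-decode (repeatedly, so double encoding does not help) before
    matching, so '%2f%2a' and '%252f%252a' are treated the same as '/*'."""
    decoded = query_string
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return any(token in decoded for token in BLOCKED)


def parse_lid(query_string: str):
    """Allow-list validation for 'lid': Web_Links and Downloads ids are integers,
    so anything that is not a plain number is rejected outright rather than
    being passed to the query and left to a blacklist or magic_quotes_gpc."""
    params = dict(p.split("=", 1) for p in query_string.split("&") if "=" in p)
    raw = unquote(params.get("lid", ""))
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        return None
    return int(raw)
```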
- PHP Nuke 188.8.131.52.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities, advisory by Aleksandar
- PHP-Nuke SQL Filter Bypass and SQL Injection Vulnerabilities, Secunia Advisory