In association with heise online

24 April 2007, 12:26

SQL injection vulnerabilities in PHP-Nuke

Three flaws have been discovered by Aleksandar, an anonymous security researcher, in various versions of the widely used open source content management system PHP-Nuke. The first affects the product's SQL injection filter, and results from the filter's failure to check for the string "%2f%2a", the URL encoded version of "/*". Users are advised to edit the source code to correct this flaw, and specimen code is given in the advisory.

The second vulnerability is a failure to sanitise input passed to the "lid" parameter of modules/Web_Links/index.php through modules.php when "l_op" is set to "viewlinkcomments", "viewlinkeditorial" or "ratelink". It can be exploited to inject arbitrary SQL code, but requires that magic_quotes_gpc is disabled and that the attacker has knowledge of the database table prefix.

The third vulnerability is also a failure to sanitise input passed to the "lid" parameter, but involves modules/Downloads/index.php when "d_op" is set to "viewdownloadededitorial", "viewdownloadedcomments" or "ratedownloaded". It also requires that magic_quotes_gpc is disabled and knowledge of the database table prefix.

It is not clear whether these two vulnerabilities are independent but identical or whether they both result from use of a common module, but both can be protected against by setting magic_quotes_gpc to ON in php.ini, which causes quote characters in all GET, POST and COOKIE parameters to be automatically escaped.
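As an added example (not code from the advisory or from PHP-Nuke itself), the following PHP shows why a filter that inspects the raw query string for "/*" misses its URL-encoded form "%2f%2a", how decoding before matching closes that gap, and why casting "lid" to an integer and binding it in a prepared statement removes the injection regardless of the magic_quotes_gpc setting. The PDO connection, the table name and all function names are assumptions for this example; PHP-Nuke's own database layer is not used.

```php
<?php
// Blocklist in the style described in the advisory: it inspects the raw
// request and so never sees "/*" when the client sends "%2f%2a".
function naiveFilterBlocks(string $rawQuery): bool {
    return strpos($rawQuery, '/*') !== false;
}

// Hardened variant: canonicalise first. The bounded loop also unwraps
// double encoding such as "%252f%252a" before the comparison is made.
function canonicalFilterBlocks(string $rawQuery): bool {
    $decoded = $rawQuery;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;                     // nothing left to decode
        }
        $decoded = $next;
    }
    return strpos($decoded, '/*') !== false;
}

// The structural fix for "lid": it is a numeric identifier, so validate it
// as an integer and bind it. A filter is then defence in depth, not the
// only barrier. $prefix stands for the table prefix the advisory mentions;
// the table name "links" is an assumption.
function fetchLinkComments(PDO $pdo, string $prefix, $lid): array {
    $id = filter_var($lid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                     // reject anything that is not an integer
    }
    $stmt = $pdo->prepare("SELECT * FROM {$prefix}links WHERE lid = :lid");
    $stmt->execute([':lid' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample query strings: a clean id, the literal comment opener,
// its single-encoded form from the advisory, and a double-encoded form.
$samples = ['lid=5', 'lid=5 /*', 'lid=5%20%2f%2a', 'lid=5%20%252f%252a'];

foreach ($samples as $raw) {
    printf("%-22s naive=%-5s canonical=%-5s validated_lid=%s\n",
        $raw,
        naiveFilterBlocks($raw) ? 'block' : 'pass',
        canonicalFilterBlocks($raw) ? 'block' : 'pass',
        var_export(filter_var(substr(rawurldecode($raw), 4), FILTER_VALIDATE_INT), true));
}
```

The validated_lid column shows that only the plain "lid=5" survives integer validation, so the database never receives the remainder of the other three requests whatever the filter decides.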

Although the original report by Aleksandar quotes version 8.x, according to a report by Secunia the vulnerabilities have been confirmed in version 7.9 and other versions are suspect. The true extent of the problem is therefore currently not clear.

(mba)

Permalink: http://h-online.com/-732691