NukeCops  
PHP-Nuke SQL injection vulnerabilities in News Module! Up to 7.9
Security: doctornuke writes "Paisterist has discovered two vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks.... (from http://secunia.com/advisories/23128/) I am not sure the sentinel will be protective or not... doctornuke"

Evaders99's note: This was already reported to chatserv and corrected in the latest Patched files. Please get the new modules/News/index.php file.

Input passed to the "sid" parameter in modules/News/index.php from modules.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows retrieval of administrator usernames and password hashes, but requires that "magic_quotes_gpc" is disabled and that the attacker knows the prefix for the database tables.

The vulnerabilities are confirmed in version 7.9. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Set "magic_quotes_gpc" in php.ini to On.

Use another product.
Posted on Wednesday, November 29 @ 12:43:42 CET by VinDSL
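
The advisory's first fix ("ensure that input is properly sanitised"), sketched as an added example; it is not the patched modules/News/index.php or any other PHP-Nuke code. It assumes "sid" is a numeric story id, and the table `nuke_stories`, the function names and the sample row are hypothetical and constructed for the demonstration.

```php
<?php
// Added illustration, not PHP-Nuke code. Assumptions: "sid" is a numeric
// story id; the table nuke_stories and its single row are constructed.

/** Return "sid" as a positive integer, or null if it is anything else. */
function parse_sid($raw): ?int
{
    // Rejects arrays, signs, quotes, whitespace and any trailing text.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $sid = (int) $raw;
    return $sid > 0 ? $sid : null;
}

/** Look up one story using a bound integer parameter. */
function fetch_story(PDO $db, string $prefix, $rawSid): ?array
{
    // The table prefix comes from site configuration, never from the request.
    if (!preg_match('/^[A-Za-z0-9]+$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $sid = parse_sid($rawSid);
    if ($sid === null) {
        return null;
    }
    $stmt = $db->prepare("SELECT sid, title FROM {$prefix}_stories WHERE sid = :sid");
    $stmt->bindValue(':sid', $sid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE nuke_stories (sid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO nuke_stories (sid, title) VALUES (1, 'Sample story')");

// Constructed inputs: one valid id, then values that must be rejected.
foreach (['1', "1'", '1 trailing text', '-1', '', ['1']] as $input) {
    $story = fetch_story($db, 'nuke', $input);
    printf("%-20s => %s\n", json_encode($input), $story ? $story['title'] : 'rejected');
}
```

Because the value is validated and then bound as an integer, the outcome does not depend on the "magic_quotes_gpc" setting.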
 

