[UNIX] Multiple Vulnerabilities in NukeBookmarks (Full path disclosure, Cross Site Scripting, SQL Injection)
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 30 Mar 2005 11:59:44 +0200
Subject: [UNIX] Multiple Vulnerabilities in NukeBookmarks (Full path disclosure, Cross Site Scripting, SQL Injection)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050330121610.800065746@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vulnerabilities in NukeBookmarks (Full path disclosure, Cross
Site Scripting, SQL Injection)
------------------------------------------------------------------------
SUMMARY
" <http://nukebookmarks.sourceforge.net/>; Nuke Bookmarks is a module for
PHP-Nuke that allows users to store their own personal bookmarks on the
server, much like Yahoo Bookmarks."
Full path disclosure, Cross Site Scripting and SQL Injection
vulnerabilities discovered in NukeBookmarks, compromising th system.
DETAILS
Vulnerable Systems:
* NukeBookmarks Version .6
Immune Systems:
* NukeBookmarks Version .7
Full Path Disclosure Vulnerability:
It's possible to retrieve the full installation path of NukeBookmarks. In
marks.php, some database queries can be manipulated by the user. If the
resulting SQL query is illegal, the functions that runs that query will
return an SQL error, revealing full installation path.
Examples:
http://example.com/modules.php?name=Bookmarks&file=marks
http://example.com/modules.php?name=Bookmarks&file=marks&category=1\'
Cross Site Scripting Vulnerability:
Almost all of the input variables supplied by the user aren't checked and
filtered properly. It's possible to inject malicious javascript code into
the page and perform a cross site scripting attack.
Examples:
http://www.nukesite.com/modules.php?name=Bookmarks&file=del_cat&catname=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=del_mark&markname=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=edit_cat&catname=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=edit_cat&catcomment=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=marks&catname=[code]
http://www.nukesite.com/modules.php?name=Bookmarks&file=uploadbookmarks&category=[code]
SQL Injection:
It's possible to get any content and manipulate the database by exploiting
a SQL Injection vulnerability in marks.php
Example:
http://www.nukesite.com/modules.php?name=Bookmarks&file=marks&catname=1
&category=-1/**/union/**/select%200,aid,0,pwd,0,0%20from%20nuke_authors
This example will get the list of PHPNuke authors and the relative hashes
of the passwords.
ADDITIONAL INFORMATION
The information has been provided by <mailto:astharot@zone-h.org.> Gerardo
Astharot Di Giacomo.
The original article can be found at:
<http://zone-h.org/advisories/read/id=7356>;
http://zone-h.org/advisories/read/id=7356
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
