[waraxe-2007-SA#056] - Another Sql Injection in NukeSentinel 2.5.11 ==================================================================== Author: Janek Vind "waraxe" Date: 27. September 2007 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-56.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Developer: http://www.nukescripts.net NukeSentinel is anti-hacking sofware, used for protection phpnuke against various security-related attacks. Vulnerabilities: Critical Sql Injection in "nukesentinel.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Let's look at script "includes/nukesentinel.php" source code: ------------>[source code]<------------ function is_god($axadmin) { global $db, $prefix, $aname; $tmpadm = base64_decode($axadmin); $tmpadm = explode(":", $tmpadm); $aname = $tmpadm[0]; $apwd = $tmpadm[1]; if(!empty($aname) AND !empty($apwd)) { $aname = trim($aname); $apwd = trim($apwd); $admrow = $db->sql_fetchrow($db->sql_query("SELECT * FROM `".$prefix."_authors` WHERE `aid`='$aname'")); ------------>[/source code]<----------- So as seen in code snippet above, data from "base64_decode()" function is used in sql query without any sanityze. Now is the question, which part of the code uses this function. Here is the answer: ------------>[source code]<------------ // AUTHOR Protection $blocker_row = $blocker_array[5]; if($blocker_row['activate'] > 0) { if(isset($op) AND ($op=="mod_authors" OR $op=="modifyadmin" OR $op=="UpdateAuthor" OR $op=="AddAuthor" OR $op=="deladmin2" OR $op=="deladmin" OR $op=="assignstories" OR $op=="deladminconf") AND !is_god($_COOKIE['admin'])) { block_ip($blocker_row); } } } ------------>[/source code]<----------- It's easy to see, that $_COOKIE['admin'] variable will be used as argument for "is_god()" function. And we have another critical sql injetion in place. I have written proof-of-concept blind injection exploit for this specific case and it's working flawlessly. Happy news to potential victims - developer has allready patched this security hole in NukeSentinel with releasing new version - 2.5.12 //-----> See ya soon and have a nice day ;) <-----// How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NukeSentinel's new version 2.5.12 is patched, so download it A.S.A.P. http://www.nukescripts.net/modules.php?name=Downloads&op=getit&lid=1063 Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb and anyone else who know me! Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale! Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Homepage: http://www.waraxe.us/ Shameless advertise: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Geology readings - http://geology.oldreadings.com/ Biography Database - http://www.biosaxe.com/ ---------------------------------- [ EOF ] ----------------------------