CastleCops® - PHPNuke SQL Injection

Anonymous writes "
PHPnuke, a widely used open-source web portal system, has been found to contain a remotely exploitable SQL injection bug, which allows stealing of the administrator's password hash. With the hash, an attacker may login and gain complete control of the administrative side of the system.

The bug exists in the search engine included with PHPnuke (/modules/search/index.php). In this file, a database call is made without placing quotes around a user supplied variable. Since the database call selects information from the user table, a hacker can use a 'select fish' attack. In this type of attack, the hacker can determine the value of a single character in any given column in the table specified in the statement. The column of most importance to a hacker would be the one holding the administrators encrypted password. Since the passwords in PHPnuke (and many other programs) are an md5 hash, there are only 16 possible values for each character and 32 total characters to expect. Select fishing involves utilizing the MySQL mid() function to return true if the character is guessed correctly, thereby returning a set of results to the screen. If the results show up on the screen, the attacker can determine that the character is guessed correctly, and then proceed to guess the next character in the sequence. Any md5 password hash can be fished in less than 512 (32*16) guesses. When done by hand, this can take anywhere from 20-30 minutes, but when the process is automated with a program it can take only a few minutes. One such program is included at the end of this document.

http://www.xatrix.org/a2703-Secure_Passwords_in_Windows_2000_and_XP.html "


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 141ppm 0.217s (0.01s) Making cybercriminals unhappy since 2002*