On 26 Mar 2005, Gerardo Astharot Di Giacomo wrote:
Product: NukeBookmarks .6
URL: http://nukebookmarks.sourceforge.net/
1) Full path disclosure
It's possible to retrieve the full installation URL of the website. In
"marks.php" file, there are some queries to the database. If some parameters
miss or some strange characters are submitted, the functions that get results
from the database will return an error.
I can understand how full path disclosure can be an issue, however, in a
production environment the PHP settings to display errors ought to be
disabled. As such, full path disclosure goes away.
3) SQL Injection
It's possible to get any content from the database by exploiting a SQL
Injection vulnerability in "marks.php" file.
This example will get the list of PHPNuke authors and the relative hashes of
the passwords.
That is true if the default table names are used. However it would be
worth noting that with any web presence that uses a backend database, the
prefix ought to be changed to something random and non-default.
Does this completely solve the issue, of course not, but it can stop the
script kiddy attacks. For more on this:
http://unixwiz.net/techtips/sql-injection.html
Thanks for the disclosure.
--
Sincerely,
Paul Laudanski .. Computer Cops, LLC.
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
