by r0t, der4444, cembo, VietMafia

Monday, November 28, 2005

Top Music module for PHP Nuke SQL inj. vuln

Vuln. discovered by: r0t
Date: 28 Nov. 2005
Vendor: http://www.sergids.com/
Affected version: 3.0 PR3 and prior

Product Description:
This is a module for PHP-Nuke that allows you to build an interactive music portal without technical knowledge: artists, bands, lyrics, songs, audio tracks...
Features:
:: A-Z list of bands
:: Band information (name, genre, biography...)
:: Band's album list
:: Album information (title, year, band...)
:: Album's song list
:: Song information (title, album, number...)
:: Listen to sample songs
:: Band, album and song searching
:: Tops listing
:: Multilanguage
:: Easy installation and configuration
:: Themes
Latest version: 3.0PR3
Stable version: 3.0PR2
CVS version: 3.0PR3
Version 3.0 is now under development with a new module called Top Music Submitter, which will allow user submissions. Version 3.0 Pre-Release 3 is an adaptation for Top Music Submitter, currently under development. In addition, we have included some features that will be available in version 3.0 final.


Vuln. description:
Input passed to the "idartist", "idalbum" and "idsong" parameters of modules.php (module topMusic, operations "artist" and "song") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate those queries by injecting arbitrary SQL code.

/modules.php?name=topMusic&op=artist&idartist=[SQL]

/modules.php?name=topMusic&op=song&idartist=1&idalbum=1&idsong=[SQL]

/modules.php?name=topMusic&op=song&idartist=1&idalbum=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised. For these numeric id parameters that means casting the value to an integer (for example with intval()) before it reaches the query, or binding it as a query parameter rather than concatenating it into the SQL string.
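To make the advisory's claim and its fix concrete, here is an added example (not the Top Music module's code, and not the vendor's) that models the op=artist lookup two ways: the raw GET value concatenated into the SQL text, as the advisory describes, and the same lookup after an intval()-style cast plus a bound parameter, which is the protection the developer says the module already has. The table names, columns and rows are constructed for the example; sqlite3 stands in for the MySQL backend a PHP-Nuke install would use. Running the three payloads against both handlers shows what a practitioner would check the real handlers for.

```python
import re
import sqlite3

# Constructed stand-in for the module's database. The table and column
# names are assumptions for this example, not taken from Top Music.
_ARTISTS = [
    (1, "Band One", "rock"),
    (2, "Band Two", "jazz"),
    (3, "Band Three", "folk"),
]
_USERS = [("admin", "constructed-hash")]  # constructed row, not real data


def _connect():
    """Build an in-memory database with one artist table and one user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE nuke_topmusic_artists (idartist INTEGER, name TEXT, genre TEXT)"
    )
    conn.executemany("INSERT INTO nuke_topmusic_artists VALUES (?, ?, ?)", _ARTISTS)
    conn.execute("CREATE TABLE nuke_users (username TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO nuke_users VALUES (?, ?)", _USERS)
    return conn


def artist_vulnerable(idartist):
    """op=artist as the advisory describes it: the raw GET value is pasted
    straight into the SQL text (hypothetical reconstruction, not the module's code)."""
    conn = _connect()
    sql = (
        "SELECT idartist, name, genre FROM nuke_topmusic_artists "
        "WHERE idartist=" + idartist
    )
    return conn.execute(sql).fetchall()


def intval(value):
    """Mimic PHP's intval() on a string: the leading integer, or 0 if none."""
    m = re.match(r"^\s*[+-]?\d+", value)
    return int(m.group(0)) if m else 0


def artist_hardened(idartist):
    """Same lookup with both fixes: cast the id to int, then bind it as a parameter
    so the database never parses attacker-controlled text as SQL."""
    conn = _connect()
    return conn.execute(
        "SELECT idartist, name, genre FROM nuke_topmusic_artists WHERE idartist=?",
        (intval(idartist),),
    ).fetchall()


if __name__ == "__main__":
    payloads = (
        "1",                                                    # normal request
        "1 OR 1=1",                                             # dumps every artist
        "-1 UNION SELECT 0, username, pwd FROM nuke_users",     # reads another table
    )
    for payload in payloads:
        print(repr(payload))
        print("  vulnerable:", artist_vulnerable(payload))
        print("  hardened:  ", artist_hardened(payload))
```

The cast alone defeats both payloads for an integer id, because intval("1 OR 1=1") is 1 and the rest of the string is discarded before any SQL is built; the bound parameter is the general fix that also covers string parameters, where an integer cast is not an option.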

Comments:

Anonymous said...

I'm the Top Music module owner and I protect the module by ensuring that URL ids are integers.

SQL injection can't be made

8:37 PM

sergids said...

I'm the Top Music developer and I protected this module from SQL injection in previous versions.

This vulnerability is not real.

9:04 PM

Copyright (c) 2006 Pridels Sec Crew