Secunia

Some vulnerabilities and a security issue have been reported in Mini-NUKE, which can be exploited by malicious people to bypass certain security restrictions and conduct SQL injection attacks.

1) Some input isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Examples:
http://[victim]/news.asp?Action=Print&hid=[code]
http://[victim]/pages.asp?id=[code]
http://[victim]/members.asp?action=member_details&uid=[code]
http://[victim]/articles.asp?action=articles&catid=[code]
http://[victim]/hpages.asp?id=[code]
http://[victim]/programs.asp?action=programs&catid=[code]
http://[victim]/forum.asp?action=Topics&id=[code]

2) The problem is that it is possible to change the password for arbitrary users via the "membership.asp" script without being authenticated.

Example:
http://[victim]/membership.asp?action=lostpassnew

The vulnerabilities and the security issue have been reported in version 1.8.2 and prior. Other versions may also be affected.

Solution
Edit the source code to ensure that input is properly sanitised and that users cannot alter other users' passwords.

Provided and/or discovered by
Mustafa Can Bjorn, IPEKCI

1) Additional examples provided by Moroccan SecurityTeam.

Changelog
Further details available in Customer Area

Original Advisory
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0437.html
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0439.html
http://www.nukedx.com/?viewdoc=7
http://www.nukedx.com/?viewdoc=8
http://www.nukedx.com/?viewdoc=9

Deep Links
Links available in Customer Area