Advisory: PHP-Nuke UNION SQL Injections
|
The Nuke Cops Beta 3 release of Union Tap has so far been tested by PHP-Nuke admins with great success. This code patches all SQL injections based on "UNION" that are delivered via a URL query string. If you are running MySQL 4 or higher, this code is a must to protect your precious portal investment. It resides here and is about to go gold. Why does this patch matter so much more than all the rest?
Using the magic of simple regular expressions (regex), it catches any instance of the word "Union", whatever its case, in both plaintext and Base64. Union Tap is not just the first patch to catch Base64 Union injection attempts; it is also the first to decode raw URLs and catch percent-encoded ones.
False positives are all but eliminated. Security is about adding the best layered protection possible, and if you must run MySQL 4, Union Tap provides the extra, deeper layer that is needed.
Union Tap also takes another step beyond traditional security patches: it takes into account the possibility that your site uses REGISTER_GLOBALS. If your portal uses this PHP setting, Union Tap protects you from possible variable injections.
This leaves us with a multi-faceted injection-stopping patch: Union Tap.
Here is the code:
<?php
//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
// Decode the raw query string, then look for any five characters drawn from the
// letters of UNION/union and of their Base64 forms (VU5JT04 / dW5pb24) followed by a space.
if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$_SERVER["QUERY_STRING"]), $matches)) {
    die("YOU ARE SLAPPED BY <a href=\"http://nukecops.com\">NUKECOPS</a> BY USING '$matches[1]' INSIDE '$loc'.");
}
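As an added example, not code from the Union Tap release or from nukecops.com: the Beta 3 pattern ported to Python so its behaviour can be exercised offline. The first half runs the regex over constructed query strings covering the cases argued about in the article and the comments (plain and percent-encoded UNION, a Base64 form followed by a space, the U/**/NION split raised in the comments, and a harmless search term that shares the letters of "union"). The second half shows the change that removes the need for a keyword filter at all: binding the sid value as a query parameter instead of splicing it into the SQL text. The stories and admins tables and their rows are constructed stand-ins, not PHP-Nuke's schema.

```python
import re
import sqlite3
import urllib.parse

# Port of the Union Tap Beta 3 regex to Python, for evaluating the filter offline.
# The character class is exactly the letters of "UNION"/"union" and of their
# Base64 encodings "VU5JT04"/"dW5pb24"; any five of them followed by a space trip it.
UNION_TAP = re.compile(r"([OdWo5NIbpuU4V2iJT0n]{5}) ")


def union_tap_match(query_string):
    """Return the five-character run the filter would block, or None if it passes."""
    decoded = urllib.parse.unquote(query_string)  # same role as rawurldecode() in the patch
    m = UNION_TAP.search(decoded)
    return m.group(1) if m else None


# Constructed query strings (not taken from the page) covering the cases the
# article and the comments argue about.
SAMPLES = {
    "plain":         "name=News&file=article&sid=1 UNION SELECT 1,2,3",
    "percent":       "name=News&file=article&sid=1%20UNION%20SELECT%201,2,3",
    "base64_run":    "name=News&data=dW5pb24 SELECT",
    "comment_split": "name=News&file=article&sid=1 U/**/NION SELECT 1,2,3",
    "benign":        "name=Search&query=onion soup",
}


def evaluate_filter():
    """Map each sample to what the filter catches (None means it is let through)."""
    return {label: union_tap_match(qs) for label, qs in SAMPLES.items()}


def make_db():
    """In-memory database with constructed rows standing in for portal tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stories (sid INTEGER, title TEXT)")
    conn.execute("CREATE TABLE admins (name TEXT)")
    conn.execute("INSERT INTO stories VALUES (1, 'Welcome')")
    conn.execute("INSERT INTO admins VALUES ('admin_placeholder')")
    return conn


def story_title_concat(conn, sid):
    """How a vulnerable module builds its query: input is spliced into the SQL text."""
    rows = conn.execute(f"SELECT title FROM stories WHERE sid = {sid}").fetchall()
    return sorted(r[0] for r in rows)


def story_title_bound(conn, sid):
    """The fix that needs no keyword filter: sid is bound as a value, never parsed as SQL."""
    rows = conn.execute("SELECT title FROM stories WHERE sid = ?", (sid,)).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    for label, hit in evaluate_filter().items():
        print(f"{label:14} -> {'blocked on ' + repr(hit) if hit else 'passed'}")
    conn = make_db()
    tainted = "1 UNION SELECT name FROM admins"
    print("concatenated:", story_title_concat(conn, tainted))
    print("bound:       ", story_title_bound(conn, tainted))
```

Run as a script to see which samples the filter blocks. The two lookup functions return sorted title lists: the concatenated query turns the tainted sid into a UNION and leaks the second table, while the bound query treats the same string as an ordinary value that matches no row.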
Posted on Tuesday, April 27 @ 14:01:24 CEST by Zhen-Xjell
Re: Advisory: PHP-Nuke UNION SQL Injections (Score: 1) by inkydink1234 on Tuesday, April 27 @ 16:07:57 CEST
Your arrogance in announcing your 'fixes' is disgraceful. This one tops them all, for sure. Especially in light of the fact that it doesn't "it catches any instance of the word "Union" no matter its case-sensitive appeal in both plaintext". I'll get to that in a minute. I have yet to find anywhere else on the Internet a site that offers support with a webmaster that draws attention to himself the way that you do. Regardless of what 'camp' someone is in, these self-exalting announcements are terrible. Chatserv pretty much keeps all nuke sites security clean with his fixes and patches. Never once have I ever seen any attempt to exalt himself. But you know what? Others respect him without self-exaltation. And because his fixes work without several iterations. There are many others who also do their service for the community and let their work speak for them.
Now, onto the proof. Your miracle fix does absolutely nothing to trap the U/**/NION exploit. I have tested all manner of iterations and it sails right past. And encoding it makes it even more fun :).
Do us a favor and just post your code like everyone else and let it stand on its merit. BTW, someone else's UNION patch works. That's how I discovered that yours doesn't.
Re: Advisory: PHP-Nuke UNION SQL Injections (Score: 1) by anthonyaykut (http://www.frame4.com/) on Tuesday, April 27 @ 16:14:14 CEST
Ouch! Flame On!!
While I agree with some of the points made here, I am more curious as to:
(1) What patch works (link)?
(2) Is there a need for this, if Protector is installed?
Ideas?
Re: Advisory: PHP-Nuke UNION SQL Injections (Score: 1) by Adis on Wednesday, April 28 @ 00:11:47 CEST
Just wanna say, thank you ZX, and Raven and chatserv and Mister and.....all others who are helping us. I don't care if you put credits or not; it's your right and choice. Whoever doesn't like that doesn't have to use ZX's or other people's code.
inkydink1234, how about you make a site like this and give us help, patches, fixes, etc.? I'll be glad to use your code. I don't care if you put credits or not; I'll be thankful either way for your help and support.
Re: Advisory: PHP-Nuke UNION SQL Injections (Score: 1) by inkydink1234 on Wednesday, April 28 @ 06:22:24 CEST
We're not talking about credits. Credits are needed and are good! Credits state who contributed what. It's when you claim your product does 100% (quickly debunked) this is the only one this or that and make it look like a few lines of code have saved the world. And also, put it in context, like I said, with the other major contributors out there. They don't glorify themselves. Quit glorifying yourself. Let others write the reviews; not you. Only little men have to keep telling everyone how great they are.
And, btw zx, it still breaks when encoded. Which is probably ok because there is no known exploit for the base64 issue that you have attempted to fix. I'll leave it to you and your crack team to figure it out.