NukeCops - Security Alert

You are missing our premiere tool bar navigation system! Register and use it for FREE!

Create an account

• Home • Downloads • Gallery • Your Account • Forums •

Readme First

- Readme First! -
Read and follow the rules, otherwise your posts will be closed

Modules

· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account

Who's Online

There are currently, 331 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here

Security Alert

Security Alert 7/20/2003!
[Note:Copied from Message post to keep in archives]

I've been helping a user today. He couldn't login as Admin and upon investigation it just looked like a case of a forgotten password. Once I got him up and running, he said he knew he had never entered that author name in the God record. He inspected the nuke.sql file from his v6.8 distro and the INSERT statement to nuke_authors came preinstalled (thank you very much ) with a user 'aaa' and a password that of course was MD5'd! He said he got the v6.8 from a link on nukephp.org.

I won't bother preaching about using versions that aren't public and aren't from reliable sources. Be warned, however, to make sure you know your sources!

Read this post for more on this.

Posted on Sunday, July 27 @ 12:17:49 CEST by [RETIRED]Raven

Most read story about Security:
PHP-Nuke admin.php security hole - PATCHED

Article Rating

Average Score: 1
Votes: 2

Options

Printer Friendly Page

Send to a Friend

The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register

Re: Security Alert (Score: 1)
by stmpeters on Sunday, July 27 @ 14:14:36 CEST
(User Info | Send a Message)

Unfortunately, no new versions of PHP-Nuke have been released to the public since 6.5. If they were released to the public, then there would not be any problems similar to this one.

Re: Security Alert (Score: 1)
by Zhen-Xjell on Sunday, July 27 @ 17:13:03 CEST
(User Info | Send a Message) http://castlecops.com

No that's not a valid statement. The files have been released to the public. Its just that Francisco is trying to make a living like everyone else during these times of economic meltdown. So he has chosen to have dot releases available for distribution via a club membership.

]

Re: Security Alert (Score: 1)
by stmpeters on Sunday, July 27 @ 22:56:55 CEST
(User Info | Send a Message)

Unless I'm mistaken, released to the club is not the same as released to the public. I have no problem with the fact the Fransisco needs to make a living. That is his choice and its perfectly within his rights to do this. Then, he needs to clarify that in the advertising for the Club. Unfortunately, since this code is released under the GPL, it is freely redistributable. Fransisco needs to at least publish an MD5 hash or something to let users verify whether the package they've received is valid or not. Otherwise, users will begin to lose trust and use something else.

]

Re: Security Alert (Score: 1)
by Azmeen on Monday, July 28 @ 21:32:35 CEST
(User Info | Send a Message)

If someone is idiotic enough to not give a quick check on something as simple as an SQL file, then that person deserved to have his/her web site backdoored.

Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.026 Seconds - 581 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)

:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::