Nuke Cops :: View topic - This new security hole...

Author: MechaDragon    Posted: Fri Jun 04, 2004 1:27 pm    Post subject: This new security hole...

Does protector or anything work with it?

http://www.securityfocus.com/archive/1/364725/2004-05-30/2004-06-05/0

Is the fix listed the best one to use?

Author: foxyfemfem    Location: USA    Posted: Fri Jun 04, 2004 3:05 pm    Post subject:

Um, very interesting and I notice the date on that post is May (almost 2 months of age). Okay, can we get a "security" coder to verify if there's a fix for that, has the fix been produced and where the heck can I get the fix? Laughing

Author: alexm    Posted: Fri Jun 04, 2004 3:45 pm    Post subject: Re: This new security hole...

MechaDragon wrote:
Is the fix listed the best one to use?


I'm not an expert on this subject, but the best fix is to make sure that safe_mode is "On" in your PHP. This will disable other users' ability to include() your files.

It's my opinion that if you are on a shared host with safe_mode Off, you have bigger problems than this little script.

I could be wrong. And there's no harm in adding the proposed "fix." Smile

Author: VinDSL    Location: Arizona (USA)    Site Admin: Lenon.com    Admin: Disipal Designs    Posted: Fri Jun 04, 2004 4:35 pm    Post subject: Re: This new security hole...

This is NOT a Nuke security vulnerability IMHO. It's a server administration issue...

In order to use this attack, hackers would need admin privileges on the server in question, in order to create a symlink pointing to someone else's sql db, no? Not only that, but they would need an account on (or access to another client's account on) the same server as you, in order to mount the attack in the first place.

There might be a web host out there stupid enough to give server admin privileges to clients on a shared server, and allow them to access data on other clients' db's, but I doubt it. If so, they wouldn't be in business long.

My fix would consist of changing web hosts... Wink

Author: Chinese_Power    Posted: Fri Jun 04, 2004 5:39 pm    Post subject:

Interesting... But has someone tested this yet? It doesn't work for me

Author: VinDSL    Location: Arizona (USA)    Site Admin: Lenon.com    Admin: Disipal Designs    Posted: Fri Jun 04, 2004 5:55 pm    Post subject:

Chinese_Power wrote:
Interesting... But has someone tested this yet? It doesn't work for me

Are you talking about the quick 'n' dirty patch they suggested, or switching hosts? Laughing

Author: judas    Location: dev/hda1    Posted: Fri Jun 04, 2004 6:34 pm    Post subject: Re: This new security hole...

Imm..This is NOT A BUG ON NUKE.
but if you like the "proposed patch."..I think this will be better
Code:
$domain = $_SERVER['SERVER_NAME'];
$ipserv = gethostbyname($domain);
if ($ipserv != "your_server_ip_address_here") {
    echo "Access denied";
    die();
}

note: I'm trying to reproduce this "bug" and on my server I get 403 errors and other stuff..no real "proof of concept" results.

Author: MechaDragon    Posted: Fri Jun 04, 2004 7:00 pm    Post subject:

foxyfemfem wrote:
Um, very interesting and I notice the date on that post is May (almost 2 months of age). Okay, can we get a "security" coder to verify if there's a fix for that, has the fix been produced and where the heck can I get the fix? Laughing


Two months? May 30 was less than a week ago... am I missing something or not understanding right...

Author: MechaDragon    Posted: Fri Jun 04, 2004 7:03 pm    Post subject: Re: This new security hole...

VinDSL wrote:
This is NOT a Nuke security vulnerability IMHO. It's a server administration issue...


Thanks, didn't quite understand the whole process so I didn't know it had to be on the same server but thanks for the explanation!!

Author: clam729    Posted: Fri Jun 04, 2004 11:15 pm    Post subject: Re: This new security hole...

search for one of my earlier posts about script hijacking, the same goes for this. everyone should add code to their sites to ensure that the scripts are being run from their server.

there are many ways to do this simple check, as i said, one of my earlier posts has some example code in it.

Author: Dunderklumpen    Location: Sweden    Posted: Sat Jun 05, 2004 12:14 am    Post subject: Re: This new security hole...

judas wrote:
Imm..This is NOT A BUG ON NUKE.
but if you like the "proposed patch."..I think this will be better
Code:
$domain = $_SERVER['SERVER_NAME'];
$ipserv = gethostbyname($domain);
if ($ipserv != "your_server_ip_address_here") {
    echo "Access denied";
    die();
}

note: I'm trying to reproduce this "bug" and on my server I get 403 errors and other stuff..no real "proof of concept" results.


Thanks for the suggested patch - now where should I put this in config.php?

Author: kingpin03    Posted: Sat Jun 05, 2004 2:00 am    Post subject:

Dunderklumpen wrote:
judas wrote:
Imm..This is NOT A BUG ON NUKE.
but if you like the "proposed patch."..I think this will be better
Code:
$domain = $_SERVER['SERVER_NAME'];
$ipserv = gethostbyname($domain);
if ($ipserv != "your_server_ip_address_here") {
    echo "Access denied";
    die();
}

note: I'm trying to reproduce this "bug" and on my server I get 403 errors and other stuff..no real "proof of concept" results.


Thanks for the suggested patch - now where should I put this in config.php?

Try header.php instead. Wink

Author: Dunderklumpen    Location: Sweden    Posted: Sat Jun 05, 2004 2:48 am    Post subject: Re: This new security hole...

Ok, thanks - will do.

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 2:54 am    Post subject:

@MechaDragon
Laughing You are correct. I was thinking this month was July not June (way ahead of myself).

I tried that exploit on my website and all I received was the 403 error page, therefore I'm with VinDSL on this one, if the exploit succeeds via another, I'm changing my webhost.

@judas
Thanks for the patch, it's always better to be safe than sorry. I'm adding the patch to mainfile.php

This part $_SERVER['SERVER_NAME']; should SERVER_NAME be as is or am I supposed to add the name of the server I'm on?

Author: VinDSL    Location: Arizona (USA)    Site Admin: Lenon.com    Admin: Disipal Designs    Posted: Sat Jun 05, 2004 4:45 am    Post subject: Re: This new security hole...

clam729 wrote:
...everyone should add code to their sites to ensure that the scripts are being run from their server...

Keep in mind that this attack IS run from your server, via a symlink in another client's account, or so the theory goes.

I don't think there is ANY patch that would work for such a situation, given the type of authentication Nuke uses. Once again, this is a server administration issue. Wink
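
The thread's closing point, that cross-account symlinks are a server administration matter, can be checked from the host side. The following is an added example, not code from the thread or from PHP-Nuke; the function name and the one-home-directory-per-client layout are assumptions. It flags symlinks in one account's web root that resolve outside that account's home or to a file owned by a different user, the same ownership rule Apache applies with SymLinksIfOwnerMatch:

```python
import os
import stat
import sys


def audit_symlinks(docroot, account_home):
    """Walk one account's web root and flag symlinks an admin should review.

    Returns a list of (link_path, reason) tuples. Symlinks are never followed
    during the walk, so a link cannot pull the scan into another account.
    """
    home = os.path.realpath(account_home)
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            link_stat = os.lstat(link)
            if not stat.S_ISLNK(link_stat.st_mode):
                continue
            # Resolve the full chain so link-to-link hops are also covered.
            target = os.path.realpath(link)
            if os.path.commonpath([home, target]) != home:
                findings.append((link, "target outside account home: " + target))
                continue
            try:
                target_stat = os.stat(target)
            except OSError:
                findings.append((link, "dangling symlink"))
                continue
            # Ownership rule: the link and its target must share an owner.
            if target_stat.st_uid != link_stat.st_uid:
                findings.append((link, "target owned by a different user"))
    return findings


if __name__ == "__main__":
    # Assumed usage: audit.py <account web root> <account home directory>
    for link, reason in audit_symlinks(sys.argv[1], sys.argv[2]):
        print(link + ": " + reason)
```
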




All times are GMT - 8 Hours

Page 1 of 4
