Nuke Cops :: View topic - Minor security flaw in Fortress Beta 1.20?
virtuaopolis
Corporal
Joined: Oct 07, 2003
Posts: 64

PostPosted: Mon May 24, 2004 6:15 pm

I have been recently fending off SQL injection attacks of all different types. Fortress seems to be a very great little add-on for any site. I have been testing different injection exploits on my site and I found a hole in the Fortress add-on. If an admin has access to the Authors, they have the ability to inject a query that adds a god admin with SU privs to the site admins.

I don't want to post the exploit as I do not want it to be used against sites; but if Zhen-Xjell would like to contact me to see an example of the hole, I would gladly demonstrate the exploit so it can hopefully be plugged in future releases.
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939

PostPosted: Mon May 24, 2004 7:03 pm

Fortress(tm) does not protect against the injection you speak of. It protects against C-like comments, UNION, and bad HTML tags. What you speak of is a valid URL. I have released Admin Tap version 3 that handles precisely what you are talking about.

That will be integrated into Fortress(tm) in the near future however.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
bretonmage
Captain
Joined: Feb 21, 2004
Posts: 421

PostPosted: Mon May 24, 2004 10:20 pm

Just so you know, Admin Tap conflicts with NSN Groups. It comes up with the "Nuke Cops slaps you silly" thing when accessing it from the admin menu.

virtuaopolis
Corporal
Joined: Oct 07, 2003
Posts: 64

PostPosted: Mon May 24, 2004 10:23 pm

NSN Groups? Is that the groups integration in the PHP-Nuke 7.2 distro from phpNuke.org, and where can I get Admin Tap?
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939

PostPosted: Tue May 25, 2004 6:21 am

You have to make some adjustments to NSN Groups, in the edit users group admin module's PHP file. Look for all the "Header" calls and comment them out; at that point all is well with Admin Tap.

ben2
Nuke Cadet
Joined: Feb 20, 2003
Posts: 4

PostPosted: Tue May 25, 2004 8:10 am

I installed FORTRESS and everything works fine so far.
But why do you ban someone for:
......sid=-1%20ONION%20......
and
......sid=-1%20NOINU%20......
and so on... (there are a lot of 5-letter words you can build with these letters [OdWo5NIbpuU4V2iJT0n])

But you don't ban someone for:
......sid=-1%20UNION%09......

Replacing a blank (%20) with a tab (%09) is not such a big deal, and MySQL doesn't care about the difference.

ben
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939

PostPosted: Tue May 25, 2004 8:48 am

That's why it's beta software, Ben... responses like yours help to make it tighter.

And think about it... how many valid URLs are going to contain:

"NOINU" and other non-sensical words anyway?

In my book, I'd rather be overly cautious than let things actually slip by.

I periodically check my htm file and scan for any false captures, and if any are caught, I remove them from the CSV file. Depending on what the false capture is, it might help to tighten up the code.

However to discuss the problem of:

%09

Let's dissect it. You are trying to use the ampersand command for horizontal tab; it doesn't work in the URI. You would need to use the hex-encoded value for horizontal tab, but that turns out to be a control character and not an actual printable character.

A space, the %20, is a printable character that is allowed within URIs.

The %09, a control character for horizontal tabs is not.

Now I've quickly read the RFC on this:

http://www.faqs.org/rfcs/rfc1738.html

What do you think of this? Is this on target? I'll have to do some more research, but I don't believe the control character for the horizontal tab can be passed via a URL.

publicx2001
Premium
Joined: Feb 11, 2003
Posts: 172
Location: USA

PostPosted: Tue May 25, 2004 10:23 am

Zhen-Xjell wrote:
Fortress(tm) does not protect against the injection you speak of. It protects against C-like comments, UNION, and bad HTML tags. What you speak of is a valid URL. I have released Admin Tap version 3 that handles precisely what you are talking about.

That will be integrated into Fortress(tm) in the near future however.


Do I need to worry about this if I am the only admin on my site?
If I need to install Admin Tap, where do I get it? I've looked and can't find the download.
Thanks
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939

PostPosted: Tue May 25, 2004 10:39 am

Yes, you need to grab Admin Tap Ver 3. It's available from the front page news articles.

As to the Horizontal Tab exploit issue, I did some more research and sure enough it can be encoded and passed just as stated.

I've just updated my local copy of Fortress(tm) and it catches the use of either spaces or horizontal tabs.

Which brings up the question of CRLF.

The %09 will be included in the next release.

Thanks for the heads up.

mitch100degrees
Sergeant
Joined: Feb 01, 2004
Posts: 98
Location: USA, Michigan

PostPosted: Tue May 25, 2004 10:45 am

Hello,

I just want to make sure I am correct here: is this link all of Admin Tap?

http://nukecops.com/article-1997-nested-0-0.html Found it by doing a quick 'Search' through the Stories Archive.

Mitch
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939

PostPosted: Tue May 25, 2004 10:49 am

Yes, but part of it is missing a backslash, and I believe this is it:

Code:

// $checkurl is assumed to hold the request URL being inspected.
// \? makes the "?" a literal so the pattern matches "?admin" in the URL.
if (preg_match("/\?admin/", $checkurl)) {
    echo "die";
    exit;
}

mitch100degrees
Sergeant
Joined: Feb 01, 2004
Posts: 98
Location: USA, Michigan

PostPosted: Tue May 25, 2004 10:53 am

Alrighty, thank you very much.

Mitch
xfsunolesphp
Lieutenant
Joined: Apr 05, 2003
Posts: 208
Location: Melbourne, FL

PostPosted: Tue May 25, 2004 2:35 pm

ZX

It should be:
Code:

// $checkurl is assumed to hold the request URL being inspected.
// Catch "admin" both as the first query parameter (?admin) and as a later one (&admin).
if ((preg_match("/\?admin/", $checkurl)) || (preg_match("/\&admin/", $checkurl))) {
    echo "die";
    exit;
}

That stops blind coding on the admin side.
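Which URLs the two posted patterns actually catch, and what a parameter-name check does differently. This is an added Python example, not Admin Tap's own PHP: the first two functions mirror the /\?admin/ and /\&admin/ patterns from the thread, the third parses the query string instead. The thread does not say what $checkurl holds; the example assumes it is the request path and query string as the server receives it, and the URLs are constructed for illustration.

```python
"""Compare the '?admin' regex, the '?admin or &admin' regex, and a
query-string parse, over constructed request URLs.

Added example, not Admin Tap code. Assumption: the string being checked
is the request path plus query string as the server receives it.
"""
import re
from urllib.parse import parse_qsl, urlsplit


def check_qmark(url: str) -> bool:
    """Zhen-Xjell's pattern: 'admin' immediately after the '?'."""
    return re.search(r"\?admin", url) is not None


def check_qmark_or_amp(url: str) -> bool:
    """xfsunolesphp's pattern: 'admin' after '?' or after '&'."""
    return (re.search(r"\?admin", url) is not None
            or re.search(r"&admin", url) is not None)


def check_param(url: str) -> bool:
    """Parse the query the way the server does (percent-decoding the
    keys) and flag a parameter whose decoded name is exactly 'admin',
    even when its value is empty."""
    query = urlsplit(url).query
    return any(key == "admin"
               for key, _ in parse_qsl(query, keep_blank_values=True))


# Constructed URLs for the example, with the expected verdicts in the
# order (qmark, qmark_or_amp, param).
SAMPLES = [
    ("admin.php?admin=abc", True, True, True),
    # an empty value still sets the parameter
    ("admin.php?admin", True, True, True),
    # later parameter: only the &admin branch sees it
    ("admin.php?op=AddAuthor&admin=abc", False, True, True),
    # the 'a' percent-encoded: both regexes miss it, the parser decodes it
    ("admin.php?op=AddAuthor&%61dmin=abc", False, False, True),
    # substring match on a longer name: a false positive for &admin
    ("modules.php?name=News&sid=5&administrator=1", False, True, False),
    # '?admin' inside a value, not a parameter name
    ("modules.php?name=Search&query=?admin", True, True, False),
]


def mismatches() -> list:
    """Run all three checks over SAMPLES and return the rows whose
    verdicts differ from the expected ones (empty list: all as stated)."""
    bad = []
    for url, *want in SAMPLES:
        got = [check_qmark(url), check_qmark_or_amp(url), check_param(url)]
        if got != want:
            bad.append((url, got))
    return bad


if __name__ == "__main__":
    for url, *_ in SAMPLES:
        print(f"{check_qmark(url)!s:5} {check_qmark_or_amp(url)!s:5} "
              f"{check_param(url)!s:5} {url}")
    print("mismatches:", mismatches())
```

The `&admin` branch is what picks up `admin` when it is not the first parameter, which is the case the single `\?admin` pattern cannot see. Both regexes run on the raw, still-encoded URL, so a percent-encoded letter in the name slips past them while the server still decodes it into a parameter called `admin`; decoding before matching, as `check_param` does, closes that gap. The parser also tells `administrator` apart from `admin`, which the substring patterns do not; whether that extra caution is wanted is the trade-off Zhen-Xjell describes above.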
ben2
Nuke Cadet
Joined: Feb 20, 2003
Posts: 4

PostPosted: Wed May 26, 2004 12:25 am

Quote:
In my book, I'd rather be overly cautious than let things actually slip by.

OK, but I would like to suggest setting a standard background color for the HTML table for non-UNION/C-like cases. My "ONION" attack looks a little dark with the dark blue background.

Quote:
The %09 will be included in the next release.
Thanks for the heads up.

You're welcome.

Quote:
Which brings up the question of CRLF

Yes, I also thought about it, and a single LF could do the trick too. But I never tried to pass it through a URL.

ben
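The %09, %0a and CRLF variants that ben2 and Zhen-Xjell discuss above, side by side with a check that does not depend on which separator the attacker chose. This is an added Python example, not Fortress(tm) code: the thread never shows Fortress's actual rules, so the NAIVE pattern below is an assumed model of the behaviour reported in the thread (%20UNION%20 caught, %20UNION%09 not), and the request URLs are constructed for the example.

```python
"""A UNION filter keyed on %20 versus one that normalises separators.

Added example, not Fortress(tm) code. NAIVE is an assumed model of the
behaviour ben2 reports; HARDENED is the alternative this example proposes.
"""
import re
from urllib.parse import unquote_plus

# Assumed model of the %20-keyed check: the literal encoded space on both
# sides of UNION, matched against the raw (still encoded) URL.
NAIVE = re.compile(r"%20UNION%20", re.IGNORECASE)

# Token separators MySQL accepts between keywords: any whitespace
# character (space, \t, \n, \r, \x0b, \x0c, all covered by \s) or an
# inline C-style comment such as /**/. Zero or more of them in a row.
_SEP = r"(?:\s|/\*.*?\*/)*"

# UNION [ALL|DISTINCT] [(] SELECT, each keyword on word boundaries so that
# anagrams such as ONION or NOINU cannot match. The optional "(" covers
# UNION(SELECT ...), which MySQL parses with no separator at all.
HARDENED = re.compile(
    r"\bUNION\b" + _SEP
    + r"(?:(?:ALL|DISTINCT)\b" + _SEP + r")?"
    + r"\(?" + _SEP + r"\bSELECT\b",
    re.IGNORECASE | re.DOTALL,
)


def naive_flags(url: str) -> bool:
    """True if the %20-keyed pattern fires on the raw URL."""
    return NAIVE.search(url) is not None


def hardened_flags(url: str) -> bool:
    """Decode once, as the server does ('+' becomes a space), then match."""
    return HARDENED.search(unquote_plus(url)) is not None


# Constructed request URLs for the example (not captured traffic), each
# with the verdicts expected from (naive, hardened).
SAMPLES = [
    ("modules.php?name=News&sid=-1%20UNION%20SELECT%201,2,3", True, True),
    # tab instead of space
    ("modules.php?name=News&sid=-1%20UNION%09SELECT%201,2,3", False, True),
    # LF before, CRLF after
    ("modules.php?name=News&sid=-1%0aUNION%0d%0aSELECT%201,2,3", False, True),
    # '+' is a space in a query string
    ("modules.php?name=News&sid=-1+UNION+SELECT+1,2,3", False, True),
    # an inline comment as the separator
    ("modules.php?name=News&sid=-1%20UNION/**/SELECT%201,2,3", False, True),
    # no separator at all
    ("modules.php?name=News&sid=-1%20UNION(SELECT%201,2,3)", False, True),
    # anagrams of the keyword, not the keyword
    ("modules.php?name=Search&query=ONION%20NOINU", False, False),
    # residual false positive: real words in the right order
    ("modules.php?name=Search&query=credit+union+select+committee", False, True),
]


def mismatches() -> list:
    """Run both checks over SAMPLES; return the rows whose verdicts differ
    from the expected ones (empty list means the model behaves as stated)."""
    bad = []
    for url, want_naive, want_hardened in SAMPLES:
        got = (naive_flags(url), hardened_flags(url))
        if got != (want_naive, want_hardened):
            bad.append((url, got))
    return bad


if __name__ == "__main__":
    for url, _, _ in SAMPLES:
        print(f"naive={naive_flags(url)!s:5} hardened={hardened_flags(url)!s:5} {url}")
    print("mismatches:", mismatches())
```

The hardened check decodes once, as the web server does, and treats every whitespace character MySQL accepts plus inline comments as a separator, so the tab, LF and CRLF cases all collapse to the same match. Matching whole keywords on word boundaries is what keeps ONION and NOINU out of the capture file; the price is that an ordinary phrase such as "credit union select committee" is still flagged, which is the kind of false capture Zhen-Xjell says he prefers to review by hand rather than let through.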
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939

PostPosted: Wed May 26, 2004 6:21 am

@xfsunolesphp: actually, I'm not sure why the second component would be needed?

@ben2: It's not supposed to be dark blue; I have noticed that just once on CCSP. If you check, the background color might not be set, and it's a bug.

Powered by phpBB © 2001, 2005 phpBB Group
Ported by Nuke Cops © 2003 www.nukecops.com
Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)