Another Security hole? 13 April 2004?

Lieutenant Joined: Aug 21, 2003 Posts: 213

Hi all,

My ISP sent this in:

Full Article here ->http://secunia.com/advisories/11347/

Is it real and if so anyone got any ideas on how to fix it?

Cheers

Zanis

Description:
Janek Vind has reported some vulnerabilities in PHP-Nuke, allowing malicious people to conduct SQL injection and Cross Site Scripting attacks.

1) Input passed to the "user" parameter is base64 decoded before it is used in SQL queries. This allows malicious people to include characters, which normally would be filtered and thereby manipulate SQL queries. Examples have been posted, which can be exploited to bypass the authentication procedure and read private messages.

This can also be exploited to conduct Cross Site Scripting attacks if certain themes are used.

2) A vulnerability similar to #1 affects the "admin" parameter. An example has been posted, which can be exploited to perform certain administrative functions such as adding users.

The vulnerabilities have been reported in versions 6 through 7.2.

Solution:
Edit the source code to ensure that input is properly verified.

Use another product.

Provided and/or discovered by:
Janek Vind "waraxe"

General Joined: Mar 22, 2003 Posts: 5233 Location: USA

Variations on the UNION theme exploit. If you have not already installed my SQL Injection Hack Alert script, I would advise doing so. It will catch those exploits Wink

Lieutenant Joined: Jul 09, 2003 Posts: 293

I posted news today about this but I'll requote the relevent section:

Quote:

:> Here it is, this little filtering code, in admin.php line 16: :>
:>
:> if (preg_match("/\?admin/", "$checkurl")) {
:>
:> echo "die";
:>
:> exit;
:>
:>
:>
:> This filter suxx, coz we can use urlencoding or POST or
:> COOKIE variable. But I suggest

The patch has changed this to:

if ((!(strpos("$checkmyurl", "?admin=") === FALSE)) ||
(!(strpos("$checkmyurl", "&admin=") === FALSE))) {
echo "die - email Jeruvy for details";
exit;

Details are found right here in this forum.

Lieutenant Joined: Aug 21, 2003 Posts: 213

Raven wrote:

Variations on the UNION theme exploit. If you have not already installed my SQL Injection Hack Alert script, I would advise doing so. It will catch those exploits Wink

Hello!

Yes I have installed your awesome script! I was hoping that it would cover this new attack! Thanks again Raven for contributing it to the community!

Cheers

zanis

P.s does your code take into account Jeruvy's comments?

Nuke Soldier Joined: Mar 16, 2004 Posts: 24

What about a patch to authors.php -- if necessary...?

The full description of the bug is here:

http://www.securityfocus.com/archive/1/360136/2004-04-06/2004-04-12/0

Lieutenant Joined: Aug 21, 2003 Posts: 213

Waldo wrote:

What about a patch to authors.php -- if necessary...?

The full description of the bug is here:

http://www.securityfocus.com/archive/1/360136/2004-04-06/2004-04-12/0

Try the URL in the message after you have installed Ravens script!

[url]http://localhost/nuke71/admin php?op=AddAuthor&add_aid=waraxe2&add_name=God&add_pwd=coolpass&add_email=foo bar com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox[/url]

Note the spaces above - you need to remove them.

Nuke Soldier Joined: Aug 12, 2003 Posts: 22

I have raven's script installed and I don't get the ban message but also it doesn't add anything to my tables either. So I'm confused... (Yes I changed the URL and stuff but all I get it a white page that has nothing)

Posted: Fri Apr 16, 2004 8:36 pm

Add the following to admin.php right after the credits:

Code:

if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
die("Illegal Operation");
}

Nuke Soldier Joined: Apr 15, 2004 Posts: 32

Thanks CS.