zanis
Lieutenant
Joined: Aug 21, 2003
Posts: 213
Posted: Tue Apr 13, 2004 3:43 am
Hi all,
My ISP sent this in:
Full article here -> http://secunia.com/advisories/11347/
Is it real, and if so, has anyone got any ideas on how to fix it?
Cheers
Zanis

Description:
Janek Vind has reported some vulnerabilities in PHP-Nuke, allowing malicious people to conduct SQL injection and Cross Site Scripting attacks.
1) Input passed to the "user" parameter is base64 decoded before it is used in SQL queries. This allows malicious people to include characters which normally would be filtered, and thereby manipulate SQL queries. Examples have been posted which can be exploited to bypass the authentication procedure and read private messages.
This can also be exploited to conduct Cross Site Scripting attacks if certain themes are used.
2) A vulnerability similar to #1 affects the "admin" parameter. An example has been posted which can be exploited to perform certain administrative functions such as adding users.
The vulnerabilities have been reported in versions 6 through 7.2.
Solution:
Edit the source code to ensure that input is properly verified.
Use another product.
Provided and/or discovered by:
Janek Vind "waraxe"
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Tue Apr 13, 2004 4:30 am
Jeruvy
Lieutenant
Joined: Jul 09, 2003
Posts: 293
Posted: Tue Apr 13, 2004 6:51 am
I posted news today about this but I'll requote the relevant section:
Quote:
:> Here it is, this little filtering code, in admin.php line 16:
:>
:> if (preg_match("/\?admin/", "$checkurl")) {
:>     echo "die";
:>     exit;
:> }
:>
:> This filter suxx, coz we can use urlencoding or POST or
:> COOKIE variable. But I suggest
The patch has changed this to:
if ((!(strpos("$checkmyurl", "?admin=") === FALSE)) ||
    (!(strpos("$checkmyurl", "&admin=") === FALSE))) {
    echo "die - email Jeruvy for details";
    exit;
}
Details are found right here in this forum.
_________________ J.
j e r u v y a t y a h o o d o t c o m
zanis
Lieutenant
Joined: Aug 21, 2003
Posts: 213
Posted: Tue Apr 13, 2004 10:10 pm
Raven wrote:
Variations on the UNION theme exploit. If you have not already installed my SQL Injection Hack Alert script, I would advise doing so. It will catch those exploits.
Hello!
Yes, I have installed your awesome script! I was hoping that it would cover this new attack! Thanks again, Raven, for contributing it to the community!
Cheers
zanis
P.S. Does your code take into account Jeruvy's comments?
Waldo
Nuke Soldier
Joined: Mar 16, 2004
Posts: 24
Posted: Fri Apr 16, 2004 5:29 pm
zanis
Lieutenant
Joined: Aug 21, 2003
Posts: 213
Posted: Fri Apr 16, 2004 5:38 pm
Try the URL in the message after you have installed Raven's script!
http://localhost/nuke71/admin php?op=AddAuthor&add_aid=waraxe2&add_name=God&add_pwd=coolpass&add_email=foo bar com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox
Note the spaces above - you need to remove them.
MechaDragon
Nuke Soldier
Joined: Aug 12, 2003
Posts: 22
Posted: Fri Apr 16, 2004 8:22 pm
I have Raven's script installed and I don't get the ban message, but it also doesn't add anything to my tables either. So I'm confused... (Yes, I changed the URL and stuff, but all I get is a white page that has nothing.)
chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted: Fri Apr 16, 2004 8:36 pm
Add the following to admin.php right after the credits:
Code:
if (stristr($_SERVER["QUERY_STRING"], 'AddAuthor') || stristr($_SERVER["QUERY_STRING"], 'UpdateAuthor')) {
    die("Illegal Operation");
}
_________________ Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
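The advisory and waraxe's note quoted by Jeruvy make the same point: the "admin" value is base64 decoded before it reaches the query, and checks that pattern-match the URL miss URL-encoded, POST and COOKIE input. The following is an added example (not PHP-Nuke's own code and not any script from this thread) that validates the decoded value itself on every input channel; the cookie layout base64("aid:md5_of_password:...") and the 25-character aid limit are assumptions.

```php
<?php
// Added example, not PHP-Nuke's own code or any script from this thread.
// Rather than matching "?admin" in the URL (which URL-encoding, POST and
// COOKIE all sidestep, as waraxe notes), validate the decoded value itself.
// Assumed layout: base64("aid:md5_of_password:...") with aid the admin name.

function admin_value_is_safe(string $raw): bool
{
    // Strict mode rejects anything that is not well-formed base64.
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return false;
    }
    $fields = explode(':', $decoded);
    if (count($fields) < 2) {
        return false;
    }
    // aid ends up in a WHERE clause: allow only a plain identifier, so
    // quotes, spaces, comment markers and keywords never reach the query.
    if (!preg_match('/^[A-Za-z0-9_]{1,25}$/', $fields[0])) {
        return false;
    }
    // Second field is the password hash; an md5 hex digest is assumed.
    return preg_match('/^[0-9a-f]{32}$/i', $fields[1]) === 1;
}

function admin_request_is_safe(array $get, array $post, array $cookie): bool
{
    // Apply the same check on every channel, not only the query string.
    foreach ([$get, $post, $cookie] as $source) {
        if (isset($source['admin']) && !admin_value_is_safe((string) $source['admin'])) {
            return false;
        }
    }
    return true;
}

// Value from the URL quoted in this thread; it decodes to x' UNION SELECT 1/*:1
$payload = 'eCcgVU5JT04gU0VMRUNUIDEvKjox';
// Constructed benign value in the assumed layout.
$benign = base64_encode('admin:' . md5('coolpass') . ':10');

var_dump(admin_value_is_safe($payload));
var_dump(admin_value_is_safe($benign));
// The cookie channel is checked too, not just $_GET.
var_dump(admin_request_is_safe([], [], ['admin' => $payload]));
```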
Darby_2k4
Nuke Soldier
Joined: Apr 15, 2004
Posts: 32
Posted: Tue Apr 20, 2004 4:06 am