Nuke Cops :: View topic - Another Security hole? 13 April 2004?
zanis
Lieutenant
Joined: Aug 21, 2003
Posts: 213
Posted: Tue Apr 13, 2004 3:43 am

Hi all,

My ISP sent this in:

Full article here -> http://secunia.com/advisories/11347/

Is it real and if so anyone got any ideas on how to fix it?

Cheers

Zanis

Description:
Janek Vind has reported some vulnerabilities in PHP-Nuke, allowing malicious people to conduct SQL injection and Cross Site Scripting attacks.

1) Input passed to the "user" parameter is base64 decoded before it is used in SQL queries. This allows malicious people to include characters, which normally would be filtered and thereby manipulate SQL queries. Examples have been posted, which can be exploited to bypass the authentication procedure and read private messages.

This can also be exploited to conduct Cross Site Scripting attacks if certain themes are used.

2) A vulnerability similar to #1 affects the "admin" parameter. An example has been posted, which can be exploited to perform certain administrative functions such as adding users.

The vulnerabilities have been reported in versions 6 through 7.2.

Solution:
Edit the source code to ensure that input is properly verified.

Use another product.

Provided and/or discovered by:
Janek Vind "waraxe"
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Tue Apr 13, 2004 4:30 am

Variations on the UNION theme exploit. If you have not already installed my SQL Injection Hack Alert script, I would advise doing so. It will catch those exploits ;)

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff
Jeruvy
Lieutenant
Joined: Jul 09, 2003
Posts: 293
Posted: Tue Apr 13, 2004 6:51 am

I posted news today about this but I'll requote the relevant section:

Quote:

:> Here it is, this little filtering code, in admin.php line 16:
:>
:> if (preg_match("/\?admin/", "$checkurl")) {
:>     echo "die";
:>     exit;
:> }
:>
:> This filter suxx, coz we can use urlencoding or POST or
:> COOKIE variable. But I suggest

The patch has changed this to:


if ((!(strpos("$checkmyurl", "?admin=") === FALSE)) ||
    (!(strpos("$checkmyurl", "&admin=") === FALSE))) {
    echo "die - email Jeruvy for details";
    exit;
}


Details are found right here in this forum.

_________________
J.
j e r u v y a t y a h o o d o t c o m
zanis
Lieutenant
Joined: Aug 21, 2003
Posts: 213
Posted: Tue Apr 13, 2004 10:10 pm

Raven wrote:
Variations on the UNION theme exploit. If you have not already installed my SQL Injection Hack Alert script, I would advise doing so. It will catch those exploits ;)


Hello!

Yes I have installed your awesome script! I was hoping that it would cover this new attack! Thanks again Raven for contributing it to the community!

Cheers

zanis

P.S. Does your code take into account Jeruvy's comments?
Waldo
Nuke Soldier
Joined: Mar 16, 2004
Posts: 24
Posted: Fri Apr 16, 2004 5:29 pm

What about a patch to authors.php -- if necessary...?

The full description of the bug is here:

http://www.securityfocus.com/archive/1/360136/2004-04-06/2004-04-12/0
zanis
Lieutenant
Joined: Aug 21, 2003
Posts: 213
Posted: Fri Apr 16, 2004 5:38 pm

Waldo wrote:
What about a patch to authors.php -- if necessary...?

The full description of the bug is here:

http://www.securityfocus.com/archive/1/360136/2004-04-06/2004-04-12/0


Try the URL in the message after you have installed Raven's script!

[url]http://localhost/nuke71/admin php?op=AddAuthor&add_aid=waraxe2&add_name=God&add_pwd=coolpass&add_email=foo bar com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox[/url]

Note the spaces above - you need to remove them.
MechaDragon
Nuke Soldier
Joined: Aug 12, 2003
Posts: 22
Posted: Fri Apr 16, 2004 8:22 pm

I have Raven's script installed and I don't get the ban message, but it also doesn't add anything to my tables either. So I'm confused... (Yes, I changed the URL and stuff, but all I get is a white page that has nothing)
chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted: Fri Apr 16, 2004 8:36 pm

Add the following to admin.php right after the credits:

Code:
// Refuse any request whose query string names the AddAuthor or UpdateAuthor operation.
if (stristr($_SERVER["QUERY_STRING"], 'AddAuthor') || stristr($_SERVER["QUERY_STRING"], 'UpdateAuthor')) {
    die("Illegal Operation");
}

_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
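
The checks posted in this thread inspect the request URL, while the quoted advisory places the flaw in the "admin" value after it is base64 decoded, and the quoted report notes that the value can also arrive by POST or cookie. The following is an added example, not code from PHP-Nuke or from any poster in this thread: it validates the decoded value and looks the account up with a bound parameter. The token layout "aid:md5hex:lang", the nuke_authors table and all function names are assumptions made for illustration.

```php
<?php
// Added example, not PHP-Nuke code. Assumptions: token = base64("aid:md5hex:lang"),
// table nuke_authors(aid, pwd), pdo_sqlite available for the in-memory demo.

// The URL check quoted in the thread, as a function over the request URI.
function url_filter_blocks(string $requestUri): bool {
    return strpos($requestUri, '?admin=') !== false
        || strpos($requestUri, '&admin=') !== false;
}

// Validate the value after decoding, whichever of GET, POST or cookie carried it.
function parse_admin_token(string $raw): ?array {
    $decoded = base64_decode($raw, true);   // strict mode rejects non-base64 input
    $parts = $decoded === false ? [] : explode(':', $decoded);
    if (count($parts) < 2) {
        return null;
    }
    [$aid, $pwd] = $parts;
    // Allowlist per field: quotes, spaces and comment markers cannot pass.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,25}\z/', $aid)
        || !preg_match('/\A[a-f0-9]{32}\z/', $pwd)) {
        return null;
    }
    return ['aid' => $aid, 'pwd' => $pwd];
}

// Bound parameters keep the decoded value out of the SQL text entirely.
function admin_is_valid(PDO $db, array $token): bool {
    $stmt = $db->prepare('SELECT pwd FROM nuke_authors WHERE aid = ?');
    $stmt->execute([$token['aid']]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, $token['pwd']);
}

// Constructed data: one admin row and one well-formed token for it.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE nuke_authors (aid TEXT PRIMARY KEY, pwd TEXT)');
$db->prepare('INSERT INTO nuke_authors VALUES (?, ?)')->execute(['editor1', md5('constructed-pw')]);
$good = base64_encode('editor1:' . md5('constructed-pw') . ':english');
$fromThread = 'eCcgVU5JT04gU0VMRUNUIDEvKjox';   // admin value from the URL quoted in the thread

// A cookie or POST field never shows up in the URI, so the URL check has nothing to match.
var_dump(url_filter_blocks('/admin.php?op=AddAuthor'));
// The thread's value decodes to text with a quote and spaces: the allowlist refuses it.
var_dump(parse_admin_token($fromThread));
$token = parse_admin_token($good);
var_dump($token !== null && admin_is_valid($db, $token));
```

Run it with the PHP command-line interpreter, version 7.1 or later.
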
Darby_2k4
Nuke Soldier
Joined: Apr 15, 2004
Posts: 32
Posted: Tue Apr 20, 2004 4:06 am

Thanks CS.