Nuke Cops :: View topic - Fix for the latest God Admin creation bug
MGCJerry (Elite Nuker, joined Jun 16, 2003, 220 posts)
Posted: Sat Apr 17, 2004 6:34 pm

My fix checks to see if they are logged in as admin before executing the query, and it directs them to the main page if they are not logged in. If they are an admin, it will allow the query as long as you're not trying to create a God account, which you're not supposed to be able to do anyway.

Find in "admin/modules/authors.php" (the $result line should be on one line; it has been chopped up here to make it easier to read):
Code:

    $add_pwd = md5($add_pwd);
    $result = sql_query("insert into ".$prefix."_authors values ('$add_aid', '$add_name', '$add_url', '$add_email', '$add_pwd',
        '0', '$add_radminarticle', '$add_radmintopic', '$add_radminuser',
        '$add_radminsurvey', '$add_radminsection', '$add_radminlink',
        '$add_radminephem', '$add_radminfaq', '$add_radmindownload',
        '$add_radminreviews', '$add_radminnewsletter', '$add_radminforum',
        '$add_radmincontent', '$add_radminency', '$add_radminsuper',
        '$add_admlanguage')", $dbi);
    Header("Location: admin.php?op=mod_authors");


ADD BEFORE
Code:

    if(is_admin($admin)) {
        if(eregi("God", $add_name)) {
            echo "You cannot create a god account.";
            exit;
        } else {


ADD AFTER
Code:

        }
    } else {
        header("Location: index.php");
        exit;
    }


This should be considered temporary until I hear from others that it actually stops them. *So far* it has worked for me.

Cheers,
MGCJerry

miniportal (Nuke Cadet, joined Apr 18, 2004, 5 posts)
Posted: Sun Apr 18, 2004 6:28 am

Nice, but what if the person doesn't use the name "God"? The hacker can use a URL like this:
Code:
admin.php?op=AddAuthor&add_aid=bad_hackers_login&add_name=name_but_no_god...


In that situation your fix won't work!

I used a simple method: edit your admin/modules/authors.php and find these lines in function displayadmins():
Code:

    ."<tr><td>&nbsp;</td><td colspan=\"3\"><font class=\"tiny\"><i>"._SUPERWARNING."</i></font></td></tr>"
    ."<tr><td>"._PASSWORD."</td>"


and add after:
Code:

    ."<input type=\"hidden\" name=\"some_random_variable_name_you_only_know\" value=\"some_random_value_you_only_know\">"


Replace MGCJerry's code
Code:

    if(is_admin($admin)) {
        if(eregi("God", $add_name)) {
            echo "You cannot create a god account.";
            exit;
        } else {


with

Code:

    if(is_admin($admin)) {
        if($some_random_variable_name_you_only_know!="some_random_value_you_only_know") {
            Header("Location: http://alpha.shl.pl");
            exit;
        } else {



It works with my site, hope it'll help you too.
MGCJerry (Elite Nuker, joined Jun 16, 2003, 220 posts)
Posted: Sun Apr 18, 2004 9:19 am

Yours was a good idea too. I'll implement that code too.

Anyways, if they tried creating a "God" admin, it would fail unless you are already an admin. So if you are logged into your own site as an admin, the "exploit" will work.

The code uses the is_admin() function located in the mainfile that checks if you're an admin and validates it with the database.

Anyways, thanks for your code.

Here's something else I just thought of. Maybe you could use something similar to the validation code for logins... Just a thought.

miniportal (Nuke Cadet, joined Apr 18, 2004, 5 posts)
Posted: Mon Apr 19, 2004 4:30 am

Of course you are right, but as I mentioned, your patch was only against the 'God' admin, and the only difference between God and a 'normal' super-admin is the fact that it can't be deleted from the admin menu, so it is easy to get past the patch. I found the weakness by making a mistake in the word 'God' in the exploit's URL. Luck!

Hope there won't be more hacks like this.

cheers,
Alpha @ http://miniportal.harc.pl
b2phat (Private, USA, joined Oct 26, 2003, 37 posts)
Posted: Tue Apr 20, 2004 5:13 am

Hi,

I thank you both for coming up with this ... I want to put it on my site ASAP. I've been hacked twice in two days and just changed my index.php and admin.php names and locations until I could figure out what to do.

Forgive me for being a newbie ;o) But the code you have here, some_random_password_only_you_know ... do we replace that in ALL areas with our "whatever we only know" code?

Or do we leave it as is and change it only in certain places?

And finally ... where it says "header location" and alpha.shl.pl ... do we put our header file from the main (base) root in to replace that, or the header in the admin panel?

Thanks very much!
miniportal (Nuke Cadet, joined Apr 18, 2004, 5 posts)
Posted: Tue Apr 20, 2004 5:28 am

1) There are two places to change: the first is a hidden variable in your form, the second checks whether this variable is set. Of course the "whatever we only know" code must be the same.

2) The Header("Location: http://alpha.shl.pl"); line redirects the person trying to hack our site to the specified location. I use 'http://alpha.shl.pl', but you can for example use
Header("Location: index.php");
to redirect to your home,

Header("Location: info_for_hacker.php");
to redirect to a page with info that the CIA has the hacker's address and is going to get him,

or
Header("HTTP/1.0 404 Not Found");
to create a fake 'Error 404 - URL not found' message.

greetz,
Alpha @ http://alpha.shl.pl
b2phat (Private, USA, joined Oct 26, 2003, 37 posts)
Posted: Tue Apr 20, 2004 10:43 am

miniportal wrote:
1) There are two places to change: the first is a hidden variable in your form, the second checks whether this variable is set. Of course the "whatever we only know" code must be the same.


Okay,

Thank you so much. I really appreciate it.... as I'm sure 1,000's of others do right now too. You should have seen how they taunted me with the hack!

Posted on my site ..... saying "So you really think PHP-Nuke is secure" and "Patch Your site 1 minute after a bug report".

I think the hackers spend as much time reading these boards (probably more) than us regular users.

Oh .. the part I was curious about was the area where this is at:

Quote:

    ."<input type=\"hidden\" name=\"some_random_variable_name_you_only_know\" value=\"some_random_value_you_only_know\">"

    if(is_admin($admin)) {
        if($some_random_variable_name_you_only_know!="some_random_value_you_only_know") {
            Header("Location: http://alpha.shl.pl");
            exit;
        } else {

I thought maybe the $ in front of the "some random" meant that it was defined somewhere else ... like in a language file .. and we left the variable here ... but that's what I get for thinking after two days of dealing with these hacks ;o)

Thanks very much again!

Take care.
chatserv (General, Puerto Rico, joined Jan 12, 2003, 3128 posts)
Posted: Tue Apr 20, 2004 9:45 pm

If this thread refers to the addauthor hack, a simple way to tackle it is to add to your admin.php, right after the credits:
Code:

    if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
        die("Illegal Operation");
    }


The die line can be changed to a redirect.

b2phat (Private, USA, joined Oct 26, 2003, 37 posts)
Posted: Tue Apr 20, 2004 10:23 pm

Okay ...

I'm getting there.

I installed the protector system too and it is just AWESOME! I had no idea how advanced it was and how much control it gives you, or I'd have installed it ages ago!

It already banned the person who hacked me yesterday, some warex dude, and his info was listed as *Union/ something or other. I guess he/they/it is well-known in the Nuke community, because when I went to look at the info on them, it said "You probably ALREADY know".

I have a question though ... I was going in to make sure that I didn't have any surprise "God" accounts again, but got an SQL syntax error when I clicked to go into admin.php?op=mod_authors. It happened after I added the fixes here, so I'm sure it's something simple, but I can't find it.

Here's the error code:

Parse error: parse error in /home/user~/public_html/admin/modules/authors.php on line 408

And here is what I have on line 408:


Line 408: if(some_variable_only_I_know="the_same_variable_only_I_know") {
Line 409: Header("Location: http://alpha.shl.pl");
Line 410: exit;
Line 411: } else {

Can someone tell me where I screwed up? Do I have an extra ; or something in there?

Thanks much!
miniportal (Nuke Cadet, joined Apr 18, 2004, 5 posts)
Posted: Wed Apr 21, 2004 1:03 am

Line 408: if($some_variable_only_I_know!="the_same_variable_only_I_know") {

greetz,
Alpha @ http://alpha.shl.pl
b2phat (Private, USA, joined Oct 26, 2003, 37 posts)
Posted: Wed Apr 21, 2004 1:32 am

Thanks much!
b2phat (Private, USA, joined Oct 26, 2003, 37 posts)
Posted: Wed Apr 21, 2004 3:55 pm

Hi Again,

I ran into a problem.

I am trying to recreate my staff from the admin panel, because the field values didn't match from my saved backup.

But when I went to click submit ... I got redirected ;o)

I was logged in as "God" ... any ideas why that may have happened?

Thanks!
Waldo (Nuke Soldier, joined Mar 16, 2004, 24 posts)
Posted: Thu Apr 22, 2004 11:35 am

Question--

this "some_random_value_you_only_know" stuff-- if the random value is a hidden form value, then wouldn't anyone who can see the form be able to know what the value should be, and include it in the spoofed header? Or is it a thing where the form is never seen by the hacker prior to the hack attempt?

W
b2phat (Private, USA, joined Oct 26, 2003, 37 posts)
Posted: Thu Apr 22, 2004 12:16 pm

Waldo wrote:
Question--

this "some_random_value_you_only_know" stuff-- if the random value is a hidden form value, then wouldn't anyone who can see the form be able to know what the value should be, and include it in the spoofed header? Or is it a thing where the form is never seen by the hacker prior to the hack attempt?

W


Hi Waldo,

I'm not sure about the answer to your question... but I do know that it's in the includes folder of admin ... and I tried to view source but couldn't see it.

But ... I downloaded the protector module from "War Center" and it accomplishes the same thing and protects your admin pages and just about everything else.

I installed it the day after I was hacked .. and it's already recorded another "God Admin" violation attempt. And it stops them, so cool! It sounds an alarm on their system ... then redirects them to where you choose (I chose www.FBI.gov) LOL. Then, it automatically bans them and adds them to your .htaccess file. It then emails you with a report and even tells you what the violation attempt was. In my case, they tried to use this url. On second thought ... I'm not going to print the url .. but it's just a simple url that includes the name AddAuthors, God and superuser in it. Unbelievable that it was that simple for them to do that!

It is awesome! Gives you total control over everything ... even spiders!

You can check it out at: http://protector.warcenter.se/downloads.html

I just wish I'd known about it BEFORE the hacks.

Take care.


miniportal (Nuke Cadet, joined Apr 18, 2004, 5 posts)
Posted: Thu Apr 22, 2004 12:19 pm

Waldo: it can only be seen by a logged-in admin with the rights to add admins.

b2phat: hm... I will have to try this module.

greetz,
Alpha @ http://hosting.shl.pl
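Pulling together MGCJerry's is_admin() check, miniportal's hidden form value and Waldo's objection that a fixed hidden value can be read by anyone who sees the form, here is an added example (not PHP-Nuke's own code and not any poster's patch) of an AddAuthor handler that uses a per-session random token read from the POST body instead of a global. It assumes PHP-Nuke's is_admin($admin) and $prefix, a PDO handle $pdo, and that session_start() has already run.

```php
<?php
// Added example, not PHP-Nuke's code or any poster's patch. Assumes PHP-Nuke's
// is_admin($admin) and $prefix, a PDO handle $pdo and a started session.
// Per-session random token for the add-author form. Unlike a fixed hidden
// value it differs for each admin session, so a URL prepared in advance
// (or copied from someone else's form) carries the wrong value.
function author_form_token(): string {
    if (empty($_SESSION['add_author_token'])) {
        $_SESSION['add_author_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['add_author_token'];
}
// Goes into the form built by displayadmins(), where miniportal put his hidden input.
function author_form_hidden_field(): string {
    return '<input type="hidden" name="author_token" value="'
         . htmlspecialchars(author_form_token(), ENT_QUOTES) . '">';
}
// Handler for op=AddAuthor. Returns true only when a row was inserted.
function add_author(PDO $pdo, string $prefix, $admin, array $post): bool {
    // 1. Caller must be a logged-in admin (the check MGCJerry's patch adds).
    if (!is_admin($admin)) {
        header("Location: index.php");
        return false;
    }
    // 2. Admins are created only by submitting the form, never from a GET link.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header("HTTP/1.0 405 Method Not Allowed");
        return false;
    }
    // 3. Submitted token must equal this session's token (constant-time compare).
    $sent = (string)($post['author_token'] ?? '');
    if (!hash_equals((string)($_SESSION['add_author_token'] ?? ''), $sent)) {
        header("HTTP/1.0 403 Forbidden");
        return false;
    }
    // 4. The built-in God account is never created through this form.
    if (stripos((string)($post['add_name'] ?? ''), 'god') !== false) {
        echo "You cannot create a god account.";
        return false;
    }
    // 5. Parameterised insert instead of interpolating request values into SQL.
    //    Column names assumed to mirror the thread's $add_* names; the radmin*
    //    permission columns are bound the same way and omitted here for space.
    $stmt = $pdo->prepare("INSERT INTO {$prefix}_authors (aid, name, url, email, pwd)"
                        . " VALUES (?, ?, ?, ?, ?)");
    return $stmt->execute([$post['add_aid'] ?? '', $post['add_name'] ?? '',
        $post['add_url'] ?? '', $post['add_email'] ?? '',
        md5((string)($post['add_pwd'] ?? ''))]); // md5 kept for PHP-Nuke compatibility
}
```

Because the token is tied to the session and checked on the server, a logged-in admin who follows a crafted link still fails step 3, which is the case MGCJerry's second post describes.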
Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com