You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 239 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - This new security hole... [ ]
 Forum FAQ  •  Search  •   •  Memberlist  •  Usergroups   •  Register  •  Profile •    •  Log in to check your private messages  •  Log in

 
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
Author Message
MechaDragon
Nuke Soldier
Nuke Soldier


Joined: Aug 12, 2003
Posts: 22


PostPosted: Fri Jun 04, 2004 1:27 pm Reply with quoteBack to top

Does protector or anything work with it?

http://www.securityfocus.com/archive/1/364725/2004-05-30/2004-06-05/0

Is the fix listed the best one to use?
Find all posts by MechaDragonView user's profileSend private message
foxyfemfem
Support Staff
Support Staff


Joined: Jan 23, 2003
Posts: 668

Location: USA

PostPosted: Fri Jun 04, 2004 3:05 pm Reply with quoteBack to top

Um, very interesting and I notice the date on that post is May (almost 2 months of age). Okay, can we get a "security" coder to verify if there's a fix for that, has the fix been produced and where the heck can I get the fix? Laughing

_________________
If you shoot for the moon and miss, you'll still be amongst the stars.
Find all posts by foxyfemfemView user's profileSend private message
alexm
Nuke Soldier
Nuke Soldier


Joined: Dec 23, 2003
Posts: 19


PostPosted: Fri Jun 04, 2004 3:45 pm Reply with quoteBack to top

MechaDragon wrote:

Is the fix listed the best one to use?


I'm not an expert on this subject, but the best fix is to make sure that safe_mode is "On" in your PHP. This will disable other users' ability to include() your files.

It's my opinion that if you are on a shared host with safe_mode Off, you have bigger problems than this little script.

I could be wrong. And there's no harm in adding the proposed "fix." Smile
Find all posts by alexmView user's profileSend private message
VinDSL
Site Admin
Site Admin


Joined: Jul 08, 2003
Posts: 1193

Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs

PostPosted: Fri Jun 04, 2004 4:35 pm Reply with quoteBack to top

This is NOT a Nuke security vulnerability IMHO. It's a server administration issue...

In order to use this attack, hackers would need admin privileges on the server in question, in order to create a symlink pointing to someone elses' sql db, no? Not only that, but they would need an account on (or access to another client's account on) the same server as you, in order to mount the attack in the first place.

There might be a web host out there stupid enough to give server admin privileges to clients on a shared server, and allow them to access data on other clients' db's, but I doubt it. If so, they wouldn't be in business long.

My fix would consist of changing web hosts... Wink

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.
Find all posts by VinDSLView user's profileSend private messageVisit poster's websiteICQ Number
Chinese_Power
Private
Private


Joined: Feb 16, 2004
Posts: 38


PostPosted: Fri Jun 04, 2004 5:39 pm Reply with quoteBack to top

Interesting... But have someone tested this yet ? It dont work for me

_________________
Image
Find all posts by Chinese_PowerView user's profileSend private message
VinDSL
Site Admin
Site Admin


Joined: Jul 08, 2003
Posts: 1193

Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs

PostPosted: Fri Jun 04, 2004 5:55 pm Reply with quoteBack to top

Chinese_Power wrote:
Interesting... But have someone tested this yet ? It dont work for me

Are you talking about the quick 'n' dirty patch they suggested, or switching hosts? Laughing

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.
Find all posts by VinDSLView user's profileSend private messageVisit poster's websiteICQ Number
judas
Corporal
Corporal


Joined: Apr 24, 2003
Posts: 66

Location: dev/hda1

PostPosted: Fri Jun 04, 2004 6:34 pm Reply with quoteBack to top

Imm..This is NOT A BUG ON NUKE.
but if you like the "propossed patch."..I think this will be better
Code:
$domain = $_SERVER['SERVER_NAME'];
$ipserv = gethostbyname($domain);
if ($ipserv != "your_server_ip_address_here") {
echo "Access denied";
die();
}

note:Im trying to reproduce this "bugs" and on my server I get 403 errors and other stuff..no real "proof of concept" results.
Find all posts by judasView user's profileSend private message
MechaDragon
Nuke Soldier
Nuke Soldier


Joined: Aug 12, 2003
Posts: 22


PostPosted: Fri Jun 04, 2004 7:00 pm Reply with quoteBack to top

foxyfemfem wrote:
Um, very interesting and I notice the date on that post is May (almost 2 months of age). Okay, can we get a "security" coder to verify if there's a fix for that, has the fix been produced and where the heck can I get the fix? Laughing


Two months? May 30 was less then a week ago... am I missing something or not understanding right...
Find all posts by MechaDragonView user's profileSend private message
MechaDragon
Nuke Soldier
Nuke Soldier


Joined: Aug 12, 2003
Posts: 22


PostPosted: Fri Jun 04, 2004 7:03 pm Reply with quoteBack to top

VinDSL wrote:
This is NOT a Nuke security vulnerability IMHO. It's a server administration issue...


Thanks, Didn't quite understand the whole process so I didn't know it had to be on the same server but thanks for the explination!!
Find all posts by MechaDragonView user's profileSend private message
clam729
Sergeant
Sergeant


Joined: Aug 18, 2003
Posts: 82


PostPosted: Fri Jun 04, 2004 11:15 pm Reply with quoteBack to top

search for one of my earlier posts about script hijacking, the same goes for this. everyone should add code to their sites to ensure that the scripts are being run from their server.

there are many ways to do this simple check, as i said, one of my earlier posts has some example code in it.
Find all posts by clam729View user's profileSend private message
Dunderklumpen
Corporal
Corporal


Joined: Apr 25, 2003
Posts: 53

Location: Sweden

PostPosted: Sat Jun 05, 2004 12:14 am Reply with quoteBack to top

judas wrote:
Imm..This is NOT A BUG ON NUKE.
but if you like the "propossed patch."..I think this will be better
Code:
$domain = $_SERVER['SERVER_NAME'];
$ipserv = gethostbyname($domain);
if ($ipserv != "your_server_ip_address_here") {
echo "Access denied";
die();
}

note:Im trying to reproduce this "bugs" and on my server I get 403 errors and other stuff..no real "proof of concept" results.


Thanks for the suggested patch - now where should I put this in config.php?

_________________
/Regards Mikael
Find all posts by DunderklumpenView user's profileSend private messageAIM AddressYahoo MessengerMSN MessengerICQ Number
kingpin03
Corporal
Corporal


Joined: Nov 14, 2003
Posts: 61


PostPosted: Sat Jun 05, 2004 2:00 am Reply with quoteBack to top

Dunderklumpen wrote:
judas wrote:
Imm..This is NOT A BUG ON NUKE.
but if you like the "propossed patch."..I think this will be better
Code:
$domain = $_SERVER['SERVER_NAME'];
$ipserv = gethostbyname($domain);
if ($ipserv != "your_server_ip_address_here") {
echo "Access denied";
die();
}

note:Im trying to reproduce this "bugs" and on my server I get 403 errors and other stuff..no real "proof of concept" results.


Thanks for the suggested patch - now where should I put this in config.php?
Try header.php instead. Wink

_________________
My PHPNukeMods:
pvPhortunes 1.0

Sites:
PV-D
HTK
Find all posts by kingpin03View user's profileSend private message
Dunderklumpen
Corporal
Corporal


Joined: Apr 25, 2003
Posts: 53

Location: Sweden

PostPosted: Sat Jun 05, 2004 2:48 am Reply with quoteBack to top

Ok, thanks - will do.
Find all posts by DunderklumpenView user's profileSend private messageAIM AddressYahoo MessengerMSN MessengerICQ Number
foxyfemfem
Support Staff
Support Staff


Joined: Jan 23, 2003
Posts: 668

Location: USA

PostPosted: Sat Jun 05, 2004 2:54 am Reply with quoteBack to top

@MechaDragon
Laughing You are correct. I was thinking this month was july not june (way ahead of myself).

I tried that exploit on my website and all I received was the 403 error page, therefore I'm with VinDSL on this one, if the exploit succeed via another, I'm changing my webhost.

@judas
Thanks for the patch, it's always better to be safe than sorry. I'm adding the patch to mainfile.php

This part $_SERVER['SERVER_NAME']; should SERVER_NAME be as is or am I suppose to add the name of the server I'm on?

_________________
If you shoot for the moon and miss, you'll still be amongst the stars.
Find all posts by foxyfemfemView user's profileSend private message
VinDSL
Site Admin
Site Admin


Joined: Jul 08, 2003
Posts: 1193

Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs

PostPosted: Sat Jun 05, 2004 4:45 am Reply with quoteBack to top

clam729 wrote:
...everyone should add code to their sites to ensure that the scripts are being run from their server...

Keep in mind that this attack IS run from your server, via a symlink in another client's account, or so the theory goes.

I don't think there is ANY patch that would work for such a situation, given the type of authentication Nuke uses. Once again, this is a server administration issue. Wink

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.
Find all posts by VinDSLView user's profileSend private messageVisit poster's websiteICQ Number
Display posts from previous:      
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.063 Seconds - 318 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::