ATTENTION - PHP-Nuke Security Hole
Prophet writes "Today I have found a big security hole in PHP-Nuke which can easily allow a hacker complete control of almost any PHP-Nuke website.
This is a critical security flaw!
I strongly advise at this time that ALL PHP-NUKE WEBSITES SHOULD DISABLE OFFSITE AVATARS!
That is currently the easiest and fastest protection.
If you currently have this feature enabled your website is at serious risk!
I will not go into detail about how an exploit is possible at this time."
Admin Note: I've expanded on this fix and I am testing it currently here. Thanxs Prophet! - Evaders99
Posted on Friday, December 16 @ 12:41:33 CET by VinDSL
Re: ATTENTION - PHP-Nuke Security Hole (Score: 1) by Prophet on Friday, December 16 @ 13:03:51 CET http://jasonlau.biz
Okay, I have been doing some serious testing on this and found that this vulnerability only affects the offsite avatar linking in the Your_Account module. The forum profile form does not seem to be affected. I am testing this in version 7.8. I'll keep you updated.
Re: ATTENTION - PHP-Nuke Security Hole (Score: 1) by Prophet on Saturday, December 17 @ 10:57:44 CET http://jasonlau.biz
Sorry for being vague. I don't think it's wise to say exactly what the vulnerability is before a good patch is released. I wasn't able to put much time in it, but I did get a quick patch together. Thanks Evaders99, for cleaning it up.
I've already had a few people ask me if this is something to be that concerned about.
Well, I think it's very important that (if you intend on using offsite avatar linking - many do) you take this seriously and patch the file - especially now that the vulnerability is known. Every two-bit hacker is going to be looking for websites that aren't patched.
Basically, when a user submits a link to an avatar, the link is not validated at all. This allows the person to inject any type of code into your webpage where it is then executed. Not only does this put your website and server at risk, but it also puts your visitors at risk. A hacker can use your website to track your members, harvest cookies, plant cookies, serve popups or spyware, etc. That is, if the hacker is kind enough to not simply destroy your website instead.
So, yeah, get the patch.
Re: ATTENTION - PHP-Nuke Security Hole (Score: 1) by rwxrwxrwx on Saturday, December 17 @ 23:00:15 CET http://www.ratboyz.com/
Allowing offsite avatars will introduce a level of insecurity even with your patch. If running Apache, the remote server can use the AddType directive to change the MIME type for an extension. So, a server-side script could easily have non-standard endings including image ones. With the ForceType directive, one can match files with or without extensions to a given media type.
Also, many servers recognize .phtml files as containing PHP code, and .cgi is just one of many possible extensions for CGI scripts.
Re: ATTENTION - PHP-Nuke Security Hole (Score: 1) by Prophet on Sunday, December 18 @ 09:27:02 CET http://jasonlau.biz
Just so everyone is aware of this, the patch is certainly not a cure-all for this issue. Disabling is not the perfect solution either since Your_Account module does not even check to see if admin has enabled or disabled the feature. A line of code in the address bar could execute the script even if you think you have it disabled.
Here's the best patch for it so far ...
Remove the entire avatarlinksave function and replace it with this ...
// Replacement stub: refuses every offsite avatar submission and shows an error page.
function avatarlinksave($avatar) {
    include("header.php");
    title("Disabled!");
    OpenTable();
    nav();
    CloseTable();
    OpenTable();
    echo "Error: This feature is disabled!";
    CloseTable();
    include("footer.php");
}
Re: ATTENTION - PHP-Nuke Security Hole (Score: 1) by Evaders99 on Monday, December 19 @ 00:16:32 CET http://www.swrebellion.com
"Disabling is not the perfect solution either since Your_Account module does not even check to see if admin has enabled or disabled the feature"
My additional fix does though. Prophet, can you verify that it does? If there is any way around it, please let me know.
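Added example, not part of the thread and not the PHP-Nuke patch discussed in it: a sketch in current PHP (7.1 or later) of the two checks the comments call for, enforcing the admin setting inside the save handler and validating the submitted avatar link before it is stored or printed. The function names and the `$offsiteEnabled` flag are hypothetical, and the sample URLs are constructed.

```php
<?php
// Added example. validate_avatar_url(), render_avatar() and $offsiteEnabled are
// hypothetical names, not PHP-Nuke functions or settings.

/** Return the link if it may be stored as an avatar, otherwise null. */
function validate_avatar_url(string $url, bool $offsiteEnabled): ?string
{
    // Enforce the admin setting in the handler itself, so a direct request
    // that bypasses the form is refused as well.
    if (!$offsiteEnabled) {
        return null;
    }
    $url = trim($url);
    // Bound the length; refuse control characters, spaces, quotes, angle
    // brackets, backslashes and backticks, none of which belong in an image link.
    if ($url === '' || strlen($url) > 255
        || preg_match('/[\x00-\x20\x7f"\'<>\\\\`]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    // Only http(s) links; any other scheme is refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // The extension allowlist limits what is stored. It does not prove what the
    // remote server will actually send for that name.
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $parts['path'])) {
        return null;
    }
    return $url;
}

/** Escape again at output time so a stored value cannot alter the markup. */
function render_avatar(string $storedUrl): string
{
    return '<img src="' . htmlspecialchars($storedUrl, ENT_QUOTES, 'UTF-8') . '" alt="avatar">';
}

// Constructed sample inputs: one acceptable link, three that are refused.
foreach (['http://example.com/a.png', 'ftp://example.com/a.png',
          'http://example.com/a.png"x', 'http://example.com/a.phtml'] as $s) {
    printf("%-30s %s\n", $s, validate_avatar_url($s, true) === null ? 'refused' : 'ok');
}
// The same acceptable link is refused when the feature is switched off.
var_dump(validate_avatar_url('http://example.com/a.png', false));
```

As rwxrwxrwx points out in the thread, the remote server still decides what is served under an image name, so these checks bound what reaches the page markup rather than making offsite avatars safe.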