You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 176 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - Php-Nuke:users and admins password hashes vulnerability!!! [ ]
 Forum FAQ  •  Search  •   •  Memberlist  •  Usergroups   •  Register  •  Profile •    •  Log in to check your private messages  •  Log in

 
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
Author Message
NooN
Nuke Cadet
Nuke Cadet


Joined: May 30, 2003
Posts: 3


PostPosted: Tue Jun 03, 2003 9:51 am Reply with quoteBack to top

Hey, why there is no news about this issue http://archives.neohapsis.com/archives/bugtraq/2003-05/0346.html on the main page? I think its an important problem, what do u think?
Find all posts by NooNView user's profileSend private message
sixonetonoffun
Major
Major


Joined: Jan 13, 2003
Posts: 892


PostPosted: Tue Jun 03, 2003 11:44 am Reply with quoteBack to top

I looked at this but briefly. The script says your vulnerable no matter what you enter. Not that this proves anything one way or the other. But I refrain from further comments until the jury is in. It smacks of another not so long ago report using the same script nearly word for word that fails on every site I tested at that time.

The weblinks and downloads reports actually concern me more. As they deal with direct injections. And should be fairly easily patched if they aren't already in 6.6 Oh thats right we can't download those fixes because they aren't important enough to release. </sarcasm>

Serously we aren't ignoring these posts but it takes time to test on various systems and frankly lately time is hard to come by for most of us.

One thing you can count on if this is exploitable someone will run it against a major nuke site to get our attention.

_________________
www.netflake.com
www.glowoptics.com
Find all posts by sixonetonoffunView user's profileSend private message
ArtificialIntel



Joined: Jan 31, 2004
Posts: -88


PostPosted: Tue Jun 03, 2003 12:20 pm Reply with quoteBack to top

it's bugtraq smearing PHP-Nuke's name again. Ignore it, it's a load of c***

AI
Find all posts by ArtificialIntelView user's profileSend private message
NooN
Nuke Cadet
Nuke Cadet


Joined: May 30, 2003
Posts: 3


PostPosted: Thu Jun 05, 2003 10:25 am Reply with quoteBack to top

ArtificialIntel wrote:
it's bugtraq smearing PHP-Nuke's name again. Ignore it, it's a load of c***

AI

So we can just ignore it? I run 6.0 site, and just warried about any news that have something to do with exploids and admins password hashes etc...
But if you say - "this is BS" - i will belive you, not that guy who has published this article.
Find all posts by NooNView user's profileSend private message
crashoverride



Joined: Jan 31, 2004
Posts: 0


PostPosted: Thu Jun 05, 2003 10:37 am Reply with quoteBack to top

like AI said in the announcement he created just after he responded to this topic, BugTraq dont' seem to know basic SQL syntax and PHP coding, so why anybody trusts their reports is beyond me.

They keep pulling up vunerabilities saying "they can do this, they can do that, they can bla bla bla". An example of which was a certain bit of code not so long ago where they could supposidly hack a site and grab passwords for the admin accounts (there's a topic in the security forum if you want to know specifics), and they were saying it was because of a lack of single quotes ('s) that was causing the error.

However, in SQL, if a variable isn't encased in single quotes, then the SQL server only accepts integers as the input, not text or anything else. In essence, adding hte quotes would introduce the vunerability, not remove it. - good from a site that's supposed to report errors, no?

Anyway. Like I said, details are available in other topics.

CO
Find all posts by crashoverrideView user's profileSend private message
MikeMiles
Lieutenant
Lieutenant


Joined: May 29, 2003
Posts: 231


PostPosted: Thu Jun 05, 2003 7:37 pm Reply with quoteBack to top

BugTraq is just a notification/moderation mechanism whose content comes from outside contributors. BugTraq doesn't verify and validate any reported exploits, and they aren't in a position to do so. That's the project developers responsibility. From my experience on a few open source projects, the contributors are usually quite responsible and contact the developers first with their finds. Through communication, the invalid ones usually never make the list. People will often wait in submitting their find until the developers have a chance to fix it within a reasonable time. For the projects which have a security mailbox and are responsive, they hardly have any entries on BugTraq because they they release security fixes right away when something is found.

In the last report on phpNuke, the submitter said he contacted FB but received no response. If FB would just respond back to these people to verify their finds or explain why they aren't exploits of phpNuke's code, then it would weed out inaccuracies. Shoot, he doesn't even take the time to update BugTraq on whether anything was fixed or invalid. Others have to do it instead.

The one bad thing about BugTraq though is it's a great repository for the script kiddies to use. If it didn't exist, they still would cause havoc but would have to work to figure out the exploits themselves.
Find all posts by MikeMilesView user's profileSend private message
Display posts from previous:      
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.162 Seconds - 561 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::