Lateron Worker
Joined: May 10, 2003 Posts: 119 Location: Katoomba, NSW, Australia.
Posted: Mon Mar 29, 2004 3:48 pm

This was posted by djmaze at nukecops:

Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Mon Mar 29, 2004 3:56 pm

I was just posting Chatserv's fix here.
In admin.php find this code:

Code:
function deleteNotice($id, $table, $op_back) {
    global $db;
    $db->sql_query("DELETE FROM $table WHERE id = '$id'");
    Header("Location: admin.php?op=$op_back");
}

and change it to:

Code:
function deleteNotice($id) {
    global $prefix, $db;
    // table name and redirect target are now fixed in the code; $id is forced to an integer
    $id = intval($id);
    $db->sql_query("DELETE FROM ".$prefix."_reviews_add WHERE id = '$id'");
    Header("Location: admin.php?op=reviews");
}

and find in the same file:

Code:
case "deleteNotice":
    deleteNotice($id, $table, $op_back);
    break;

Change to:

Code:
case "deleteNotice":
    deleteNotice($id);
    break;

Lateron Worker
Joined: May 10, 2003 Posts: 119 Location: Katoomba, NSW, Australia.
Posted: Mon Mar 29, 2004 4:38 pm

Raven,
We folk from the Southern Hemisphere are just too quick for you northerners!
Ron.....

Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Mon Mar 29, 2004 4:50 pm

Rock => Raven <= Lateron
I have the comebacks, but in the interest of public relations I will withhold them.

Nukeum66 Life Cycles Becoming CPU Cycles
Joined: Jul 30, 2003 Posts: 551 Location: Neurotic, State, USA
Posted: Mon Mar 29, 2004 7:08 pm

Raven, let the reb have it! ......

Johan1982 New Member
Joined: Oct 23, 2003 Posts: 24
Posted: Tue Mar 30, 2004 1:54 pm

Excellent.
Another thing: I have read this post in the forum of phpnuke.org, a GOD administrator can erase?

darksied Hangin' Around
Joined: Jan 27, 2004 Posts: 25 Location: New Jersey
Posted: Tue Mar 30, 2004 5:24 pm

Ok, I tried this fix and I get a parse error on line 125. Anyone else have this happen yet? I am running version 6.9. Any ideas on how to possibly fix the fix?

Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Tue Mar 30, 2004 5:39 pm

Well, a parse error usually means a missing ; or ' or ". If you can't find it, please post lines 120 - 130.

darksied Hangin' Around
Joined: Jan 27, 2004 Posts: 25 Location: New Jersey
Posted: Tue Mar 30, 2004 11:36 pm

Ok Raven, here is the error and the code. I included lines 109-130; it just seemed easier at the time.
PS: Like I told Chatserv, thanks for all the work that you guys do in the security area for php-nuke.

Code:
Parse error: parse error in /home/public_html/admin.php on line 125

Code:
109 function gfx($random_num) {
110     global $prefix, $db;
111     require("config.php");
112     $datekey = date("F j");
113     $rcode = hexdec(md5($_SERVER[HTTP_USER_AGENT] . $sitekey . $random_num . $datekey));
114     $code = substr($rcode, 2, 6);
115     $image = ImageCreateFromJPEG("images/admin/code_bg.jpg");
116     $text_color = ImageColorAllocate($image, 80, 80, 80);
117     Header("Content-type: image/jpeg");
118     ImageString ($image, 5, 12, 2, $code, $text_color);
119     ImageJPEG($image, '', 75);
120     ImageDestroy($image);
121     die();
122 }
123
124 function deleteNotice($id) {
125     global $prefix, $db;
126     $id = intval($id);
127     $db->sql_query("DELETE FROM ".$prefix."_reviews_add WHERE id = '$id'");
128     Header("Location: admin.php?op=reviews");
129 }
130

Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Tue Mar 30, 2004 11:51 pm

Something else has been added to your admin.php. In the v6.9 default admin.php, your line 109 actually starts on line 106. Try reinstalling the default admin.php and then applying this fix.

darksied Hangin' Around
Joined: Jan 27, 2004 Posts: 25 Location: New Jersey
Posted: Wed Mar 31, 2004 11:30 am

Ok, this is what I did: I dropped a clean admin.php and the one on my site in Differences Examiner and this is what I found.

Code:
if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
    die("Illegal Operation");
}

Clean admin.php:

Code:
$sql = "INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_lang, user_dateformat) VALUES (NULL, '$name', '$email', '$url', '$user_avatar', '$user_regdate', '$pwd', '$Default_Theme', '$commentlimit', 'english', 'D M d, Y g:i a')";

admin.php on website:

Code:
$sql = "INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_level, user_lang, user_dateformat) VALUES (NULL, '$name', '$email', '$url', '$user_avatar', '$user_regdate', '$pwd', '$Default_Theme', '$commentlimit', '2', 'english', 'D M d, Y g:i a')";

Now, the top code I included from your site. Why the other 2 lines are different I don't really know; I have a few mods like NSN Groups and such, so it could be from any mod I installed. I wish there was a way to tell what changes what, or what lines were modified by newly installed mods.

Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Wed Mar 31, 2004 1:44 pm

Please zip your admin.php and email it to me. Thanks.

Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Wed Mar 31, 2004 5:40 pm

I don't know what editor you are using, but it is adding some weird characters in all the code you added. That's your problem. Use an editor like Textpad and try it again. Here is what it looks like and what is causing your errors:

Code:
function deleteNotice($id) {
Ê Ê global $prefix, $db;
Ê Ê $id = intval($id);
Ê Ê $db->sql_query("DELETE FROM ".$prefix."_reviews_add WHERE id = '$id'");
Ê Ê Header("Location: admin.php?op=reviews");
}

and also:

Code:
case "deleteNotice":
Ê ÊdeleteNotice($id);
Ê Êbreak;

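A way to locate the stray bytes Raven describes, as an added example that is not part of the thread. It assumes the characters shown as Ê are byte 0xCA, which is the non-breaking space in the Mac Roman encoding, and it runs on a constructed sample of the patched function rather than darksied's actual file:

```python
# Constructed sample of the deleteNotice() fix as saved by an editor that
# indents with non-breaking spaces: byte 0xCA is NBSP in Mac Roman and shows
# up as "Ê" when the file is viewed as Latin-1 (assumption, see lead-in).
NBSP_MAC = b"\xca"
SAMPLE_PHP = b"".join([
    b"<?php\n",
    b"function deleteNotice($id) {\n",
    NBSP_MAC * 2 + b"global $prefix, $db;\n",
    NBSP_MAC * 2 + b"$id = intval($id);\n",
    b"    Header(\"Location: admin.php?op=reviews\");\n",
    b"}\n",
])

# Byte sequences that look blank but are not the ASCII space PHP's lexer expects.
KNOWN = {b"\xc2\xa0": "NBSP (UTF-8)", b"\xca": "NBSP (Mac Roman)", b"\xa0": "NBSP (Latin-1)"}

def find_stray_bytes(src: bytes) -> list[tuple[int, int, str]]:
    """Return (line, column, description) for every byte outside printable ASCII.

    Outside strings and comments PHP folds such bytes into identifiers, so the
    first line listed here is the line the parse error is reported on.
    """
    findings = []
    for lineno, line in enumerate(src.split(b"\n"), start=1):
        i = 0
        while i < len(line):
            b = line[i]
            if 0x20 <= b <= 0x7E or b in (0x09, 0x0D):
                i += 1
                continue
            pair = line[i:i + 2]
            if pair in KNOWN:                      # two-byte UTF-8 NBSP
                findings.append((lineno, i + 1, KNOWN[pair]))
                i += 2
                continue
            findings.append((lineno, i + 1, KNOWN.get(line[i:i + 1], f"byte 0x{b:02x}")))
            i += 1
    return findings

def replace_nbsp(src: bytes) -> bytes:
    """Swap the known NBSP encodings for ordinary spaces (assumes the rest of the file is ASCII)."""
    for raw in KNOWN:                              # UTF-8 pair is replaced before the single bytes
        src = src.replace(raw, b" ")
    return src

if __name__ == "__main__":
    for lineno, col, what in find_stray_bytes(SAMPLE_PHP):
        print(f"line {lineno} col {col}: {what}")
```

On a file containing real Latin-1 or UTF-8 text, fix only the lines find_stray_bytes() reports instead of running replace_nbsp() over the whole file.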
darksied Hangin' Around
Joined: Jan 27, 2004 Posts: 25 Location: New Jersey
Posted: Wed Mar 31, 2004 11:23 pm

Thanks for all the help Raven, it now works.

chatserv The Mouse Is Extension Of Arm
Joined: May 02, 2003 Posts: 1396 Location: Puerto Rico
Posted: Mon Apr 26, 2004 11:34 am

Some additional protection code; thought I'd post it here since it deals with admin.php as well. This will stop two forms of a hack that attempts to add an admin account for the hacker, either by using a fake image or by inserting the code:
After admin.php's file credits add the following:

Code:
if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
    die("Illegal Operation");
}

paranor Worker
Joined: Aug 28, 2003 Posts: 227
Posted: Mon Apr 26, 2004 9:45 pm

Does Raven's hackattempt stop this Chatserv?
I get confused as to what I should be adding where.

Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Mon Apr 26, 2004 9:50 pm

No. Mine is meant and directed at the UNION hack attempts. However, you can direct Chat's snippet to my hack script to get the IP information instead of just die().

chatserv The Mouse Is Extension Of Arm
Joined: May 02, 2003 Posts: 1396 Location: Puerto Rico
Posted: Mon Apr 26, 2004 9:55 pm

Code:
if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) header("Location: hackattempt.php");

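The same checks applied after the fact to a web server access log, as an added example that is not part of the thread or of Raven's hackattempt script: it flags admin.php requests naming AddAuthor/UpdateAuthor (the stristr() test above), admin.php deleteNotice requests that still carry a table parameter (which the pre-fix function honoured), and UNION SELECT in any query string. The log lines are constructed, the Apache common log format is assumed, and the rule names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache common-log lines (not real traffic); rule names are this example's own.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Apr/2004:21:55:01 -0500] "GET /admin.php?op=reviews HTTP/1.1" 200 5120
10.0.0.9 - - [26/Apr/2004:21:55:12 -0500] "GET /admin.php?op=AddAuthor&add_name=x HTTP/1.1" 302 0
10.0.0.9 - - [26/Apr/2004:21:55:30 -0500] "GET /admin.php?op=updateauthor HTTP/1.1" 302 0
10.0.0.7 - - [26/Apr/2004:21:56:40 -0500] "GET /admin.php?op=deleteNotice&id=3&table=other_table HTTP/1.1" 302 0
10.0.0.8 - - [26/Apr/2004:21:57:05 -0500] "GET /modules.php?name=Reviews&id=1%20UNION%20SELECT%201 HTTP/1.1" 200 300
10.0.0.3 - - [26/Apr/2004:21:58:00 -0500] "GET /index.php HTTP/1.1" 200 8000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
UNION_RE = re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE)
ADMIN_OPS_RE = re.compile("addauthor|updateauthor", re.IGNORECASE)   # same test as the stristr() guard

def flag_request(target: str) -> list[str]:
    """Return the rule names a request target trips; an empty list means nothing matched."""
    parts = urlsplit(target)
    is_admin = parts.path.lower().endswith("/admin.php")
    query = unquote_plus(parts.query)          # logs keep the query string percent-encoded
    hits = []
    if is_admin and ADMIN_OPS_RE.search(query):
        hits.append("admin-author-op")
    if is_admin:
        params = parse_qs(parts.query)
        if params.get("op") == ["deleteNotice"] and "table" in params:
            hits.append("deleteNotice-with-table")   # pre-fix deleteNotice() used a caller-supplied table
    if UNION_RE.search(query):
        hits.append("union-select")                  # the UNION attempts Raven's hackattempt script targets
    return hits

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, rules) for every flagged line of an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := flag_request(m["target"])):
            findings.append((m["ip"], m["target"], hits))
    return findings

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(hits)}")
```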
paranor Worker
Joined: Aug 28, 2003 Posts: 227
Posted: Mon Apr 26, 2004 9:56 pm

Ugh. Is there anything I can do to manage a nice organized list of what to patch and what covers what and what isn't in what and when?
I've been gone for a few weeks and there is this new patch buried in an old post. Just thinking of a way to utilize Chatserv's and your talents best without having to keep track of things 24x7.

Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Mon Apr 26, 2004 10:02 pm

Money always works for me. How about you Chat :LOL:

paranor Worker
Joined: Aug 28, 2003 Posts: 227
Posted: Mon Apr 26, 2004 10:10 pm

lol. True! And thankfully my giving record speaks for itself - you guys are cheap and easy.
Seriously, I was thinking more of a single reference point.
In this case I think it would be something like:

??/??/?? 2.2 - Chatserv pack here (link)
??/??/?? 2.3 - Chatserv pack here (link)
04/??/04 - admin.php patch here (link)
05/01/04 - 2.4 - Chatserv pack here - includes all post 2.3 fixes.

And preferably the link for the source code does not have 20 replies in it. That gets to be annoying reading, and what if there is a fix to the original code 21 replies later?
I'd be happy to help with that - it at least gives me something to contribute. And maybe I'll shaddup.

chatserv The Mouse Is Extension Of Arm
Joined: May 02, 2003 Posts: 1396 Location: Puerto Rico
Posted: Mon Apr 26, 2004 10:16 pm

chatserv The Mouse Is Extension Of Arm
Joined: May 02, 2003 Posts: 1396 Location: Puerto Rico
Posted: Mon Apr 26, 2004 10:34 pm

Quote:
you guys are cheap and easy.

That sure does not help my messed up reputation.