Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Mon Dec 12, 2005 2:13 pm Reply with quote

The only thing I can think of Techno is that on the Platinum mods site, there must be something about Patched 3.1 that didn't make it into Platinum.

I have disabled search on my baseline domain because it too is at risk. What also bothered me is that I made a mod to NukeSentinel (like what you did with 2.4.2) and I could get past 2.3.9 still. (A slightly different change as it uses a different methodology).

Again, I'm dumping PHP-Nuke next month anyway, so I just said "the hell with it" and disabled the module.

I think you know already what I'm going to be running, but anyway, I can say that it is fully secure and you can test it.... The one bitch though is that while it won't produce a result, NukeSentinel doesn't identify it, which I think (in my mind) is an issue because I want to know WHENEVER anyone tries a union attack against me, whether it worked or not.

If Raven wants to see this in action, he can PM me, I'll open up my 7.6 Test domain or my baseline domain (turn the module back on) and then he can see the result.

Steph

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Mon Dec 12, 2005 2:19 pm Reply with quote

As steph said the problem with PNP is the total mess everything inside of it is. There is such a blending of 2.8, & 2.9, that adding 3 & 3.1 was a difficult task. Even some of the 2.8 changes were not correct. Obviously something was missed in PNP to fix the search expoit. That sucks for me and other PNP users.

<offtopic>Steph is anything ever going to happen on your other domain?</offtopic>

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
64bitguy
PostPosted: Mon Dec 12, 2005 2:24 pm Reply with quote

Yes.

I got the Copyright approval back from FSF and they are now assigned as the Copyright agents. I'm going to be going live with it next month. I'm not going to include any "input filtering" though until some of the other folks decide to play with it more. Also, I want to recode all of the input functions to offer with/without HTML editor scenarios (two sets of inputs instead of just one with an on/off switch) this will allow different users with different browsers to still have more flexible functionality. (Think of it as having an on/off switch on top of having the input fields properly defined for EACH method, instead of defining the field for one, which might not ...errr... actually IS NOT, right for the other method, when the editor is on, it uses input method 1, when the editor is off, it uses method 2).

Anyway, after much todo with lawyers and the like, I think I'm ready now, or darn close to it.

Installation scripts need work. I have a good SQL file, but it is just that (and needs bigdump to work because of everything being pre-insalled).

Steph
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Tue Dec 13, 2005 2:29 pm Reply with quote

Folks, I want to try to clear up what seems to be a misunderstanding, at least as to how Technocrat is misperceiving my comments. I have tested and proven beyond a shadow of a doubt that if your site is patched with at least 3.x and possibly even 2.9, this exploit does not work, even without NukeSentinel(tm). So, it is not a NukeSenitinel(tm) issue as the patched code, even from FB (some of the few pieces he left in), secures it. Our purpose in writing and maintaining NukeSentinel(tm) has always been to work in addition to the poorly secured nuke code. We try to keep redundancy out because if the core code get changed then NukeSentinel(tm) very well could be at odds with the core code.

I do not feel any need to rush out a new release of NukeSentinel(tm) over this for reasons stated above. You all know me (and us) here and we don't take security lightly or we would not have built this product and keep it up. But, you have the patch from technocrat if you want/need to patch your old code. But, and I can't emphasize this enough, the correct fix is to make sure you are up to date with Chatserv's latest patches (3.1 as of this writing) and then update your NukeSentinel(tm) to v2.4.2 to protect against the things that the patches don't/can't.

The sky is not falling folks Laughing. This is but a variation on a theme. This is an old exploit that's been ressurected, more than likely because a simple Google search reveals so many sites using unpatched phpNuke. If people haven't updated their sites by now with the patches and NukeSentinel(tm), there is nothing that would lead me to believe that issuing a "patch" would help them.

If it makes you feel mores secure, then by all means add technocrat's code. It won't hurt anything, that's for sure Wink.

And just for future reference, I'm not saying I won't add this into a future release but as long as a patch is out there then there is no need, imo, to rush out another release.
 
View user's profile Send private message
Raven
PostPosted: Tue Dec 13, 2005 10:48 pm Reply with quote

I have been working on this tonight after I saw a post by felosi at another site. I have a very easy fix that I will post as soon as a couple others test it out.
 
Raven
PostPosted: Tue Dec 13, 2005 11:19 pm Reply with quote

I've tested this and it should close many holes that the kiddies never spotted Wink. I am posting it here and in a separate post of its own.

My thanks to Technocrat for staying on my case about this Cheers

Edit includes/nukesentinel.php file,

FIND
function st_clean_string($cleanstring) {

AFTER ADD
$cleanstring = str_replace($cleanstring,strtoupper($cleanstring),$cleanstring);

Should Now Look Like
function st_clean_string($cleanstring) {
$cleanstring = str_replace($cleanstring,strtoupper($cleanstring),$cleanstring);
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Wed Dec 14, 2005 9:17 am Reply with quote

So no more onion attacks? lol!!!

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
Raven
PostPosted: Wed Dec 14, 2005 10:19 am Reply with quote

Can't make that claim (yet). But, we've certainly made a lot more layers to peel Wink
 
technocrat
PostPosted: Wed Dec 14, 2005 10:24 am Reply with quote

RavensScripts
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©