Ravens PHP Scripts: Forums
Raven (Site Admin/Owner, joined Aug 27, 2002, 17077 posts)
Posted: Thu Feb 05, 2004 6:10 am

Sites are being exposed even as I write this! This is still in 7.0 and 7.1. Check your modules/Reviews/index.php file for the following code. There should be 2 instances.

WHERE id=$id

If you have it, then you MUST modify it to

WHERE id='$id'

Otherwise your admin passwords can be exposed. They are still encrypted, but depending on how serious someone was to get them, they might! Please note that Chatserv's patches have this fix in them, but FB should have patched his releases by now and hasn't!
 
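How the unquoted and quoted WHERE clauses behave when the id parameter is tampered with, as an added example that is neither code from the post above nor PHP-Nuke's own Reviews module. It assumes the table is named with the usual $prefix convention and only builds the SQL text without running it; the intval() variant is an extra hardening step beyond the quoting fix the post requires.

```php
<?php
// Added example, not PHP-Nuke code: builds the Reviews lookup three ways so
// the effect of the post's quoting fix can be seen without a database.
// $prefix = 'nuke' is an assumption about the table prefix.
$prefix = 'nuke';

// Vulnerable form the post tells you to search for: $id is pasted in raw,
// so anything after the number becomes part of the SQL statement.
function reviews_query_unquoted($prefix, $id) {
    return "SELECT * FROM {$prefix}_reviews WHERE id=$id";
}

// The post's required fix: with quotes, MySQL reads the whole value as one
// string literal and compares it to id, so no extra clause is parsed.
function reviews_query_quoted($prefix, $id) {
    return "SELECT * FROM {$prefix}_reviews WHERE id='$id'";
}

// Extra hardening (not in the post): a review id is always an integer, so
// cast it; anything that is not a number is reduced to 0 before the query.
function reviews_query_int($prefix, $id) {
    $id = intval($id);
    return "SELECT * FROM {$prefix}_reviews WHERE id=$id";
}

// Constructed sample inputs: a normal id and a value that smuggles an extra
// condition through the unquoted form.
$inputs = array('5', '5 OR 1=1');

foreach ($inputs as $id) {
    echo "input: $id\n";
    echo "  unquoted: " . reviews_query_unquoted($prefix, $id) . "\n";
    echo "  quoted:   " . reviews_query_quoted($prefix, $id) . "\n";
    echo "  intval:   " . reviews_query_int($prefix, $id) . "\n";
}
```

Run it from the command line and compare the three statements for the second input: only the unquoted one carries the extra condition into the SQL.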
Raven
Posted: Thu Feb 05, 2004 6:13 am

This particular injection depends on MySQL v4.x being installed. V4.x allows for the SQL UNION operator. In addition to Chat's fixes, you can add a line of code like this to the top of includes/my_header.php:
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hack.php/");

Of course hack.php could be any page you want. You could make it email you or whatever.

[Admin edit: mainfile.php is a better place for this code]


Last edited by Raven on Thu Feb 05, 2004 3:05 pm; edited 1 time in total 
chatserv (Member Emeritus, joined May 02, 2003, 1389 posts, Location: Puerto Rico)
Posted: Thu Feb 05, 2004 7:02 am

Or you can add to the top of header.php:
Code:
$checktheurl = $_SERVER['REQUEST_URI'];
if (preg_match("/UNION/", "$checktheurl")) {
    echo "die";
    exit;
}


[Admin edit: mainfile.php is a better place for this code]
 
Raven
Posted: Thu Feb 05, 2004 8:00 am

chatserv wrote:
Or you can add to the top of header.php:
Code:
$checktheurl = $_SERVER['REQUEST_URI'];
if (preg_match("/UNION/", "$checktheurl")) {
    echo "die";
    exit;
}
This way would kill a domain name that had 'union' in the name as well as 'union' as a parameter, I believe. That's why I opted for the other approach. I also am using this in my .htaccess
Code:
RewriteCond %{QUERY_STRING} "\%20union\%20select" [NC]
RewriteRule ^.*$ /hack.php/ [NC,L,R]
It seems to work in all my testing thus far.
 
chatserv
Posted: Thu Feb 05, 2004 8:09 am

Makes sense, in that case I'd make it:
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
    echo "die";
    exit;
}

The only difference is that no file needs to be created.
 
wraith (Client, joined Sep 13, 2003, 6 posts)
Posted: Thu Feb 05, 2004 10:10 am

I have done "Security Advisory: PHP-Nuke Patched 2.1" by chatserv and SFP also by chatserv, both dated 2004-02-04.

Is this enough or do I need to do more?
And what?

(running 6.8)

luchtzak (New Member, joined Jan 01, 2004, 3 posts)
Posted: Thu Feb 05, 2004 10:13 am

chatserv wrote:
Makes sense, in that case I'd make it:
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
    echo "die";
    exit;
}
The only difference is that no file needs to be created.


I applied this small patch, am I kinda safe now with this security issue?

greetings,

Bart
 
chatserv
Posted: Thu Feb 05, 2004 11:31 am

Any of the variants detailed by Raven and myself will stop the attack that has been described in the past few days. Of course it is always best to add validation to all variables and not just the ones that get hacked. Raven knows this has been done, but we can't do anything about having them incorporated into the dev pack; some have been, with luck all others will be too.
 
chatserv
Posted: Thu Feb 05, 2004 11:34 am

wraith wrote:
I have done "Security Advisory: PHP-Nuke Patched 2.1" by chatserv and SFP also by chatserv, both dated 2004-02-04.

Is this enough or do I need to do more?
And what?

(running 6.8)

The sec-fix patches are designed to either fix bugs or patch vulnerabilities while altering the core files as little as possible. PHP-Nuke Patched, on the other hand, attempts to patch all likely vulnerabilities and changes the abstraction layer on all files to match the new one. If using PNP you don't need any of the sec-fix patches.
 
southern (Client, joined Jan 29, 2004, 591 posts, Location: Texas)
Posted: Thu Feb 05, 2004 11:40 am

Thanks Raven and chatserv. I put in the WHERE fix in modules/Reviews/index.php, the .htaccess and the my_header.php fixes, and I just get the single word 'die' when I run the test [link].

How might I change this to a redirect to, say, the FBI site? Also does the %20 part affect the fixes?


Last edited by southern on Thu Feb 19, 2004 12:02 pm; edited 1 time in total 
Raven
Posted: Thu Feb 05, 2004 11:45 am

Chat's will display 'die'. Mine will redirect to wherever you want. The %20 is very important. It translates to a space.
 
southern
Posted: Thu Feb 05, 2004 12:58 pm

I changed the die to another message, but how do I redirect to some other site or have it email me? Is that in the .htaccess or in the my_header? Does the .htaccess conflict with chatserv's 'die', since the former calls a hack.php and the latter doesn't?
 
Raven
Posted: Thu Feb 05, 2004 1:31 pm

.htaccess is processed before it ever reaches your web page.

To redirect to another site, just replace hack.php with [link].

Here is the type of command you could use to email yourself:
Code:
@mail('admin@yoursite.com', 'Hack Attempt', "$msg", "From: [address hidden by forum]");


I will be publishing more detail on the script I use a little later.
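A stricter version of the query-string check from Raven's and chatserv's earlier posts combined with the mail notification just above, as an added example that is not code from the thread or from PHP-Nuke. It is written for the top of mainfile.php, decodes the query string before matching so the check does not depend on how spaces were encoded, logs the hit with the client address, and answers 403 instead of echoing 'die'; the notify and sender addresses are placeholders.

```php
<?php
// Added example, not from the thread or PHP-Nuke: a hardened variant of the
// stristr()/preg_match() checks posted above, for the top of mainfile.php.
// Both addresses below are placeholders to replace with your own.
define('NOTIFY_ADDRESS', '');                       // '' = log only, no mail
define('NOTIFY_FROM', 'webmaster@example.com');

// Decode the query string first so the match does not depend on how the
// spaces were encoded, then look for UNION ... SELECT as whole words,
// case-insensitively. Whole-word matching keeps a parameter that merely
// contains the word "union" (Raven's concern above) from being blocked.
function looks_like_union_injection($query_string) {
    $decoded = urldecode($query_string);
    return preg_match('/\bunion\b.*\bselect\b/is', $decoded) === 1;
}

// Record the attempt where it is useful to a defender (server error log and
// optionally e-mail), then refuse the request. Nothing from the request is
// echoed back to the client.
function refuse_request($query_string, $remote_addr) {
    $msg = sprintf("[%s] union/select in query string from %s: %s",
                   gmdate('Y-m-d H:i:s'), $remote_addr, $query_string);
    error_log($msg);
    if (NOTIFY_ADDRESS !== '') {
        @mail(NOTIFY_ADDRESS, 'Hack Attempt', $msg, 'From: ' . NOTIFY_FROM);
    }
    header('HTTP/1.0 403 Forbidden');
    exit;
}

if (isset($_SERVER['QUERY_STRING'])
    && looks_like_union_injection($_SERVER['QUERY_STRING'])) {
    refuse_request($_SERVER['QUERY_STRING'], $_SERVER['REMOTE_ADDR']);
}
```

Because it sends a header and exits, it must run before mainfile.php produces any output, i.e. right after the opening PHP tag as Raven advises later in the thread.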
 
southern
Posted: Thu Feb 05, 2004 1:42 pm

Thanks Raven.
 
Raven
Posted: Thu Feb 05, 2004 3:04 pm

It has been concluded that mainfile.php is a better place for the code that we suggested in header.php. I have edited the other posts.
 
southern
Posted: Thu Feb 05, 2004 3:23 pm

Should the code be removed from my_header or does it matter?
 
Raven
Posted: Thu Feb 05, 2004 3:26 pm

It doesn't matter. I am leaving mine in in the event someone finds a mod that uses header and not mainfile. Probably won't happen, and it is a few microseconds of overhead.
 
blith (Client, joined Jul 18, 2003, 977 posts)
Posted: Thu Feb 05, 2004 3:31 pm

Where in the mainfile should we put this? Thanks.
 
Raven
Posted: Thu Feb 05, 2004 3:33 pm

Right after the <? tag
 
southern
Posted: Thu Feb 05, 2004 3:41 pm

Works in mainfile, too, though the 'scram, miscreant' I have lacks a certain... something...
 
Raven
Posted: Thu Feb 05, 2004 3:43 pm

Try the hack on my site and see if you like mine.
 
southern
Posted: Thu Feb 05, 2004 3:55 pm

Well, dang... I ne'er knew you felt that way about me. That's a bunch better than mine!
 
Raven
Posted: Thu Feb 05, 2004 4:12 pm

Try it again. Your attempt revealed a lookup issue in my code. It should be fixed now.
 
southern
Posted: Thu Feb 05, 2004 4:25 pm

OK.. port 4719... but I hope you aren't sending an email to the FBI with my info.
 
Raven
Posted: Thu Feb 05, 2004 4:26 pm

Embarrassed
 