Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

PostPosted: Thu Feb 05, 2004 4:27 pm Reply with quote

You did? O no...
 
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number
chunk
New Member
New Member


Joined: Jan 22, 2004
Posts: 6

PostPosted: Mon Feb 16, 2004 11:06 am Reply with quote

Raven, I have a question for ya. Do all of these patches for vulnerabilities make their way back to phpnuke.org? I was curious about how all of this is tracked!


-David Smile
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Mon Feb 16, 2004 11:52 am Reply with quote

Most issues surrounding security usually do but not the quick fixes, hacks, etc. There are some that seem to continually get passed by. As to the reason, I guess only the single developer, Francisco Burzi, would know.
 
View user's profile Send private message
chunk
PostPosted: Mon Feb 16, 2004 1:50 pm Reply with quote

Well that said, I have to thank you for all of the quick security fixes you guys have been making. It's a part of my daily ritual to get the latest at Raven PHP... Very Happy
 
Raven
PostPosted: Mon Feb 16, 2004 2:53 pm Reply with quote

And, without Chatserv to constantly be on the prowl, we all would be up that proverbial creek Wink
 
karakas
Hangin' Around


Joined: Feb 20, 2004
Posts: 29

PostPosted: Sat Feb 28, 2004 7:09 am Reply with quote

That's right! Chatserv deserves many donations to his karma account for his dedication! Smile

For those of you who care about the security of their PHP-Nuke and want to read more about, read the Only registered users can see links on this board! Get registered or login!, especially the chapter on Only registered users can see links on this board! Get registered or login!.

Download the PHP-Nuke HOWTO in the format of your choice from the Only registered users can see links on this board! Get registered or login!. Notice that there is a module version of it too, i.e. you can install the Only registered users can see links on this board! Get registered or login! on your site.
 
View user's profile Send private message Visit poster's website
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Sat Feb 28, 2004 10:04 am Reply with quote

The bank account could use some donations too Razz

Thanks for the compliments. Wink
 
View user's profile Send private message Visit poster's website
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Mon Mar 01, 2004 7:44 pm Reply with quote

I've been finding when including a script (Like Raven's for instance hack.php).
When you don't want to use header location to redirect to the script. Its helpful to add something like chatservs message just above the include, before the exit or die function. This allows an instant of time to process the include before the exit or die command takes over.

In my case the include script grabs as much info as it can and dumps it into MySQL. So it needed this instant of time or the include failed.

If I do it the opposite the message after the include it fails too. (Strange)

Example:
Code:


if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
                  echo "Go Play Somewhere Else!";
                  include("verify.php");
               
               exit;
               }

Twisted Evil
And the DoS it with 10,000 requests to localhost wink* just kidding I'd never do a thing like that.
 
View user's profile Send private message
Raven
PostPosted: Mon Mar 01, 2004 8:26 pm Reply with quote

Have you tried the sleep() function Only registered users can see links on this board! Get registered or login! ?
 
sixonetonoffun
PostPosted: Mon Mar 01, 2004 10:09 pm Reply with quote

Yeah, actually I didn't think of it but yeah that works slick since nothing is echo'd to the browser no need to flush().

I did some "eyeball" cpu monitering and the usuage in this fashion is conservative almost not worth noting.
 
chatserv
PostPosted: Tue Mar 02, 2004 12:21 am Reply with quote

Raven wrote:
Have you tried the sleep() function Only registered users can see links on this board! Get registered or login! ?

A sleep function suggested by someone that is online 30 hours per day Shocked
 
Raven
PostPosted: Tue Mar 02, 2004 5:10 am Reply with quote

Hello pot? This is kettle. <MUHAHAHAHA> BTW, the new server is ordered Laughing
 
diabluntd
Hangin' Around


Joined: Mar 19, 2004
Posts: 31

PostPosted: Fri Mar 19, 2004 12:08 pm Reply with quote

chatserv wrote:
Makes sense, in that case i'd make it:
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) { 

echo "die";
exit;
}

The only difference is that no file needs to be created.

When i put that code at the top of my mainfile.php and upload it i get errors on every page.

here is some of the error...
Code:
= explode(":", $user2); if($t_cookie[9]=="") $t_cookie[9]=$Default_Theme; if(isset($theme)) $t_cookie[9]=$theme; if(!$tfile=@opendir("themes/$t_cookie[9]"))

and it ends with
Code:
Fatal error: Call to undefined function: paid() in /home/virtual/site5/fst/var/www/html/banners.php on line 29


running 7.1 with 7.1patched installed. i got hacked today so i'm double checking everything. any ideas?
 
View user's profile Send private message
Raven
PostPosted: Fri Mar 19, 2004 12:15 pm Reply with quote

I just sent you a PM, but let's communicate here. If 7.1 patched did not stop the hack then there may be another hole. Check your logs and find what he did to get in. BTW, my alert code is not the same as what you quote here. In your PM you said you were using my alert script.
 
chatserv
PostPosted: Fri Mar 19, 2004 12:32 pm Reply with quote

The line in PHP-Nuke Patched is not the one quoted either, it's:
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: index.php");
 
diabluntd
PostPosted: Fri Mar 19, 2004 12:37 pm Reply with quote

Raven wrote:
In your PM you said you were using my alert script.
I get the error with both. I was trying your alert code first then the one from above. Same thing happens.

No error log in nuke installed so i can't get any logs for you.
 
chatserv
PostPosted: Fri Mar 19, 2004 12:46 pm Reply with quote

On a side note here's a nice extra by DisgruntledTech

File: db/mysql.php
find:
Code:
if($query != "")

change to:
Code:
if($query != "" AND !stristr($query, "UNION"))
 
Raven
PostPosted: Fri Mar 19, 2004 12:47 pm Reply with quote

diabluntd wrote:
Raven wrote:
In your PM you said you were using my alert script.
I get the error with both. I was trying your alert code first then the one from above. Same thing happens.

No error log in nuke installed so i can't get any logs for you.
You need to look in your server access log.
 
chatserv
PostPosted: Fri Mar 19, 2004 12:53 pm Reply with quote

diabluntd wrote:
No error log in nuke installed so i can't get any logs for you.

The log file in question is not part of Nuke, contact your webhost provider and request a copy of your site's access log.
 
diabluntd
PostPosted: Fri Mar 19, 2004 2:35 pm Reply with quote

chatserv wrote:
diabluntd wrote:
No error log in nuke installed so i can't get any logs for you.

The log file in question is not part of Nuke, contact your webhost provider and request a copy of your site's access log.
the guy just left work for now but i'll get it later. earlier he said there was nothing in the httpd log... not sure if it's a different log.

and chat, from what i read doesn't the fix from disgruntled leave the site open for a post/thread error if the word "union" is ever used?

thanks for responding. you guys rule.
 
chatserv
PostPosted: Fri Mar 19, 2004 3:07 pm Reply with quote

The word union is not used in Nuke's core files so i guess that's what was taken into consideration when modifying the line, either way the same thing would happen with the line on mainfile.php since you most likely will have to include mainfile.php in any third party add-on so that it can grab Nuke's variables.
 
Raven
PostPosted: Fri Mar 19, 2004 4:06 pm Reply with quote

Actually I have to disagree here. DGT is filtering EVERY query to the database so you will have false positives. Union can very well be valid if you are writing queries to v4.x . The mainfile.php fix is looking for the word UNION in the URI query string, eg. GET, where it should never be.
 
chatserv
PostPosted: Fri Mar 19, 2004 4:27 pm Reply with quote

Yep, but as i said by default Nuke does not use the term, either way there's more than enough to choose from and on my sites i'm using the hack alert script and building up a decent ip ban list, for some unknown reason Very Happy my sites tend to get quite a few attacks. I have been using DGT's mod and so far no section has acted up, we'll see...
 
sixonetonoffun
PostPosted: Fri Mar 19, 2004 8:05 pm Reply with quote

Might (BadWord?) check out the filter for pnAntiCracker. The cookie filtering is something no one has applied to PHPNuke as far as I know?

Bullet proof code would be light speed faster but... I know I'm not that cocky... YET.

Ooops forgot the url: Only registered users can see links on this board! Get registered or login!
 
sixonetonoffun
PostPosted: Sat Mar 20, 2004 10:02 am Reply with quote

Actually that PN code was flakey the cvs was updated in cvs after that post with simpler checking.

What I get out of it is that the way to get around the filter is to pass an array of nasty code? Anyone?
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©