Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Tue Jun 08, 2004 6:47 am Reply with quote

We are aware that some new exploits/advisories have been issued concerning phpnuke and we are looking into those reports right now. If we find that they are legitimate, we will determine a solution and will make it/them available ASAP.
 
View user's profile Send private message
Scribbles
Client



Joined: Feb 09, 2004
Posts: 8

PostPosted: Tue Jun 08, 2004 7:36 pm Reply with quote

Thank you!

Scribbles
 
View user's profile Send private message
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

PostPosted: Fri Oct 08, 2004 6:36 pm Reply with quote

Are we talking about the possible new exploits to the new nuke 7.5 Admin area?
If so, it is nice to know that FB is still releasing insecure code for others to fix.

I don't want to get into a flaming war here (not today anyway I have a headache) but can anyone tell me if FB actually does any vulnerability checking before releasing new code or updated code.

Looking forward to any posted fixes so I can breath a sigh of relief.
 
View user's profile Send private message Send e-mail
Raven







PostPosted: Fri Oct 08, 2004 8:43 pm Reply with quote

The original post is from June 8, 2004. Those items were fixed immediately. As a matter of fact, we had some of them fixed before they ever went public as they were variations on a theme. RavensScripts
 
hozay
New Member
New Member



Joined: Dec 05, 2004
Posts: 19

PostPosted: Sun Dec 12, 2004 1:44 am Reply with quote

LOL thats the cutest.. funiest little emoticon/avatar i have ever seen lol

good luck and from all the php users... thnx for looking out for us Wink Very Happy
 
View user's profile Send private message
j_felosi
Regular
Regular



Joined: Oct 17, 2005
Posts: 51

PostPosted: Sun Oct 23, 2005 6:07 pm Reply with quote

phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit
[ Only registered users can see links on this board! Get registered or login! ]

There is a new advisory for phpbb 2.017 I do not know if this affects the bb2nuke. Also most people have remote avatar uploading disabled. might be worth a look see.

Sorry if this is the wrong place to post this. I had seen this thread and figured it was for security advisories
 
View user's profile Send private message
64bitguy
The Mouse Is Extension Of Arm



Joined: Mar 06, 2004
Posts: 1164

PostPosted: Sun Oct 23, 2005 9:47 pm Reply with quote

This has been a known problem for a great deal of time. The fact is, webmasters should have that feature turned off for a variety of reasons, but the major reason being vulnerabilities.

Simply go to Forum Admin/General Configuration and disable "Enable remote avatars" to solve this problem.

If people want to have an avatar, they can pick one from the gallary or upload one. You shouldn't need to remote feed one in the first place.

_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance. 
View user's profile Send private message
j_felosi







PostPosted: Mon Oct 24, 2005 12:26 am Reply with quote

Yes, Ive always had them disabled cause i provide a huge archive and if someone wanted one of their own I had them email it to me, part of the reason for the huge galleries. Well, I think in that report it said that phpbb will be upgrading to 2.018 soon. If its just over that small vulnerabilty then I wouldnt even bother upgrading.
 
VinDSL
Life Cycles Becoming CPU Cycles



Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Mon Oct 24, 2005 3:27 am Reply with quote

64bitguy wrote:
If people want to have an avatar, they can... upload one...

It's 2:30AM here, and my eyes are getting tired, so maybe I'm misreading the advisory, but this seems to be a *new* XSS-like exploit involving HTML code masqerading as avatars being uploaded to phpBB web boards (all versions), with visitors running Internet Explorer (all versions) as the intended victims. It could be used to steal cookie info and send it to a remote location.
[ Only registered users can see links on this board! Get registered or login! ]

That's a new one to me... Wink Am I reading this all wrong?

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::. 
View user's profile Send private message Visit poster's website ICQ Number
64bitguy







PostPosted: Mon Oct 24, 2005 10:10 am Reply with quote

No, it is an OLD exploit relating to people running a REMOTE avatar. Hence the XSS like vulnerability. Uploading the file from a "browsed" local path is totally different and is NOT exposed to any vulnerability because you can't browse an http address.

Again, if you disable remote loading, there is no problem
 
j_felosi







PostPosted: Mon Oct 24, 2005 11:08 am Reply with quote

I seen there is a new one for nuke 7.8 too now, it says for Nuke 7.8 with all security fixes and patches, probably earlier. Glad I listened to you and went with 7.6 The exploit has union strings all in it so Im sure sentinel will take care of it [ Only registered users can see links on this board! Get registered or login! ]
or [ Only registered users can see links on this board! Get registered or login! ]

I think the whole nuke community is tired of hearing about 7.7-7.9
I have tried the 7.9 and 7.8 and I like my 7.6 the best, I can go to bed and rest easier at night with it.
It seems to me a lot of people dont know about the admin ip lock that was released at platinumods. I took the one from evo and used it for ranges. Its a big help and a big assurance that even if your site was comprimised nothing could be done because when they got the admin page they would just see an inavlid ip message. Its a real easy mod to add and I use it on modules/forums/admin/pagestart.php, admin.php, and your account/admin.php I posted it on techno's site for him to look at and maybe make better instructions..lol
Here it is [ Only registered users can see links on this board! Get registered or login! ]
Ive shared this with a lot of friends, it may be a good download to add.
 
64bitguy







PostPosted: Mon Oct 24, 2005 12:21 pm Reply with quote

The exploit that you describe is protected by NukeSentinel. Several people have been trying to run that exact exploit against my 7.8 after-patched domain to no avail.

Also, I should point out that while I really like the Platinummods IP address validation function, if you have NukeSentinel's second layer of password protection on your admin file (CGI Authentication) you shouldn't really need another layer of protection, but I guess you can never be too careful now can you?
 
j_felosi







PostPosted: Mon Oct 24, 2005 12:56 pm Reply with quote

No I have the http auth, always had problems from the cgi auth plus I thought it might messup my ip deny on cpanel. But I think with the http auth with one real good password and then your admin with a different real good password, and then the ip lock. I feel safe. Im a strictler for passwords Ive attempted to crack my hash numerous times but none of the onlie ones would. And yes i love that about nuke sentinel, But that was another reason I ditched the platinum over an old hash exposijng exploit because I look at nukesentinel as a protection against unknown threats and against people who try so it will ban them. I feel better knowing that the nuke itself is protected against all known exploits.
 
VinDSL







PostPosted: Mon Oct 24, 2005 6:48 pm Reply with quote

64bitguy wrote:
No, it is an OLD exploit relating to people running a REMOTE avatar. Hence the XSS like vulnerability. Uploading the file from a "browsed" local path is totally different and is NOT exposed to any vulnerability...

Hrm...

I guess this is what confuses me...

Quote:
As a Proof of Concept here is a ready made JPG file: (Save target as) [ Only registered users can see links on this board! Get registered or login! ] . Upload this (from its current location, or your HTTP server) as an avatar to phpBB (or as I believe - any Bulletin Board system). In your avatar an invalid image (red X) will appear, but when you navigate to it's current location (e.g. [ Only registered users can see links on this board! Get registered or login! ] you will see an alert with your cookie.

The way I'm reading it, the perp has to UPLOAD the avatar to phpBB, but it doesn't work if they do it from their local machine (as you said). However, it DOES work if they UPLOAD it to phpBB from a remote HTTP server.

It's a subtle difference, but still requires uploading an avatar to phpBB, to my way of understanding... Wink
 
64bitguy







PostPosted: Tue Oct 25, 2005 12:40 am Reply with quote

Well, again.. that is why I said to disable that function which eliminates the vulnerability.
 
izone
Involved
Involved



Joined: Sep 07, 2004
Posts: 354
Location: Sweden

PostPosted: Tue Oct 25, 2005 2:38 pm Reply with quote

Talking about Exploit, I have seen this one against Weblinks and Downloads modules today. It will be great if you could say how to fix this one.
[ Only registered users can see links on this board! Get registered or login! ]

or how worried we should be about it?
 
View user's profile Send private message
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

PostPosted: Tue Oct 25, 2005 3:09 pm Reply with quote

I cannot exploit it in the latest Patched files. It looks fixed to me.

SecurityFocus really should put a link to the Patched files. I tried to email them once, but all I get was spam back.

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
View user's profile Send private message Visit poster's website
j_felosi







PostPosted: Tue Oct 25, 2005 6:58 pm Reply with quote

Im moderator at zone-h forum and publish news sometimes there. I have not linked the patch files for the new 7.8 exploit yet cause they say that its actually for 7.8 with all fixes. So in the matter of 7.7-7.9 exploits I just advise people to go to the patched 7.6 with NukeSentinel. If you get some free time Evaders, come check out zone-h.org in the forums where the public exploits are posted and perhaps leave a link or two to some fixes. I can also post the link to the fixes in the advisory section.
 
evaders99







PostPosted: Tue Oct 25, 2005 8:30 pm Reply with quote

It does depend on what fixes they are refering to. Is it just the one FB released... Obviously whatever "fixes" FB releases are not enough. Especially since FB doesn't go back to fix his packages. He just wants you to buy his latest untested release.

The Patched files fix this issue: [ Only registered users can see links on this board! Get registered or login! ]
And this issue if chatserv has updated the package download [ Only registered users can see links on this board! Get registered or login! ]
(See [ Only registered users can see links on this board! Get registered or login! ] )

---

To this exploit [ Only registered users can see links on this board! Get registered or login! ]
I'm sure its been Patched already.

And to this exploit [ Only registered users can see links on this board! Get registered or login! ]
I've been unable to use the script to exploit the Patched phpNuke system.
Web_Links and Downloads was the previous SecurityFocus one.
The Your_Account one, I've suggested changes to fix the potential vulnerablity, even if I cannot exploit it myself.


I don't see these on Zone-H.org - but I'll try to keep people updated with code changes to the latest Patched files. (Oh btw, where's your forums exactly? Can't seem to find it)
 
j_felosi







PostPosted: Tue Oct 25, 2005 9:46 pm Reply with quote

[ Only registered users can see links on this board! Get registered or login! ]

Ill ask the head admin if its ok to go ahead and post the fixes in the advisories but for now Ill post them in the forums. We get a lot of nuke users coming through but lately most have abandoned it. truth is sites like ours and securityfocus give nuke such a bad name, they tell people dont use it no matter what. And now you got people writing the exploits for the patched 7.7.-7.9 and then that looks even worse cause people think that since those are latter versions they must be more secure than the older ones. We know that is wrong but most people dont.
 
evaders99







PostPosted: Wed Oct 26, 2005 1:27 pm Reply with quote

Agreed - part of the problem is that people don't update their sites as they should. Most people only bother after they've been hacked.. a reactive response, rather than updating as a proactive measure.

Second, the Patched files need to be updated constantly, reliably. And needs to draw a bigger user base as the first thing to do after installing phpNuke. I'm trying some things on my site to draw attention to the changes, and get proper patches distributed. It updates packages from the CVS every 24 hrs, so people will always get the latest download. [ Only registered users can see links on this board! Get registered or login! ]

Do people need these individual fixes as code? Or can we just point them to the Patched files?
 
j_felosi







PostPosted: Wed Oct 26, 2005 2:33 pm Reply with quote

Ill just post a link or the code, it dont matter, we have already started this with linux, phpmyadmin, other cms, so might as well do all we can for nuke. I want to destroy the illusion of phpnuke being so insecure which I have in fact shown my 7.6 site is secure, but among the security community you say phpnuke and people automatically says dont do nuke, its so bad and all that. Like I said before people think cause there is so many exploits out for patched 7.8-.7.9 that all nuke must be even worse cause these are the latest versions. People have to realize you can have a secure nuke site but I always reccomend chatserv's 7.6, the one here with the patch files already done.
 
jaiib
New Member
New Member



Joined: Apr 06, 2007
Posts: 11
Location: India

PostPosted: Wed Nov 21, 2007 8:51 am Reply with quote

Dear Sir,

Our website [ Only registered users can see links on this board! Get registered or login! ] is hacked by some one,

They have change my admin password also,

How can I get our site as previous seen,

Plz urgent guide me,

how can I remove there banner in front of our website

They Have Written that Text in Our JAIIB SITE

*********************************************************

.....:.:.:.::::Razz::worship::N:::E::Very Happy:::::.:.:.:......

Pwned
Pnwed By Lucky & Brett
!!..Secure Your s**t..!!
Server security = %0
Secure Hosting = [ Only registered users can see links on this board! Get registered or login! ]


*********************************************************

Guide me How can I remove this and start as previous seen site

Thanks

http://www.jaiib.org/index.php

_________________
Best Regards


JAIIB TEAM 
View user's profile Send private message Visit poster's website
Raven







PostPosted: Wed Nov 21, 2007 9:16 am Reply with quote

Use phpMyAdmin and edit the CONFIG table. Look for the 3 footer fields. That's normally where they put this crap. Then, edit your USERS table and change your password. Be sure to select the MD5 encryption from the select box right beside where you type in your new password before saving. Then edit your AUTHORS table. Delete any admin record which is in there that doesn't belong. Then change your password the same way as you did your user name password. That should allow you to restore your site but it does nothing to stop them from doing it again unless they just happened to guess your id and password which is possible but unlikely.

If you do not have NukeSentinel(tm) installed I'd recommend getting it installed immediately. If you do not know how they broke in to your site then you will need to scour over your server access and error logs to try to figure it out.

What version of nuke are you using?
Is it up to the current patch level of 3.2 or 3.3?
What third party add-ons are you using?
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©