Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Tue Dec 13, 2005 11:30 pm Reply with quote

Nuke Platinum sites and regular phpnuke site are being exploited with a variation of an old exploit that was fixed in Patch Level 3.x and possibly even 2.9. Using a specially crafted url and the UNION modifier, your admin password, in md5 hashed code, can be exposed. The fact that many people use common dictionary words, this information can be used to easily get admin access to your site.

Now for this to happen, you would need to be running a version of phpnuke that is not patched current. NukeSentinel(tm) becomes an accomplice to this because the URL was bypassing the filters in NukeSentinel(tm). Actually, the filters are in there, they just weren't working correctly. With the following fix you should not have to worry. It should also be noted that if you are using NukeSentinel's Admin Auth protection and you have taken our advice and not kept the passwords the same, even if they guess your nuke password they still can't get past NukeSentinel(tm). That's a safety net but not the full soultion.

I've tested this and it should close many holes that the kiddies never spotted Wink. I am posting it here and in a separate post of its own. My thanks to Technocrat for staying on my case about this Cheers

Edit includes/nukesentinel.php file,

FIND
function st_clean_string($cleanstring) {

AFTER ADD
$cleanstring = str_replace($cleanstring,strtoupper($cleanstring),$cleanstring);

Should Now Look Like
function st_clean_string($cleanstring) {
$cleanstring = str_replace($cleanstring,strtoupper($cleanstring),$cleanstring);


Please note that users of RavenNuke76 are not affected by this Smile
 
View user's profile Send private message
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Wed Dec 14, 2005 1:30 am Reply with quote

Thanks, Raven! You're doing a great job!

It's odd how these security issues always comes in spurts, no?

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Wed Dec 14, 2005 5:08 am Reply with quote

lol...it never ends huh...
but ehh...c'mon guys...dont think that everybody is going to update with the 3.1 patch....
i think it would be wise to publish the vunerable parts that should be checked/patched...
the majority of what i know isnt on the 3.1,but non of them were ever hacked also...
thing also is that using the 3.1 chances are parts of your site wont be functional anymore....
so i think that publishing the few checkup steps would be helpfull to many...
and if not,then they will end up here with a hacked site...
 
View user's profile Send private message
AFaisal
New Member
New Member


Joined: Nov 07, 2002
Posts: 2

PostPosted: Wed Dec 14, 2005 5:40 am Reply with quote

Hi,

I want to get help from you. My site using php-nuke 7.9 patch 3.1 and Nukesentinel 2.4.2. I just want to make sure that my site is secure, so please let me know if you can exploit my site. Only registered users can see links on this board! Get registered or login!

Regards,
AFaisal
 
View user's profile Send private message
Raven
PostPosted: Wed Dec 14, 2005 8:25 am Reply with quote

hitwalker wrote:
lol...it never ends huh...
but ehh...c'mon guys...dont think that everybody is going to update with the 3.1 patch....
i think it would be wise to publish the vunerable parts that should be checked/patched...
the majority of what i know isnt on the 3.1,but non of them were ever hacked also...
thing also is that using the 3.1 chances are parts of your site wont be functional anymore....
so i think that publishing the few checkup steps would be helpfull to many...
and if not,then they will end up here with a hacked site...
that's why I published the fix Wink
 
Raven
PostPosted: Wed Dec 14, 2005 8:26 am Reply with quote

AFaisal wrote:
Hi,

I want to get help from you. My site using php-nuke 7.9 patch 3.1 and Nukesentinel 2.4.2. I just want to make sure that my site is secure, so please let me know if you can exploit my site. Only registered users can see links on this board! Get registered or login!

Regards,
AFaisal

I do not offer that 'service'. You can find all the hacks you need to test on your own by googling Smile
 
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Wed Dec 14, 2005 10:24 am Reply with quote

AFaisal - Applying the patch above and what you have now "should" stop most current hacks and the ones that I am watching the script kiddies mess with. Who knows what tomorrow might bring. Sad

Raven - I am glad we could agree finally Smile I think its better for everyone

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
diyadin2
New Member
New Member


Joined: Dec 25, 2004
Posts: 1

PostPosted: Wed Dec 14, 2005 10:34 am Reply with quote

Thanks Raven
 
View user's profile Send private message
Mojo742
New Member
New Member


Joined: Nov 03, 2005
Posts: 6

PostPosted: Wed Dec 14, 2005 8:46 pm Reply with quote

I am looking to patch my site to 3.1... will i have to add the file edits for NukeSentinel again after that?
 
View user's profile Send private message
AFaisal
PostPosted: Wed Dec 14, 2005 9:18 pm Reply with quote

I have add line above in includes/nukesentinel.php.
Can someone PM me how to test injection my site ? I think this is funny if I asked you. I am not programmer, I am only user.
 
Raven
PostPosted: Wed Dec 14, 2005 9:31 pm Reply with quote

Only registered users can see links on this board! Get registered or login!
 
VinDSL
PostPosted: Thu Dec 15, 2005 3:17 am Reply with quote

Raven wrote:
http://www.zone-h.org/en/advisories/read/id=8510/

If you'll pardon the pun: "Oh, what a tangled *web* we weave, when first we practice to decieve."

Ever heard the rarely mentioned second line? "But my how we improve the score, as we practice more and more." ROTFL
 
Raven
PostPosted: Thu Dec 15, 2005 4:19 am Reply with quote

How true -- how true. I have to commend felosi for his quick reaction to my response. See Only registered users can see links on this board! Get registered or login!
 
SpaceMonkey
Worker
Worker


Joined: Apr 30, 2005
Posts: 170

PostPosted: Thu Dec 15, 2005 5:49 am Reply with quote

Can anyone let me know the dates that the various patches have been released? I've updated a couple of times...

How can I tell what version I'm running?
 
View user's profile Send private message Visit poster's website
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Thu Dec 15, 2005 10:18 am Reply with quote

12/07/04 - Version 2.8
02/15/05 - Version 2.9
04/29/05 - Version 3.0
06/24/05 - Version 3.0 For PHP-Nuke 7.8
07/28/05 - Version 3.1

3.1 had a few changes done to it shortly after it was released, if you downloaded it in the past two months then you have the latest version that is available for downloading.
 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Sun Dec 18, 2005 12:32 am Reply with quote

UPDATE: The previous fix works but it was causing some links in the admin screen to not function correctly (see Only registered users can see links on this board! Get registered or login! ). So, here is yet another, not so elegant, fix that should make all yhings well again Wink

Edit includes/nukesentinel.php file

FIND AND REPLACE THIS ENTIRE FUNCTION (UPDATED 12/18/2005
Code:
function st_clean_string($cleanstring) {}


WITH THIS

Code:
function st_clean_string($cleanstring) {

  $st_fr1 = array("%00", "%01", "%02", "%03", "%04", "%05", "%06", "%07", "%08", "%09", "%10", "%11", "%12", "%13", "%14", "%15", "%16", "%17", "%18", "%19", "%20", "%21", "%22", "%23", "%24", "%25", "%26", "%27", "%28", "%29", "%30", "%31", "%32", "%33", "%34", "%35", "%36", "%37", "%38", "%39", "%40", "%41", "%42", "%43", "%44", "%45", "%46", "%47", "%48", "%49", "%50", "%51", "%52", "%53", "%54", "%55", "%56", "%57", "%58", "%59", "%60", "%61", "%62", "%63", "%64", "%65", "%66", "%67", "%68", "%69", "%70", "%71", "%72", "%73", "%74", "%75", "%76", "%77", "%78", "%79");

  $st_to1 = array("", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", " ", "!", "\"", "#", "$", "%", "&", "'", "(", ")", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "@", "A", "B", "C", "D", "E", "F", "G", "H", "I", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "`", "a", "b", "c", "d", "e", "f", "g", "h", "i", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y");

  $st_fr2 = array("%0A", "%0B", "%0C", "%0D", "%0E", "%0F", "%1A", "%1B", "%1C", "%1D", "%1E", "%1F", "%2A", "%2B", "%2C", "%2D", "%2E", "%2F", "%3A", "%3B", "%3C", "%3D", "%3E", "%3F", "%4A", "%4B", "%4C", "%4D", "%4E", "%4F", "%5A", "%5B", "%5C", "%5D", "%5E", "%5F", "%6A", "%6B", "%6C", "%6D", "%6E", "%6F", "%7A", "%7B", "%7C", "%7D", "%7E", "%7F", "%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%1a", "%1b", "%1c", "%1d", "%1e", "%1f", "%2a", "%2b", "%2c", "%2d", "%2e", "%2f", "%3a", "%3b", "%3c", "%3d", "%3e", "%3f", "%4a", "%4b", "%4c", "%4d", "%4e", "%4f", "%5a", "%5b", "%5c", "%5d", "%5e", "%5f", "%6a", "%6b", "%6c", "%6d", "%6e", "%6f", "%7a", "%7b", "%7c", "%7d", "%7e", "%7f");

  $st_to2 = array("", "", "", "", "", "", "", "", "", "", "", "", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "J", "K", "L", "M", "N", "O", "Z", "[", "\\", "]", "^", "_", "j", "k", "l", "m", "n", "o", "z", "{", "|", "}", "~", "", "", "", "", "", "", "", "", "", "", "", "", "", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "J", "K", "L", "M", "N", "O", "Z", "[", "\\", "]", "^", "_", "j", "k", "l", "m", "n", "o", "z", "{", "|", "}", "~", "");

  $cleanstring = str_replace($st_fr1, $st_to1, $cleanstring);
  $cleanstring = str_replace($st_fr2, $st_to2, $cleanstring);
  return $cleanstring;
}
 
phoenix-cms
Worker
Worker


Joined: Aug 05, 2005
Posts: 139

PostPosted: Sat Dec 24, 2005 3:32 am Reply with quote

after looking into this my phpnuke that i building code name phoenix
uses that same search module from nukestyles and phpnuke 7.9 filter does not seem to be affected.

maybe the filter code be backported into patched?

_________________
Evo 3.0 Developer & nukecops.com Admin
Image
coming soon Only registered users can see links on this board! Get registered or login! Smile 
View user's profile Send private message Send e-mail
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Sat Dec 24, 2005 9:04 am Reply with quote

VinDSL wrote:
Thanks, Raven! You're doing a great job!

It's odd how these security issues always comes in spurts, no?

Probably ties in with school holidays lmao
 
View user's profile Send private message Send e-mail
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©