SQL Injection Vulnerabilities!

Client Joined: Jan 29, 2004 Posts: 624

You did? O no...

New Member Joined: Jan 22, 2004 Posts: 6

Raven, I have a question for ya. Do all of these patches for vulnerabilities make their way back to phpnuke.org? I was curious about how all of this is tracked!

-David Smile

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Most issues surrounding security usually do but not the quick fixes, hacks, etc. There are some that seem to continually get passed by. As to the reason, I guess only the single developer, Francisco Burzi, would know.

Posted: Mon Feb 16, 2004 1:50 pm

Well that said, I have to thank you for all of the quick security fixes you guys have been making. It's a part of my daily ritual to get the latest at Raven PHP... Very Happy

Posted: Mon Feb 16, 2004 2:53 pm

And, without Chatserv to constantly be on the prowl, we all would be up that proverbial creek Wink

Hangin' Around Joined: Feb 20, 2004 Posts: 29

That's right! Chatserv deserves many donations to his karma account for his dedication! Smile

For those of you who care about the security of their PHP-Nuke and want to read more about, read the PHP-Nuke HOWTO, especially the chapter on Security.

Download the PHP-Nuke HOWTO in the format of your choice from the Formats section. Notice that there is a module version of it too, i.e. you can install the PHP-Nuke HOWTO as a PHP-Nuke module on your site.

Posted: Sat Feb 28, 2004 10:04 am

The bank account could use some donations too Razz

Thanks for the compliments. Wink

Posted: Mon Mar 01, 2004 7:44 pm

I've been finding when including a script (Like Raven's for instance hack.php).
When you don't want to use header location to redirect to the script. Its helpful to add something like chatservs message just above the include, before the exit or die function. This allows an instant of time to process the include before the exit or die command takes over.

In my case the include script grabs as much info as it can and dumps it into MySQL. So it needed this instant of time or the include failed.

If I do it the opposite the message after the include it fails too. (Strange)

Example:

Code:




if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) { 


                  echo "Go Play Somewhere Else!"; 


                  include("verify.php");


                


               exit; 


               }

And the DoS it with 10,000 requests to localhost wink* just kidding I'd never do a thing like that.

Posted: Mon Mar 01, 2004 8:26 pm

Have you tried the sleep() function [ Only registered users can see links on this board! Get registered or login! ] ?

Posted: Mon Mar 01, 2004 10:09 pm

Yeah, actually I didn't think of it but yeah that works slick since nothing is echo'd to the browser no need to flush().

I did some "eyeball" cpu monitering and the usuage in this fashion is conservative almost not worth noting.

Posted: Tue Mar 02, 2004 12:21 am

Raven wrote:

Have you tried the sleep() function [ Only registered users can see links on this board! Get registered or login! ] ?

A sleep function suggested by someone that is online 30 hours per day Shocked

Posted: Tue Mar 02, 2004 5:10 am

Hello pot? This is kettle. <MUHAHAHAHA> BTW, the new server is ordered Laughing

Hangin' Around Joined: Mar 19, 2004 Posts: 31

chatserv wrote:

Makes sense, in that case i'd make it:

Code:

if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) { 


echo "die"; 


exit; 


}

The only difference is that no file needs to be created.

When i put that code at the top of my mainfile.php and upload it i get errors on every page.

here is some of the error...

Code:

= explode(":", $user2); if($t_cookie[9]=="") $t_cookie[9]=$Default_Theme; if(isset($theme)) $t_cookie[9]=$theme; if(!$tfile=@opendir("themes/$t_cookie[9]"))

and it ends with

Code:

Fatal error: Call to undefined function: paid() in /home/virtual/site5/fst/var/www/html/banners.php on line 29

running 7.1 with 7.1patched installed. i got hacked today so i'm double checking everything. any ideas?

Posted: Fri Mar 19, 2004 12:15 pm

I just sent you a PM, but let's communicate here. If 7.1 patched did not stop the hack then there may be another hole. Check your logs and find what he did to get in. BTW, my alert code is not the same as what you quote here. In your PM you said you were using my alert script.

Posted: Fri Mar 19, 2004 12:32 pm

The line in PHP-Nuke Patched is not the one quoted either, it's:

Code:

if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: index.php");

Posted: Fri Mar 19, 2004 12:37 pm

Raven wrote:

In your PM you said you were using my alert script.

I get the error with both. I was trying your alert code first then the one from above. Same thing happens.

No error log in nuke installed so i can't get any logs for you.

Posted: Fri Mar 19, 2004 12:46 pm

On a side note here's a nice extra by DisgruntledTech

File: db/mysql.php
find:

Code:

if($query != "")

change to:

Code:

if($query != "" AND !stristr($query, "UNION"))

Posted: Fri Mar 19, 2004 12:47 pm

diabluntd wrote:

Raven wrote:

In your PM you said you were using my alert script.

I get the error with both. I was trying your alert code first then the one from above. Same thing happens.

No error log in nuke installed so i can't get any logs for you.

You need to look in your server access log.

Posted: Fri Mar 19, 2004 12:53 pm

diabluntd wrote:

No error log in nuke installed so i can't get any logs for you.

The log file in question is not part of Nuke, contact your webhost provider and request a copy of your site's access log.

Posted: Fri Mar 19, 2004 2:35 pm

chatserv wrote:

diabluntd wrote:

No error log in nuke installed so i can't get any logs for you.

The log file in question is not part of Nuke, contact your webhost provider and request a copy of your site's access log.

the guy just left work for now but i'll get it later. earlier he said there was nothing in the httpd log... not sure if it's a different log.

and chat, from what i read doesn't the fix from disgruntled leave the site open for a post/thread error if the word "union" is ever used?

thanks for responding. you guys rule.

Posted: Fri Mar 19, 2004 3:07 pm

The word union is not used in Nuke's core files so i guess that's what was taken into consideration when modifying the line, either way the same thing would happen with the line on mainfile.php since you most likely will have to include mainfile.php in any third party add-on so that it can grab Nuke's variables.

Posted: Fri Mar 19, 2004 4:06 pm

Actually I have to disagree here. DGT is filtering EVERY query to the database so you will have false positives. Union can very well be valid if you are writing queries to v4.x . The mainfile.php fix is looking for the word UNION in the URI query string, eg. GET, where it should never be.

Posted: Fri Mar 19, 2004 4:27 pm

Yep, but as i said by default Nuke does not use the term, either way there's more than enough to choose from and on my sites i'm using the hack alert script and building up a decent ip ban list, for some unknown reason Very Happy

my sites tend to get quite a few attacks. I have been using DGT's mod and so far no section has acted up, we'll see...

Posted: Fri Mar 19, 2004 8:05 pm

Might (BadWord?) check out the filter for pnAntiCracker. The cookie filtering is something no one has applied to PHPNuke as far as I know?

Bullet proof code would be light speed faster but... I know I'm not that cocky... YET.

Ooops forgot the url: [ Only registered users can see links on this board! Get registered or login! ]

Posted: Sat Mar 20, 2004 10:02 am

Actually that PN code was flakey the cvs was updated in cvs after that post with simpler checking.

What I get out of it is that the way to get around the filter is to pass an array of nasty code? Anyone?