Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
ballymuntrev
Hangin' Around


Joined: Mar 22, 2004
Posts: 49

PostPosted: Fri Mar 26, 2004 1:41 pm Reply with quote

ffs, another one ! I reckon the phpBB codeing group should employ chatserv and Raven to look over their code and improve *before* they ever release it.

Any idea's guys on how to fix it ?

Only registered users can see links on this board! Get registered or login!

That link is the direct link to the exploit.
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Fri Mar 26, 2004 1:54 pm Reply with quote

You know, this is pathetic. I'm sorry to be so harsh, but it is. Actually they should pass their code by the guy who wrote the exploit Evil or Very Mad
 
View user's profile Send private message
ballymuntrev
PostPosted: Fri Mar 26, 2004 2:11 pm Reply with quote

Here is the problem code of privmsg.php

EDIT: I'll just remove the code here that I entered, in case it confuses things Smile


Last edited by ballymuntrev on Fri Mar 26, 2004 2:25 pm; edited 1 time in total 
Raven
PostPosted: Fri Mar 26, 2004 2:14 pm Reply with quote

I've read the exploit and ultimately it's still the UNION exploit, if I read it correctly. The code isn't quoted properly.
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Fri Mar 26, 2004 2:39 pm Reply with quote

The hack alert script and similar protection lines block this attack, i assume one is to remove the . in $pm_sql_user .= " but i'll wait for phpBB group's reaction.

sigh
 
View user's profile Send private message Visit poster's website
Tank863
New Member
New Member


Joined: May 29, 2003
Posts: 16

PostPosted: Fri Mar 26, 2004 10:10 pm Reply with quote

I have tried this on my site...

Raven's Hack Alert stopped it and sent me an email.
Protector Stopped it and recorded it.
Admin Secure sent me an email and stopped it.

Good deal..

Tank863
 
View user's profile Send private message
Johan1982
New Member
New Member


Joined: Oct 23, 2003
Posts: 24

PostPosted: Fri Mar 26, 2004 11:26 pm Reply with quote

See this Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Johan1982
PostPosted: Fri Mar 26, 2004 11:58 pm Reply with quote

This I do not understand, privmsg.php comes as it says the patch Rolling Eyes Rolling Eyes
 
Johan1982
PostPosted: Sun Mar 28, 2004 8:43 pm Reply with quote

chatserv wrote:
The hack alert script and similar protection lines block this attack, i assume one is to remove the . in $pm_sql_user .= " but i'll wait for phpBB group's reaction.

sigh


Correct, check Only registered users can see links on this board! Get registered or login!

Remove the . .
 
chatserv
PostPosted: Sun Mar 28, 2004 11:43 pm Reply with quote

The current zip and the PHP-Nuke Patched version have it already removed, i took it off the day i posted that comment and since nothing seemed to break i went ahead and edited the file.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©