Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

PostPosted: Thu Apr 29, 2004 7:36 am Reply with quote

I don't know if it was the UT code or Fortress but I tried it on a test site and I couldn't post any News, Comments at all.

Anyone else seeing this? I haven't tried the original UT4 code by itself I guess I will try that next.
 
View user's profile Send private message
sixonetonoffun







PostPosted: Thu Apr 29, 2004 7:41 am Reply with quote

Well I went and checked the thread at NC it isn't just me Razz
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Thu Apr 29, 2004 7:52 am Reply with quote

Nope. It's buggy which is what we've come to expect from NC anymore. All I know is, is that I see nothing but other people's 'technology' in it. Even my hackalert script has been doing that for months. With the exception of the base64 code which still doesn't have an exploit that I'm aware of so I don't know what all the broohaha is about that. My hackalert script not only sends an email but it does the IP lookup for whois information. Another big claim is how the attacker won't even know he's been tracked. And that's important - why? Once again, my script will do that. Just comment out the code that displays the CAUGHT screen. Here's something else to consider. The code is stand-alone and read the license carefully. You can't even modify the code for your own purposes w/o written permission. P-L-E-A-S-E. He's done nothing but take other people's established and published code and restructured it. He's given it a name. And he's had to publish 2 fixes since it was announced late yesterday. The first was w/i minutes of the release. Oh well, let the lemmings follow. I actually think he got tired of even his own 'support' staff recommending my and chat's scripts in addition and/or instead of NC's. His ego couldn't handle it Laughing
 
View user's profile Send private message
sting
Involved
Involved



Joined: Sep 23, 2003
Posts: 456
Location: Somewhere out there...

PostPosted: Thu Apr 29, 2004 9:13 am Reply with quote

Quote:
With the exception of the base64 code which still doesn't have an exploit that I'm aware of so I don't know what all the broohaha is about that.


We had a couple of sites that were hacked where the hackers left a nice little message explaining why Hack Alert did not work to protect them. The idiots actually told us how they did it Laughing by informing us that we (at NC) were 'stupid' because they could just use the base64 code to do the same thing. I laughed at the irony of them calling us stupid.

Quote:
You can't even modify the code for your own purposes w/o written permission. P-L-E-A-S-E. He's done nothing but take other people's established and published code and restructured it. He's given it a name. And he's had to publish 2 fixes since it was announced late yesterday. The first was w/i minutes of the release. Oh well, let the lemmings follow.


You know what really gets me? The idea that NC is a free support site to the community. I don't know how much money any of you actually receive for housing these web sites. I know that with the bandwidth expenses I incur on smaller sites that actually do well, the expense has got to be up there. I commend both of you for giving out of pocket to better the community.

Zx has on more than one occasion, as have most people who are extremely active in the Open Source community, been burned by people taking an idea, a piece of code, or the entire thing and removed all trace of authorship. It sucks, and people react in different ways. Couple the expense, the frustration of feeling as though you have been taken advantage of, and add to it all of the HitsFan when NC was up and down for two weeks and you have the current state of affairs.

I was blown away by people who complained the loudest in the forums and yet were not offering any constructive or realistic suggestions on how to fix the problem.

But the thing that gets me even more is the fact that the community is now being dragged through this whole state of affairs.

So here is my open plea to both of you, which I will post at NC as well.

Raven: When I first got into Nuke, you were the one person at NC I could rely on for any question I had, whether you knew it or not. Your code, your experience, and your straight answers propelled me forward by leaps and bounds, and I respected you (and still do) in the community for it.

ZX: You provided the single best central location for me to find the answer to any question I had, and to date still do. Like Raven, your code, your experience, and straight answers have also gotten me to where I am, and I have a great deal of respect for you as well.

You guys are pillars in the nuke community (add Chatserv and a couple of others in there as well - not trying to leave anyone out) and I personally am very grateful for all you both have done.

I honestly don't give a care who writes better code, who has the bigger ego, or whose stuff is the best. I found it really intersting that among some of the NC power users out there, the hybrid code I put together from the both of you was accepted so readily as the code of choice.

PLEASE put this behind you. PLEASE carry on any grievances privately.
PLEASE quit publicly addressing/accusing/bashing/ whatever you want to call it/ one another. (No arguments on this - you both are guilty of at least one of those.) Its an election year. We will get PLENTY of that very soon.

For the sake of the community, for the sake of my sanity, for the sake of the code.

You can't see it, but you guys are a lot better working together (even if working individually together for the community) than you are alone.

Just my ridiculous thoughts.

-sting
 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
Raven







PostPosted: Thu Apr 29, 2004 9:20 am Reply with quote

Sting wrote:
.... I don't know how much money any of you actually receive for housing these web sites...
I receive nothing and have always incurred the full cost. There are some who have given over the time that I have been here and I am thankful for all the support whether monetary or otherwise.
 
sixonetonoffun







PostPosted: Thu Apr 29, 2004 2:24 pm Reply with quote

Anyway I gave up on it I had others places to be this am.

But anyway what I saw was 96-98% cpu hang so I removed it to allow me to get on to other things. Restarted Apache after removing the code and all was well again.

I was planning on testing the base 64 code initially but I'll leave it until there is a more stable release to test with.
 
sixonetonoffun







PostPosted: Thu Apr 29, 2004 5:45 pm Reply with quote

I just downloaded the latest beta (Here I go beta testing again)

Results
It loads
it misses JTIwVU5JT04lMjA=
So either its broke or a myth that it catches base 64 encoding.
 
Raven







PostPosted: Thu Apr 29, 2004 5:47 pm Reply with quote

I should have copyrighted the $loc variable name. He didn't even bother to change it! Oh I know - that's just a coincidence. Any similarity to any code, dead or living, is strictly coincidence. But, as he said, he never cared to look at my code Laughing
 
sixonetonoffun







PostPosted: Thu Apr 29, 2004 7:20 pm Reply with quote

Funniest part is it don't work period this should never been released until it was working. Instead it was harolded as a great advance in internet security since the firewall. Pish-Posh shame on them. They fixed one bug with the title but it still puckers up and blows wind.

I'm really trying to be neutral and objective when testing this but OMG its a blunder from the get go. Take the extra 24 hours and fix the freakin thing instead of releasing another broken POS beta.
 
Maku
New Member
New Member



Joined: Sep 24, 2003
Posts: 15
Location: Estonia

PostPosted: Fri Apr 30, 2004 1:57 am Reply with quote

I have a solution for base64 exploit or i think so. waraxe who discovered this base64 exploit are writed to me a few days ago pm and asked are you like to secure your site and and posted code in pm:
Open your minefile.php and find:
Code:
if (!ini_get("register_globals")) { 

import_request_variables('GPC');
}

Add after below code:
Code:
//------------------------------------------------------------ 

// Smashing up the BroadCastMessage security bug...
if(isset($p_msg))
{
unset($p_msg);
}
//############################################################
//-- Cookie sanitize by Waraxe -------------------------------
if(isset($admin))
{
$admin = base64_decode($admin);
$admin = addslashes($admin);
$admin = base64_encode($admin);
}

if(isset($user))
{
$user = base64_decode($user);
$user = addslashes($user);
$user = base64_encode($user);
}
//############################################################

And he' s comment:
This code should fix this base64 problem (single quotes from base64 string). So you have now 100% secured site for base64 exploit.

I donĀ“t realy know are this code help or not, but i hope it help. Wink
 
View user's profile Send private message Visit poster's website MSN Messenger
Raven







PostPosted: Fri Apr 30, 2004 6:29 am Reply with quote

Maku,

Did he send you the exploit itself? I need to see how the exploit is used. When I researched it, I was unable to reproduce anything. Please PM me the exploit. Thanks.
 
Maku







PostPosted: Fri Apr 30, 2004 6:43 am Reply with quote

No he don't writed this part to me and i asked how i can test it or how i can be sure this code prodect me and he says this code work 100% and prodect you and base64 problems are history now.....thats it.
 
Raven







PostPosted: Fri Apr 30, 2004 6:47 am Reply with quote

I understand about the cleansing code and that's been published before. Please ask him to either send you the exploit info or contact me . Thanks!
 
sixonetonoffun







PostPosted: Fri Apr 30, 2004 6:51 am Reply with quote

Thanks for sharing Maku I hadn't seen this yet. Seems simple and effective. Common sense prevails. I wonder if $cookie should also be gleamed into that?
$cookie[0] = intval($cookie[0]);
$cookie[1] = check_html($cookie[1], nohtml);
This would protect a little in third party modules where we have no control over variable sanitization. Though I believe chatserv has provided simular patching in the core and default modules against this.

Comments?
 
chatserv
Member Emeritus



Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Fri Apr 30, 2004 7:45 am Reply with quote

Take a look at Nuke Patched's mainfile.php, i had suggested this one back in April 14, guess it had merit after all.
[ Only registered users can see links on this board! Get registered or login! ]
[ Only registered users can see links on this board! Get registered or login! ]
 
View user's profile Send private message Visit poster's website
sixonetonoffun







PostPosted: Fri Apr 30, 2004 8:05 am Reply with quote

So we can look for 2.3b for the patched series soon? wink*
 
sixonetonoffun







PostPosted: Fri Apr 30, 2004 8:11 am Reply with quote

Actually all my tests have been on 2.3 april 14 so I those fixes are there already I imagine? I never got around to testing the base 64 code after that initial post I tried the exploit posted and it failed guess thas why huh?
 
chatserv







PostPosted: Fri Apr 30, 2004 8:25 am Reply with quote

2.3 was updated with this code and a fix or 2 on the same day
 
sixonetonoffun







PostPosted: Fri Apr 30, 2004 8:38 am Reply with quote

Ok crystal clear.

Summary if you are running CS patched files 2.3 April 14 release. Your protected against the base 64 exploit. If your not running the patched series you should consider doing so for this and other reasons.

Which goes back to the topic of the UNION exploits if you are running the files above you need only to replace the UNION code at the top of the mainfile.php to reflect the comments /* exploit changes posted here: [ Only registered users can see links on this board! Get registered or login! ]

Leave Fortress alone until they have all the buggies worked out at least.
 
chatserv







PostPosted: Fri Apr 30, 2004 8:54 am Reply with quote

On that note if you are using the latest version of PHP-Nuke Patched do what i, combine it with HackAlert, simply open mainfile.php and find:
Code:
$checkdaurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net 

if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: index.php");

Change to:
Code:
$checkdaurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net 

if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php?$loc");
 
sixonetonoffun







PostPosted: Fri Apr 30, 2004 9:08 am Reply with quote

roflmao so the front page should really read
Updated 4/28/2004
instead of
Updated 4/1/2004
 
chatserv







PostPosted: Fri Apr 30, 2004 9:20 am Reply with quote

Good point, i also think Raven needs to re-download them for the alternative links.
 
Raven







PostPosted: Fri Apr 30, 2004 9:56 am Reply with quote

I just added the alternate links this week so do they have everything they need or do i really need to redownload them?
 
chatserv







PostPosted: Fri Apr 30, 2004 10:07 am Reply with quote

Yes, i believe i applied some fix afterwards. Either way just to be sure...
 
chatserv







PostPosted: Fri Apr 30, 2004 10:10 am Reply with quote

Actually let me re-upload them as my local copy may be newer than the one on the server.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©