Ravens PHP Scripts: Forums
 

 

Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Sat Mar 20, 2004 10:23 am

sixonetonoffun wrote:
Actually that PN code was flakey the cvs was updated in cvs after that post with simpler checking.

What I get out of it is that the way to get around the filter is to pass an array of nasty code? Anyone?
I looked at that code yesterday after you posted it and it seems as if it's just an extension of the mainfile.php code that comes with nuke. I'm not knocking it. I'm just saying that it further refines what is there, which would be a good thing. But (there always is a but) that so restricts even the webmaster when he is trying to write his own articles and such. That approach to SQL injections and XSS attacks will take so much maintenance and you end up having to be a regex guru to code it and maintain it. I truly believe that the better approach is to encapsulate the SQL activities and by using add and strip slashes you will get a 99%, if not higher, success rate.
 
sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

Posted: Sat Mar 20, 2004 10:57 am

It seems best for logging attack attempts and as a catch all against any variables not protected like you say. I really think that the performance hit it gives, if implemented it should be able to be switched off/on as a config option. (Like PN has done). Of course then one has to explain what it tries to do in the documentation.
 
midigod
New Member



Joined: Mar 21, 2004
Posts: 15

Posted: Sun Mar 21, 2004 8:01 pm

Raven wrote:
Sites are being exposed even as I write this! This is still in 7.0 and 7.1. Check your modules/Reviews/index.php file for the following code. There should be 2 instances.

WHERE id=$id

If you have it, then you MUST modify it to

WHERE id='$id' .


Are you including the DOT in this ?
and does it go before the double quote then which exists already?
 
midigod







Posted: Sun Mar 21, 2004 8:14 pm

Can I suggest something ....

I am not very technical ;)
So following these scripting debates leaves me confused.
I'm the Homer Simpson of scripting :oops:

Is there any chance that once the security fix suggestions have been "agreed" and "tested" that there could be a CENTRAL definitive list of security fixes to apply ??

And I don't mean a growing list of "no, now do this" updates - but a single answer for each patch. If the patch changes - the old one should be removed. (obviously it would be good to have an addendum if a patch needs to be reversed - if you see what I mean).

This would be SO helpful !!
I can't rely on spotting every fix you suggest, especially when it's interjected with debate.

Obviously we all have a vested interest in security so a central list would truly be great IMHO.

Are there other major ones? I heard one about the search fixed in 7.2 which suddenly seems to be a premium club offer.
Poor for security fixes don't you think ? How would I do that for 7.0.

And how come the author (FB) isn't leading these security fixes ?

JMTCW.
 
Raven







Posted: Sun Mar 21, 2004 9:23 pm

midigod wrote:
Raven wrote:
Sites are being exposed even as I write this! This is still in 7.0 and 7.1. Check your modules/Reviews/index.php file for the following code. There should be 2 instances.

WHERE id=$id

If you have it, then you MUST modify it to

WHERE id='$id' .


Are you including the DOT in this ?
and does it go before the double quote then which exists already?
No on the dot. Take it literally. Find the 2 instances of
Code:
WHERE id=$id
and modify it to
Code:
WHERE id='$id'

It matters not what is before or after it.
 
Raven







Posted: Sun Mar 21, 2004 9:26 pm

midigod wrote:
And how come the author (FB) isn't leading these security fixes ?
Now there's a novel idea :lol: (no offense to you). Quite frankly, FB (the present keeper of the code - by far not the author) could care less. Read other threads here that will tell the history and the story. JMTCW.
 
midigod







Posted: Mon Mar 22, 2004 8:32 am

Shorter version as quick reply lost my message :(

Sorry to hear that the keeper is ......

How about a Raven premier club - although US$20 PA than PM :(

No guarantees of course.
Just even that central list of security fixes (one answer only plus a history for reverse patching if necessary) would make it worth it.

If the "keeper" is complacent/overworked then in true GNU style someone should erm. help him.

My situation is typical.
Installed 7.0 last week.
Now have to subscribe to get security fixes in 7.2 ?!?!?
New to PHP and SQL. No idea what I'm doing, let alone rectifying others work.

Real shame if we let saddos attack and corrupt Nuke sites, with all the love and hard work which goes in to configuring and maintaining them (let alone hosting costs).

I appreciate you are all doing way more than your bit already, but with a little infrastructure .......
 
Raven







Posted: Mon Mar 22, 2004 8:40 am

7.2 is available here for free. Also, any and all of Chatserv's fixes are always posted here as they become available.
 
southern
Client



Joined: Jan 29, 2004
Posts: 624

Posted: Mon Mar 22, 2004 8:51 am

The 'keeper' is underworked by his own choice. Don't worry too much about the security issues, midigod, 'cause with 7.0 you already have better security than older versions. Do a little browsin' around the topics here and on other nuke sites, and you'll find everything you need to allay your worries and you'll learn quite a bit, too. :) Keep in mind, though, that the baddies will always find something to exploit, so there will never be a 100% secure web portal. That, to moi, is part of the fun of nuke.

_________________
Computer Science is no more about computers than astronomy is about telescopes.
- E. W. Dijkstra 
southern







Posted: Mon Mar 22, 2004 8:54 am

Hi there, Raven, and good mornin' :)
 
midigod







Posted: Mon Mar 22, 2004 10:55 am

Thanks Southern and Raven,
I've installed 7.2 and it seems to have the fixes I was aware of

(search, where=id and the database FAQ capitalisation error/fix/error)

So in 7.2 specifically, are there any major security issues outstanding, or do I have a clean slate for today ?

I will deploy the config.php include path measure.
MySQL is old (3.5) so I presume I don't need the anti hacking script, or do I have other problems ?

Cheers.
 
southern







Posted: Mon Mar 22, 2004 11:35 am

I'll defer to Raven on whether 7.2 has any security issues you don't know about. But I'd not worry too much if I had that version. Even my 6.9 is pretty secure using the fixes Raven, chatserv and other paramount PHPers have submitted to the nuke community, and it'll be a while before the general run of the mill script kiddies find out from better minds how to attempt exploits...wanna be hackers tend to be lazy and take the easiest way, like water, and if there isn't an easiest way but only a choice of hard and hard they are generally deterred, which is the purpose of security patches. So I'd guess you're safe for today. :)
 
Lateron
Worker



Joined: May 10, 2003
Posts: 119
Location: Katoomba, NSW, Australia.

Posted: Tue Mar 23, 2004 12:31 am

Has anyone seen this thread at Nukecops yet?

http://nukecops.com/postlite25444-.html

If true, this is getting beyond a joke!
 
Lateron







Posted: Tue Mar 23, 2004 12:51 am

Here's another that's come up today :

http://www.nukecops.com/article-1793-nested-0-0.html

I may sound as though I am panicking but I've lost track of what I have and haven't patched! I feel I should build another site from scratch once all these fixes have been finalised.

I have also visited a lot of hacked sites this week and they haven't been pretty sights (no pun intended). :(
 
chatserv
Member Emeritus



Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

Posted: Tue Mar 23, 2004 1:36 am

[link hidden for unregistered users]
 
Tank863
New Member



Joined: May 29, 2003
Posts: 16

Posted: Tue Mar 23, 2004 10:26 pm

chatserv

have you checked out admin secure from [link hidden for unregistered users]

If so what do you think? If not could you?

Tank863

Description:
Admin Secure is an add-on script (not a module, block, nor else) for PHP-Nuke web portal system. This add-on gives you additional protection scheme for admin accounts from hacking activities and performs filtering of input variables against possible hacking attempts. This add-on does not prevent other hacking methods such as DoS (denial of service), hammering, session spoofing, backdoors, port scanning, system exploit, root access, etc. Admin Secure will monitor suspicious SQL Injection activities as well as illegal administration access for your PHP-Nuke based website.

Features:
• Blocking SQL Injection through input requests.
• Prevent illegal admin account access through input requests.
• Blocking external file inclusion for modules.php and index.php files.
• Filtering illegal scripting code from input variables.
• Ensuring admin account session taken from cookie.
• Prevent illegal admin account creation, deletion, and modification.
• Compare admin access validity through "mirrored" database table.
• Any changes on admin accounts (create, edit, delete) require approval.
• E-mail notification. An alert sent along with additional info.
• Scheduled automation tasks.
• Banning System. (Site and Modules)
• Site Activity Logging.
• Flood Protection.
• And more.

Changes On This Version:
• Add: Banning System (IP Address)
• Add: Module Access Banning System (IP Address and Site Member)
• Add: Auto Ban for known security breach
• Add: Session Activity Logging
• Add: Flood Protection
• Add: Support older PHP-Nuke database manager (prior 6.5)
• Add: Blocking external file inclusion through index.php
• Add: Checking dangerous user registration fields (name, password, etc)
• Fix: Sending continuous notification when an admin account changed
• Fix: Floatval() issue with Server running PHP below 4.2.0
 
luchtzak
New Member



Joined: Jan 01, 2004
Posts: 3

Posted: Wed Mar 24, 2004 6:32 am

chatserv wrote:
http://www.ravenphpscripts.com/article-305--0-0.html


Thanks for sending this issue via a newsletter! Otherwise I would have seen it many hours later (maybe days)

greetz,

Bart
 
Rikk03
Worker



Joined: Feb 16, 2004
Posts: 164

Posted: Sun May 02, 2004 7:07 am

Coppermine 1.2x security exploits patches - mentioned in the news ........where can I find the patches........it does not say in the post......it just tells you where the exploits are.
 
sixonetonoffun







Posted: Sun May 02, 2004 7:31 am

[link hidden for unregistered users]
 
Rikk03







Posted: Sun May 02, 2004 10:28 am

thx
 
ladysilver
Hangin' Around



Joined: May 03, 2004
Posts: 49
Location: Cyberspace

Posted: Wed May 05, 2004 4:45 pm

Checking my newsfeeds, I saw a new post from Waraxe here:
[link hidden for unregistered users]

Not sure how valid these are. I've been going down the list and I've not had a problem yet (doesn't mean I won't, just haven't had one yet).

A1 just gave me an error page.
B1 just gave me an error page.
C1 gave me "improper request".
C3 gave me "HTML tags not allowed".

Have not tried A, B, C yet. There is no C2 on the list.

Anybody else tried these? What were your results?
 
Raven







Posted: Wed May 05, 2004 7:30 pm

[link hidden for unregistered users]
 
sixonetonoffun







Posted: Wed May 05, 2004 8:10 pm

Here is his summary [link hidden for unregistered users]

This one seems to get through the latest patched files. Reveals admin password hash.
 
chatserv







Posted: Wed May 05, 2004 8:22 pm

After patching the file that code turns into sid=1 or sid=2
 
Raven







Posted: Wed May 05, 2004 8:25 pm

I can't find this code to change in 6.9
Find:

Code:
    $result=$db->sql_query("SELECT lid, url, title, description, date, hits, downloadratingsummary, totalvotes, totalcomments, filesize, version, homepage FROM ".$prefix."_downloads_downloads WHERE sid=$sid order by $orderby limit $min,$perpage");

Change to:
Code:
    $result=$db->sql_query("SELECT lid, url, title, description, date, hits, downloadratingsummary, totalvotes, totalcomments, filesize, version, homepage FROM ".$prefix."_downloads_downloads WHERE sid='$sid' order by $orderby limit $min,$perpage");
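
Added example, not part of the thread and not PHP-Nuke code: the fix above puts the id inside quotes, which only holds if quote characters inside the value are escaped before it reaches the query. For ids that are always numbers, a complementary check is to accept only digits and refuse everything else, including array-valued parameters. The helpers `clean_id()` and `downloads_query()` and the `nuke` prefix are assumptions for illustration.

```php
<?php
// Added example, not PHP-Nuke code. The table name follows the query quoted
// in the thread; clean_id() and downloads_query() are hypothetical helpers.

/** Return $value as an integer, or null unless it is purely decimal digits. */
function clean_id($value): ?int
{
    if (is_int($value)) {
        return $value >= 0 ? $value : null;
    }
    // Request parameters can arrive as arrays (sid[]=...); reject anything
    // that is not a plain, short string instead of letting it reach the query.
    if (!is_string($value) || $value === '' || strlen($value) > 9) {
        return null;
    }
    return ctype_digit($value) ? (int) $value : null;
}

/** Build the Downloads query only when sid is a valid integer. */
function downloads_query(string $prefix, $sid): ?string
{
    $sid = clean_id($sid);
    if ($sid === null) {
        return null; // caller should stop and log the rejected request
    }
    // Quoted as in the thread's fix; the value is already a known integer.
    return "SELECT lid, title FROM {$prefix}_downloads_downloads WHERE sid='$sid'";
}

// Constructed sample inputs: a normal id, a non-numeric string, an array, empty.
$samples = ['3', '3 OR 1=1', ['3'], ''];
foreach ($samples as $input) {
    $query = downloads_query('nuke', $input);
    echo json_encode($input), ' => ', $query ?? 'REJECTED', PHP_EOL;
}
```

Only the first sample produces a query; the other three are rejected before any SQL is built.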
 
All times are GMT - 6 Hours
 