Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
hls-bill
New Member
New Member


Joined: Feb 14, 2007
Posts: 2

PostPosted: Tue Feb 20, 2007 1:12 pm Reply with quote

Only registered users can see links on this board! Get registered or login!

Any word on this one?


Kind Regards,

Bill
 
View user's profile Send private message
stefvar
New Member
New Member


Joined: Oct 30, 2005
Posts: 18

PostPosted: Tue Feb 20, 2007 3:48 pm Reply with quote

Hello,

Look at also this link :
Only registered users can see links on this board! Get registered or login! Wink

_________________
Stef and Co. Bénévolat sur mesure Wink
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Tue Feb 20, 2007 6:20 pm Reply with quote

Here is a quick fix for first exploit
Open includes/nukesentinel.php

Find:
Code:
// Load Blocker Arrays


Before add:
Code:
function nsnst_valid_ip ($ip) {

    return (preg_match('/^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/', $ip));
}


Find:
Code:
$ip = explode(".", $remoteip);


After add:
Code:
  if (!nsnst_valid_ip($remoteip)) {

     die('Access Denied');
  }


Find:
Code:
if(empty($template)) { $template = "abuse_default.tpl"; }


Before add:
Code:
if (!empty($template) && ereg('.php', $template)) $template = '';

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login!

Last edited by technocrat on Tue Feb 20, 2007 6:31 pm; edited 1 time in total 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Tue Feb 20, 2007 6:25 pm Reply with quote

I can confirm the developers are aware and working on a permanent fix.
 
View user's profile Send private message Send e-mail
technocrat
PostPosted: Tue Feb 20, 2007 6:30 pm Reply with quote

Actually you should probably strip out all the ips

Replace
Code:
if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['client_ip'])) {$nsnst_const['client_ip'] = "none"; }

if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['forward_ip'])) {$nsnst_const['forward_ip'] = "none"; }
if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }
if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_addr'])) {$nsnst_const['remote_addr'] = "none"; }


With:
Code:
if (!nsnst_valid_ip($nsnst_const['client_ip'])) {$nsnst_const['client_ip'] = "none"; }

if (!nsnst_valid_ip($nsnst_const['forward_ip'])) {$nsnst_const['forward_ip'] = "none"; }
if (!nsnst_valid_ip($nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }
if (!nsnst_valid_ip($nsnst_const['remote_addr'])) {$nsnst_const['remote_addr'] = "none"; }


And then
Code:
if (!nsnst_valid_ip($remoteip)) {

     die('Access Denied');
  }


With:
Code:
  if (!nsnst_valid_ip($remoteip) && $remoteip != 'none') {

     die('Access Denied');
  }
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Tue Feb 20, 2007 10:15 pm Reply with quote

Really nice of these guys to have posted the exploit without first giving the author(s) of the tool a chance to prepare a fix. Unbelievable!!

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
montego
PostPosted: Tue Feb 20, 2007 10:37 pm Reply with quote

For the second one, in the meantime, I have placed the following in my includes directory:

Code:


<Files nsbypass.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
      AuthName "Restricted for direct access"
      AuthType Basic
      AuthUserFile <<chg to full path to your .staccess file>>
</Files>


Figured this might help initially... I had done something similar awhile back for modules/Forums/admin when we were having all those direct attacks against it.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Feb 21, 2007 12:58 am Reply with quote

montego wrote:
Really nice of these guys to have posted the exploit without first giving the author(s) of the tool a chance to prepare a fix. Unbelievable!!


Always happens. You really have to wonder if they actually believe they are helping people. It will just be another exploit for script kiddies to use before everyone can upgrade their sites. Its sad that it will just lead to more exploited systems and not better security.

I really hate when it says "for educational purposes only" .. when it is obviously not designed to teach anyone, rather to be used in malicious attacks on innocent sites.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
stefvar
PostPosted: Wed Feb 21, 2007 2:02 am Reply with quote

Hello,

If my message could cause a gene, I am really sorry. It was absolutely not its goal. These problems having been diffused as a preliminary on several sites, I thought on the contrary that that will be able to help.
In the future, I will make in kind not announce this kind of information more.

Cordially
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Wed Feb 21, 2007 5:34 am Reply with quote

They are referring to the people who published the exploit, Stefvar. We definitely appreciate you letting us know!

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
stefvar
PostPosted: Wed Feb 21, 2007 5:42 am Reply with quote

Hello,

Thank you Kguske for the precision. I had not interpreted it thus. I have still enormous progress to make for the good comprehension of the English language Wink .
 
technocrat
PostPosted: Wed Feb 21, 2007 8:28 am Reply with quote

What's odd is this one came out of no where. I did not see it on any of the normal channels before it's release. Usually people are talking about it before hand.
 
FireATST
RavenNuke(tm) Development Team


Joined: Jun 12, 2004
Posts: 637
Location: Ohio

PostPosted: Wed Feb 21, 2007 3:23 pm Reply with quote

ty for posting the fix for it technocrat.... Cheers
 
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number
hls-bill
PostPosted: Wed Feb 21, 2007 5:15 pm Reply with quote

Seems the acid-root site went poof -- I will depoly the posted fixes this evening.. seems like PhP 5 took a hit today as well. Thanks for the replies on this. One thing that I would like to mention is. What is going on here with NukeSentiel if it was not deployed widely and affected so many --- no one would care if it was exploited. Please keep up the great work on this much needed tool to protect our sites.

Kind Regards,

Bill
 
montego
PostPosted: Wed Feb 21, 2007 6:00 pm Reply with quote

stefvar, yes, what Kguske said is what I was referring to. Please do not hesitate to let any of us know. Like technocrat said, this "came out of no where".

technocrat, were you actually successful in testing this exploit (actually "these")? I had issues last night with it, but will not mention any details here. Just curious if you had. Thanks.
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Wed Feb 21, 2007 6:04 pm Reply with quote

Could someone post complete fixes? I can't tell if Technocrat had changed his mind about his first set of fixes.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
evaders99
PostPosted: Wed Feb 21, 2007 7:11 pm Reply with quote

Yep stefvar, we were commenting on the group that released the exploit and how to use it. We definitely want people to come here and tell us if they notice such things!
 
FireATST
PostPosted: Wed Feb 21, 2007 7:31 pm Reply with quote

Montego, would you then be advising me to remove his fixes for now. I know you don't want to say what you had problems with, but is it worth me setting it back to the way it was? Guess I just assumed ( I know, I know....Smile ) that is was good to go.
 
montego
PostPosted: Thu Feb 22, 2007 5:33 am Reply with quote

Quote:

Montego, would you then be advising me to remove his fixes for now


No! Until this is confirmed by the developers and a fix is provided (if needed), there is no reason not to apply these temporary "patches".

Gremmie, Either set of "fixes" should be fine in the interim. Technocrat, in his second post, was just suggesting something a little better and possibly closer to a final fix.
 
technocrat
PostPosted: Thu Feb 22, 2007 7:50 am Reply with quote

Montego - Yes I did and it stopped it as far as I could tell. If you PM me or email me technocrat498 yahoo com I will look at what you found.
 
Gremmie
PostPosted: Fri Feb 23, 2007 5:38 pm Reply with quote

I have implemented these two fixes, and now two of my AOL users are seeing 'Access Denied'. Any ideas?
 
technocrat
PostPosted: Fri Feb 23, 2007 5:47 pm Reply with quote

Look through your Tracked IP for those users and see what their IPs are. I wonder if AOL is sending a blank IP.
 
Gremmie
PostPosted: Sat Feb 24, 2007 10:53 am Reply with quote

I didn't have IP tracking turned on, but I turned it on last night. I don't see anything out of the ordinary in the tracked IP listings.
 
Gremmie
PostPosted: Sun Feb 25, 2007 9:59 pm Reply with quote

Crap now I have a non-AOL user complaining about Access Denied. Is there another way to fix this? What is the first exploit doing? Thanks.
 
technocrat
PostPosted: Mon Feb 26, 2007 10:09 am Reply with quote

Try changing:
Code:
if (!nsnst_valid_ip($remoteip) && $remoteip != 'none') {


To:
Code:
if (!nsnst_valid_ip($remoteip) && $remoteip != 'none' && !empty($remoteip)) {
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©