Ravens PHP Scripts: Forums
Forum: NukeSentinel™
hireamerica
Client
Joined: Sep 30, 2004
Posts: 103
Location: New Jersey

Posted: Mon Feb 27, 2006 10:25 am

Just noticed that the password is listed in plaintext, as well as MD5 and showing the Crypt Salt.

So incidentally, any hack able to select that information gets your admin and might be able to get other accounts (like email) if you double-use your password there.

The recent UNION exploits might be pulling that, FYI.

Anything we can do to shut down the plain text "password" column?

Incidentally, I changed my Admin password but it didn't change what is in this table (yet).
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17086

Posted: Mon Feb 27, 2006 10:45 am

Try doing a Scan For New Admins and see if it picks up your new password.
 
hireamerica
Posted: Mon Feb 27, 2006 10:55 am

It did not. Said the scan completed and then the Admin Auth list still shows the old.

Worrying that many of us have tried that CGI Auth and then maybe still use it, or just don't use it anymore. The plaintext appearance of the password there worries me because of the UNION attacks.

If that password is still the password to the Admin....whoops!
 
Raven
Posted: Mon Feb 27, 2006 11:04 am

If you have changed from CGI to HTTPAuth, be sure to remove the path to .staccess in your Admin Panel.
 
hireamerica
Posted: Mon Feb 27, 2006 11:11 am

It's off for me... the issue is that with HTTPAuth it's not recognizing my Admin password, and .htaccess is set right. So I use neither Auth. But the Turkish hacker, if he got my password from clear text in the table, got my email which had the same password. Doesn't now....
 
Raven
Posted: Mon Feb 27, 2006 11:15 am

Select HTTPAuth and delete the path to .staccess.

Make sure that you are using the .htaccess that comes with a fresh install, ie, all the references to CGIAuth are commented out.

Use phpMyAdmin and delete all passwords in the nsnst_admin table. Then, just add the md5() pass.
 
hireamerica
Posted: Mon Feb 27, 2006 11:24 am

If you do that then HTTPAuth doesn't work again. I just get the normal Admin login even after clearing cache, cookies, etc.

NukeSentinel says in preferences: You MUST set ALL admin passwords before activating HTTPAuth or CGIAuth!

If I wipe the cleartext passwords in nuke_nsnst_admins, it knows it's blank and shows that msg instead of "Off, CGIAuth, HTTPAuth".
 
Raven
Posted: Mon Feb 27, 2006 11:30 am

Make sure that you are using the .htaccess that comes with a fresh install, ie, all the references to CGIAuth are commented out.

Delete the path to .staccess.

Use phpMyAdmin and delete the NukeSentinel admin record.

Run Scan for new admins.

Set the new password.

Select HTTPAuth.

Save.
 
hireamerica
Posted: Mon Feb 27, 2006 11:49 am

I'm doing all that... the issue is this:

When it's all working fine the vulnerability is still there: a UNION attack can do a simple select password from nuke_nsnst_authors and get it in plain text.

I'm not saying the HTTPAuth doesn't work (it does), I'm just concerned about that in light of the attack I had on my site.

I'm also just incidentally bringing up the fact that if you wipe out the clear text password column entry, then the HTTPAuth doesn't work.
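The two points the thread keeps returning to are that the admin table carries a plaintext password column and that HTTPAuth appears to depend on it. Below is an added illustration (not NukeSentinel's code, and not the table layout it used in 2006) of why the second point need not follow from the first: with HTTP Basic auth the browser sends the password on every request, so the server can hash what it receives and compare against a stored salt and hash, and no plaintext column is needed. The row layout (`aid`, `salt`, `hash`), the PBKDF2 work factor and the sample admin record are all constructed for this example; it is written in Python rather than PHP so it runs stand-alone.

```python
import base64
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; a constructed value for this demo.
PBKDF2_ITERATIONS = 100_000


def make_record(aid: str, password: str) -> dict:
    """Build an admin row that stores only a random salt and a derived hash.

    There is no plaintext 'password' column, so a dumped row cannot be
    replayed against e-mail or other accounts that share the password.
    (Hypothetical layout: aid / salt / hash, not NukeSentinel's schema.)
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return {"aid": aid, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Constructed row used only to equalise timing when a user does not exist.
_DUMMY_RECORD = make_record("nobody", secrets.token_hex(16))


def basic_header(user: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value a browser would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header_value: str):
    """Decode a Basic header value into (user, password), or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    if not sep:
        return None
    return user, password


def http_auth_check(table: dict, header_value: str) -> bool:
    """HTTPAuth-style check: the browser sends the password, we compare hashes."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    user, password = creds
    record = table.get(user)
    if record is None:
        verify_password(_DUMMY_RECORD, password)  # same cost as a real lookup
        return False
    return verify_password(record, password)


def row_contains_password(record: dict, password: str) -> bool:
    """What a dumped row exposes: True only if the password appears verbatim."""
    return any(value == password for value in record.values())


if __name__ == "__main__":
    # Constructed sample admin table, keyed by admin id.
    admins = {"admin": make_record("admin", "correct horse battery")}
    print(http_auth_check(admins, basic_header("admin", "correct horse battery")))  # True
    print(http_auth_check(admins, basic_header("admin", "wrong")))                  # False
    print(row_contains_password(admins["admin"], "correct horse battery"))          # False
```

The design choice worth noting is that `verify_password` is run even for unknown users, so a lookup failure takes the same time as a wrong password; and because the salt is per-row, two admins sharing a password still get different hashes. The unsalted MD5 column the first post mentions gives neither property.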
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours