| Author |
Message |
southern
Client
Joined: Jan 29, 2004
Posts: 579
Location: Texas
|
 Posted:
Thu Feb 05, 2004 4:27 pm |
 
|
|
 
|
|
chunk
New Member
Joined: Jan 22, 2004
Posts: 6
|
| Posted:
Mon Feb 16, 2004 11:06 am |
|
Raven, I have a question for ya. Do all of these patches for vulnerabilities make their way back to phpnuke.org? I was curious about how all of this is tracked!
-David  |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Mon Feb 16, 2004 11:52 am |
|
Most issues surrounding security usually do but not the quick fixes, hacks, etc. There are some that seem to continually get passed by. As to the reason, I guess only the single developer, Francisco Burzi, would know. |
|
|
 
|
|
chunk
New Member
Joined: Jan 22, 2004
Posts: 6
|
| Posted:
Mon Feb 16, 2004 1:50 pm |
|
Well that said, I have to thank you for all of the quick security fixes you guys have been making. It's a part of my daily ritual to get the latest at Raven PHP...  |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Mon Feb 16, 2004 2:53 pm |
|
And, without Chatserv to constantly be on the prowl, we all would be up that proverbial creek  |
|
|
|
|
|
karakas
Hangin' Around
Joined: Feb 20, 2004
Posts: 29
|
| Posted:
Sat Feb 28, 2004 7:09 am |
|
That's right! Chatserv deserves many donations to his karma account for his dedication!
For those of you who care about the security of their PHP-Nuke and want to read more about, read the , especially the chapter on .
Download the PHP-Nuke HOWTO in the format of your choice from the . Notice that there is a module version of it too, i.e. you can install the on your site. |
|
|
|
|
|
chatserv
The Mouse Is Extension Of Arm
Joined: May 02, 2003
Posts: 1396
Location: Puerto Rico
|
| Posted:
Sat Feb 28, 2004 10:04 am |
|
The bank account could use some donations too 
Thanks for the compliments. |
|
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2499
|
| Posted:
Mon Mar 01, 2004 7:44 pm |
|
I've been finding when including a script (Like Raven's for instance hack.php).
When you don't want to use header location to redirect to the script. Its helpful to add something like chatservs message just above the include, before the exit or die function. This allows an instant of time to process the include before the exit or die command takes over.
In my case the include script grabs as much info as it can and dumps it into MySQL. So it needed this instant of time or the include failed.
If I do it the opposite the message after the include it fails too. (Strange)
Example:
| Code: |
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
echo "Go Play Somewhere Else!";
include("verify.php");
exit;
}
|
And the DoS it with 10,000 requests to localhost wink* just kidding I'd never do a thing like that. |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Mon Mar 01, 2004 8:26 pm |
|
Have you tried the sleep() function ? |
|
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2499
|
| Posted:
Mon Mar 01, 2004 10:09 pm |
|
Yeah, actually I didn't think of it but yeah that works slick since nothing is echo'd to the browser no need to flush().
I did some "eyeball" cpu monitering and the usuage in this fashion is conservative almost not worth noting. |
|
|
|
|
|
chatserv
The Mouse Is Extension Of Arm
Joined: May 02, 2003
Posts: 1396
Location: Puerto Rico
|
| Posted:
Tue Mar 02, 2004 12:21 am |
|
| Raven wrote: | | Have you tried the sleep() function ? |
A sleep function suggested by someone that is online 30 hours per day  |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Tue Mar 02, 2004 5:10 am |
|
Hello pot? This is kettle. <MUHAHAHAHA> BTW, the new server is ordered  |
|
|
|
|
|
diabluntd
Hangin' Around
Joined: Mar 19, 2004
Posts: 31
|
| Posted:
Fri Mar 19, 2004 12:08 pm |
|
| chatserv wrote: | Makes sense, in that case i'd make it:
| Code: | if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
echo "die";
exit;
} |
The only difference is that no file needs to be created. |
When i put that code at the top of my mainfile.php and upload it i get errors on every page.
here is some of the error...
| Code: | | = explode(":", $user2); if($t_cookie[9]=="") $t_cookie[9]=$Default_Theme; if(isset($theme)) $t_cookie[9]=$theme; if(!$tfile=@opendir("themes/$t_cookie[9]")) |
and it ends with
| Code: | | Fatal error: Call to undefined function: paid() in /home/virtual/site5/fst/var/www/html/banners.php on line 29 |
running 7.1 with 7.1patched installed. i got hacked today so i'm double checking everything. any ideas? |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Fri Mar 19, 2004 12:15 pm |
|
I just sent you a PM, but let's communicate here. If 7.1 patched did not stop the hack then there may be another hole. Check your logs and find what he did to get in. BTW, my alert code is not the same as what you quote here. In your PM you said you were using my alert script. |
|
|
|
|
|
chatserv
The Mouse Is Extension Of Arm
Joined: May 02, 2003
Posts: 1396
Location: Puerto Rico
|
| Posted:
Fri Mar 19, 2004 12:32 pm |
|
The line in PHP-Nuke Patched is not the one quoted either, it's:
| Code: | | if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: index.php"); |
|
|
|
|
|
|
diabluntd
Hangin' Around
Joined: Mar 19, 2004
Posts: 31
|
| Posted:
Fri Mar 19, 2004 12:37 pm |
|
| Raven wrote: | | In your PM you said you were using my alert script. |
I get the error with both. I was trying your alert code first then the one from above. Same thing happens.
No error log in nuke installed so i can't get any logs for you. |
|
|
|
|
|
chatserv
The Mouse Is Extension Of Arm
Joined: May 02, 2003
Posts: 1396
Location: Puerto Rico
|
| Posted:
Fri Mar 19, 2004 12:46 pm |
|
On a side note here's a nice extra by DisgruntledTech
File: db/mysql.php
find:
change to:
| Code: | | if($query != "" AND !stristr($query, "UNION")) |
|
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Fri Mar 19, 2004 12:47 pm |
|
| diabluntd wrote: | | Raven wrote: | | In your PM you said you were using my alert script. |
I get the error with both. I was trying your alert code first then the one from above. Same thing happens.
No error log in nuke installed so i can't get any logs for you. |
You need to look in your server access log. |
|
|
|
|
|
chatserv
The Mouse Is Extension Of Arm
Joined: May 02, 2003
Posts: 1396
Location: Puerto Rico
|
| Posted:
Fri Mar 19, 2004 12:53 pm |
|
| diabluntd wrote: | | No error log in nuke installed so i can't get any logs for you. |
The log file in question is not part of Nuke, contact your webhost provider and request a copy of your site's access log. |
|
|
|
|
|
diabluntd
Hangin' Around
Joined: Mar 19, 2004
Posts: 31
|
| Posted:
Fri Mar 19, 2004 2:35 pm |
|
| chatserv wrote: | | diabluntd wrote: | | No error log in nuke installed so i can't get any logs for you. |
The log file in question is not part of Nuke, contact your webhost provider and request a copy of your site's access log. |
the guy just left work for now but i'll get it later. earlier he said there was nothing in the httpd log... not sure if it's a different log.
and chat, from what i read doesn't the fix from disgruntled leave the site open for a post/thread error if the word "union" is ever used?
thanks for responding. you guys rule. |
|
|
|
|
|
chatserv
The Mouse Is Extension Of Arm
Joined: May 02, 2003
Posts: 1396
Location: Puerto Rico
|
| Posted:
Fri Mar 19, 2004 3:07 pm |
|
The word union is not used in Nuke's core files so i guess that's what was taken into consideration when modifying the line, either way the same thing would happen with the line on mainfile.php since you most likely will have to include mainfile.php in any third party add-on so that it can grab Nuke's variables. |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Fri Mar 19, 2004 4:06 pm |
|
Actually I have to disagree here. DGT is filtering EVERY query to the database so you will have false positives. Union can very well be valid if you are writing queries to v4.x . The mainfile.php fix is looking for the word UNION in the URI query string, eg. GET, where it should never be. |
|
|
|
|
|
chatserv
The Mouse Is Extension Of Arm
Joined: May 02, 2003
Posts: 1396
Location: Puerto Rico
|
| Posted:
Fri Mar 19, 2004 4:27 pm |
|
Yep, but as i said by default Nuke does not use the term, either way there's more than enough to choose from and on my sites i'm using the hack alert script and building up a decent ip ban list, for some unknown reason my sites tend to get quite a few attacks. I have been using DGT's mod and so far no section has acted up, we'll see... |
|
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2499
|
| Posted:
Fri Mar 19, 2004 8:05 pm |
|
Might (BadWord?) check out the filter for pnAntiCracker. The cookie filtering is something no one has applied to PHPNuke as far as I know?
Bullet proof code would be light speed faster but... I know I'm not that cocky... YET.
Ooops forgot the url:
|
|
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2499
|
| Posted:
Sat Mar 20, 2004 10:02 am |
|
Actually that PN code was flakey the cvs was updated in cvs after that post with simpler checking.
What I get out of it is that the way to get around the filter is to pass an array of nasty code? Anyone? |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
