providence
Regular
Joined: Apr 23, 2005
Posts: 95

Posted: Mon May 02, 2005 12:59 pm

I don't get this thing... what if someone gets my md5 hash, does it mean that my site will get hacked?
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6044

Posted: Mon May 02, 2005 2:47 pm

A quick Google search uncovered the explanation below from the PHP-Nuke website itself (unnecessary portions have been removed). The type of attack described below would be very difficult and time-consuming - there are much easier ways to achieve those results. Though there may still be issues with specific modules that do not use standard database access methods, using a security tool like NukeSentinel with HTTP Admin Authentication will significantly help prevent attacks and attempts to gain unauthorized access.

From PHP-Nuke.org:
"In an attempt to prevent scripted bots from either generating new user accounts or attempting brute force password cracking against PHP-Nuke portals, the security graphic had been added.

The process begins within the PHP code to generate a random number. That number is then stored in a URL that is resent to the security image creation engine as the login page is being generated:

modules.php?name=Your_Account&op=gfx&random_num=604071

The security graphic engine takes the random number and makes an MD5 encryption of it concatenated with other elements such as the $sitekey, $datekey, and the member's http_user_agent.

At this point the MD5 hash value is switched over to hexadecimal and stored in a variable whereby at a certain starting point (2 by default) a total of x places are read and stored (by default 6).

A potential security risk exists if the default $sitekey value is not changed because a malicious user can manually map out on a PHP-Nuke portal in a one to one relationship between random_num and the number shown in the image. So long as the following values do not change:

# $sitekey
# $datekey
# $random_num
# HTTP_USER_AGENT

The number shown back in the security image will always be the same. Such a mapping would be tedious to complete manually, but the possibility exists nonetheless.

Out of the four variables above, the user can manipulate only two:

# $random_num
# $HTTP_USER_AGENT

This effectively means that the entire process of mapping out the one to one relationship must occur in a single day due to the $datekey parameter. Each day adds a new value to the hexadecimal/MD5 concatenation process.

Let's take this a step further. If a PHP-Nuke webmaster does not change their default $sitekey parameter this could still open them up to attack. A malicious user may install a default PHP-Nuke portal on their own system and now they have access to manipulate all of the four variables above.

This means they can change the date on their system, altering the $datekey to each day of the year, and manually map out all the random_num values to their respective security image code values. At this point, they have a full database for every day of the year that can be used maliciously against default $sitekey value PHP-Nuke sites. With such data, a script can be written to check the random_num value, i.e.:

modules.php?name=Your_Account&op=gfx&random_num=604071

And such a script could call up the corresponding security code value thereby rendering the purpose behind it useless.

Conclusion? Change your $sitekey immediately from the default value, and change it often."
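The derivation described in the quoted PHP-Nuke.org text, modelled in Python as an added example (not PHP-Nuke's code and not written by any poster in this thread), beside a variant where the code is server-side random state. The concatenation order, the `DEFAULT_SITEKEY` placeholder, the sample user agent and date string, and the `session` dict are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder; not PHP-Nuke's actual default value.
DEFAULT_SITEKEY = "constructed-default-sitekey"


def derived_code(random_num, sitekey, datekey, user_agent, start=2, length=6):
    """Model of the quoted scheme: the code is a pure function of four inputs.
    The concatenation order is an assumption made for this example."""
    material = f"{user_agent}{sitekey}{random_num}{datekey}".encode()
    return hashlib.md5(material).hexdigest()[start:start + length]


def compare_installs():
    """Two installs sharing a sitekey agree; one with its own key does not."""
    ua, day, rn = "ExampleBrowser/1.0", "May 2", "604071"  # constructed inputs
    install_a = derived_code(rn, DEFAULT_SITEKEY, day, ua)
    install_b = derived_code(rn, DEFAULT_SITEKEY, day, ua)  # separate site, same default
    own_key = derived_code(rn, secrets.token_hex(32), day, ua)
    return install_a == install_b, install_a == own_key


def issue_challenge(session):
    """Hardened variant: the code comes from a CSPRNG and is kept only in
    server-side session state, so no request parameter determines it."""
    session["captcha"] = f"{secrets.randbelow(10**6):06d}"
    return session["captcha"]  # drawn into the image, never sent as text


def check_challenge(session, answer):
    """Single use: the stored code is consumed whether or not the answer matches."""
    expected = session.pop("captcha", None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), answer.encode())


if __name__ == "__main__":
    print(compare_installs())  # shared default key vs. a site-specific key
```
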
Holbrookau
Hangin' Around


Joined: Jun 25, 2004
Posts: 32

Posted: Tue May 03, 2005 1:28 am

md5 is simply an encryption system - input any string of text and get back a 16 character version of it. Generally used for password encryption but as shown in the post above, it has many other uses.
Example use: When you sign up on a PHP-Nuke site your password is encrypted with md5 and that is what is stored in the database, not your actual plain text password. When you next log in, the password you type into the login box is encrypted with md5 and then checked against the one stored in the database - if they match, you're in.
Having your md5'ed password will not allow them access unless they can actually work out what the password is by brute force - if you avoid using dictionary words and instead use a combination of letters, numbers & symbols for your password (the longer the better), it is highly unlikely that you will ever be compromised.