SQL Injection Vulnerabilities!

Raven · Posted: Thu Feb 05, 2004 6:10 am

Sites are being exposed even as I write this! This is still in 7.0 and 7.1. Check your modules/Reviews/index.php file for the following code. There should be 2 instances.

WHERE id=$id

If you have it, then you MUST modify it to

WHERE id='$id' .

Otherwise your admin passwords can be exposed. They are still encrypted, but depending on how serious someone was to get them, they might! please note that Chatserv's Patches have this fix in them, but FB should have patched his releases by now and hasn't Evil or Very Mad

!

Raven · Posted: Thu Feb 05, 2004 6:13 am

This particular injection depends on MySQL v4.x being installed. V4.x allows for the sql UNION operator. In addition to Chat's fixes, you can add a line of code like this to the top of includes/my_header.php

Code:

if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hack.php/");

Of cource hack.php could be any page you want. You could make it email you or whatever.

[Admin edit: mainfile.php is a better place for this code]

chatserv · Posted: Thu Feb 05, 2004 7:02 am

Or you can add to the top of header.php:

Code:

$checktheurl = $_SERVER['REQUEST_URI'];

if (preg_match("/UNION/", "$checktheurl")) {
echo "die";
exit;
}

[Admin edit: mainfile.php is a better place for this code]

Raven · Posted: Thu Feb 05, 2004 8:00 am

chatserv wrote:

Or you can add to the top of header.php:

Code:

$checktheurl = $_SERVER['REQUEST_URI'];

if (preg_match("/UNION/", "$checktheurl")) {
echo "die";
exit;
}

This way would kill a domain name that had 'union' in the name as well as 'union' as a parameter, I believe. That's why I opted for the other approach. I also am using this in my .htaccess

Code:

RewriteCond %{QUERY_STRING} "\%20union\%20select" [NC]
RewriteRule ^.*$ /hack.php/ [NC,L,R]

It seems to work in all my testing thus far.

chatserv · Posted: Thu Feb 05, 2004 8:09 am

Makes sense, in that case i'd make it:

Code:

if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
echo "die";
exit;
}

The only difference is that no file needs to be created.

wraith · Client Joined: Sep 13, 2003 Posts: 6

I have done "Security Advisory: PHP-Nuke Patched 2.1" by chatserv and SFP also by chatserv, both dated 2004-02-04.

Is this enough or do I need to do more?
And what ?

(running 6. Cool

luchtzak · New Member Joined: Jan 01, 2004 Posts: 3

chatserv wrote:

Makes sense, in that case i'd make it:

Code:

if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
echo "die";
exit;
}

The only difference is that no file needs to be created.

I applied this small patch, am I kinda safe now with this security-issue?

greetings,

Bart

chatserv · Posted: Thu Feb 05, 2004 11:31 am

Any of the variants detailed by Raven and myself will stop the attack that has been described in the past few days, of course it is always best to add validation to all variables and not just the ones that get hacked, Raven knows this has been done but we can't do anything about having them incorporated into the dev pack, some have been, with luck all others will be too.

chatserv · Posted: Thu Feb 05, 2004 11:34 am

wraith wrote:

I have done "Security Advisory: PHP-Nuke Patched 2.1" by chatserv and SFP also by chatserv, both dated 2004-02-04.

Is this enough or do I need to do more?
And what ?

(running 6. Cool

The sec-fix patches are designed to either fix bugs or patch vulnerabilities while altering the core files as little as possible, PHP-Nuke Patched on the other hand attempts to patch all likely vulnerabilities and changes the abstraction layer on all files to match the new one, if using PNP you don't need any of the sec-fix patches.

southern · Client Joined: Jan 29, 2004 Posts: 530 Location: Texas

Thanks Raven and chatserv, I put in the WHERE in modules/Reviews/index.php, the .htaccess and the my_header.php fixes and I just get the single word 'die' when I run the test

Only registered users can see links on this board!
Get registered or login to the forums!

How might I change this to a redirect to, say, the FBI site? Also does the %20 part affect the fixes?

Raven · Posted: Thu Feb 05, 2004 11:45 am

Chat's will display 'die'. Mine will redirect to wherever you want. The %20 is very important. It translates to a space.

southern · Client Joined: Jan 29, 2004 Posts: 530 Location: Texas

I changed the die to another message, but how do I redirect to some other site or have it email me? Is that in the .htaccess or in the my_header? Does the .htaccess conflict with chatserv's 'die', since the former calls a hack.php and the latter doesn't?

Raven · Posted: Thu Feb 05, 2004 1:31 pm

.htaccess is processed before it ever reaches your web page.

To redirect to another site, just replace hack.php with

Only registered users can see links on this board!
Get registered or login to the forums!

.

Here is the type of command you could use to email yourself

Code:

@mail('admin@yoursite.com', 'Hack Attempt', "$msg","From:

Only registered users can see links on this board!
Get registered or login to the forums!

") ;

I will be publishing more detail on the script I use a little later.

southern · Client Joined: Jan 29, 2004 Posts: 530 Location: Texas

Thanks Raven. Smile

Raven · Posted: Thu Feb 05, 2004 3:04 pm

It has been concluded that that mainfile.php is a better place for the code that we suggested in header.php. I have edited the other posts.

southern · Client Joined: Jan 29, 2004 Posts: 530 Location: Texas

Should the code be removed from my_header or does it matter?

Raven · Posted: Thu Feb 05, 2004 3:26 pm

It doesn't matter. I am leaving mine in in the event someone finds a mod that uses header and not mainfile. Probably won't happen and it is a few micro seconds of overhead.

blith · Posted: Thu Feb 05, 2004 3:31 pm

Where at in the mainfile should we put this. thanks.

Raven · Posted: Thu Feb 05, 2004 3:33 pm

Right after the <? tag

southern · Client Joined: Jan 29, 2004 Posts: 530 Location: Texas

Works in mainfile, too, though the 'scram, miscreant' I have lacks a certain... something...

Raven · Posted: Thu Feb 05, 2004 3:43 pm

Try the hack on my site and see if you like mine.

southern · Client Joined: Jan 29, 2004 Posts: 530 Location: Texas

Well, dang... I ne'er knew you felt that way about me. That's a bunch better than mine!

Raven · Posted: Thu Feb 05, 2004 4:12 pm

Try it again. Your attempt revealed a lookup issue in my code. It should be fixed now.

southern · Client Joined: Jan 29, 2004 Posts: 530 Location: Texas

OK.. port 4719... but I hope you aren't sending an email to the fbi with my info. Smile

Raven · Posted: Thu Feb 05, 2004 4:26 pm