XSS exploit still active with Sentinel 2.0.2

Posted: Fri Sep 17, 2004 9:02 am

Hi,

If you see JackFromWales4u2 in your member account list REMOVE it, it places ads on your site. Evil or Very Mad

The script is for sale on IRC (won't tell anybody where) Twisted Evil

I have put this name in the list of unwanted names so it can't create an account with that name. Twisted Evil

Is there anybody who knows how to resolve this with Sentinel?

Thanks,

Fred

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

I am confused by your titling of this post. You state it as if there is an exploit that Sentinel isn't stopping but yet you ask how to resolve with Sentinel Rolling Eyes

What exploit isn't Sentinel stopping? Don't you think if there was an exploit that this site and many others would have been hit?

Posted: Fri Sep 17, 2004 9:23 am

Hi Raven,

They are in a BIG way, believe me do a google on JackFromWales4u2 and you see what i am talking about.

66.219.97.51 - floridadom.com

Pagina's Bekeken A/D Datum A/D
/modules.php?name=News&file=comments 2004-09-08 22:16:46
/modules.php?name=News&file=comments 2004-09-08 22:16:44
/modules.php?name=News&file=comments 2004-09-08 22:16:42
/modules.php?name=News&file=comments 2004-09-08 22:16:41
/modules.php?name=News&file=comments 2004-09-08 22:16:39
/modules.php?name=News 2004-09-08 22:16:35
/modules.php?name=Your_Account&op=activate&username=JackFromWales4u2&check_num=9026a29cfdf5d55e0df55a19f6e60ad2 2004-09-04 16:44:14
/modules.php?name=Your_Account 2004-09-04 11:59:42
/modules.php?name=Your_Account 2004-09-02 06:33:49
/modules.php?name=Your_Account&op=gfx&random_num=994832 2004-09-02 06:33:47
/modules.php?name=Your_Account&op=gfx&random_num=994832 2004-09-02 06:33:47
/modules.php?name=Your_Account&op=new_user

I have removed the account and put his name in the unwanted list so he can't use it again to create an account with that name.

Today he tried again, but I stopt him because his account is blocked (for now)

Thanks,

Fred

I have updated to 2.0.2 after that this happend. I don't know if 2.0.2 stops this 2.0 din't stop it for sure.

Sorry if it is bad news, but I am here to learn from the people who know.

Posted: Fri Sep 17, 2004 9:27 am

But you haven't answered my questions. I know he's a problem, but what is the exploit that you are questioning? Every exploit that I know of has been blocked since 1.x. Most of these exploits are because the admin.php is not protected by using HTTP Auth which has always been available in Sentinel and even before that. Please show me 1 site that Sentinel has been broken into when the software was installed correctly and had Chatserv's patches applied.

Posted: Fri Sep 17, 2004 9:47 am

www.fred-dresken.nl that is one.. Wink

What I am trying to say, is there a configuration in Sentinel that I missed to prevent this from happening. As far I can tell I have configured Sentinel to Max. security.

modules.php?name=Your_Account&op=activate&username=JackFromWales4u2&check_num=9026a29cfdf5d55e0df55a19f6e60ad2 2004-09-04 16:44:14
At this time Sentinel 2.0 is up and running and my nuke version is the Ravens Customized Distro version 7.3 to be sure that Chatserv pathes have been applied. Mr. Green

It won't create an admin account but just a normal one to write ads.

If there are many sites that won't have this issue I think that I am missing a patch somewhere.. Bang Head

wich one? I don't know. Embarassed

My Admin is SAVE.. many have tried the known hack/exploit and are blocked. RavensScripts

Posted: Fri Sep 17, 2004 10:10 am

Quote:

modules.php?name=Your_Account&op=activate&username=JackFromWales4u2&check_num=9026a29cfdf5d55e0df55a19f6e60ad2

A script that auto-registers then spams the comments is not a security exploit, at least from the Sentinel point of things. It is someone taking advantage of the portal system through automation. Sentinel won't protect against that, neither should it. That is the function of the $gfx_check() security image.

Posted: Fri Sep 17, 2004 10:51 am

Hi Doodle,

And when the gfx is active? what is on my site when this happend.

The automation only works when it first has created a gfxcode on an empty page, that generated code is used to create an account.

When only the gfx function is called (what is very rear) true automation, this is a security exploit from my point of view, because gfx is never called on itself, it is used only to login or to create an account.

www.yoursite.com/modules.php?name=Your_Account&op=gfx&random_num=994832

So when they call the gfx on it self there is something weird going on, why other than login or creation call this function.

Posted: Fri Sep 17, 2004 11:11 am

I agree with you about the gfx function. That is the area we should be concentrating on. Putting some !eregi code in there to make sure it's not called directly would prolly work.

Posted: Fri Sep 17, 2004 11:33 am

First off this is not a xss exploit, second since the lamer always uses the same nick block him through the forum's admin section under disallow names and on the Your Account module by changing:

Code:

if (eregi("^((root)|(adm)|(linux)|(webmaster)|(admin)|(god)|(administrator)|(administrador)|(nobody)|(anonymous)|(anonimo)|(anónimo)|(operator))$",$username)) $stop = "<center>"._NAMERESERVED."</center>";

to:

Code:

if (eregi("^((root)|(adm)|(linux)|(webmaster)|(admin)|(god)|(administrator)|(administrador)|(nobody)|(anonymous)|(anonimo)|(anónimo)|(operator)|(jackfromwales4u2))$",$username)) $stop = "<center>"._NAMERESERVED."</center>";

Posted: Fri Sep 17, 2004 11:51 am

Chatserv,

I already blocked that username like you sayd, (first post)

Can you (please) explain me a little bit about the difference on the two possibilities?

Thanks,

Fred

I am just a newbie in php (you already know that Wink

) so Thanks again.
I only have an MCSE thats all.

Posted: Fri Sep 17, 2004 11:56 am

digibeet wrote:

I only have an MCSE thats all.

I read recently where they believe they now have a cure for that, although there will be lingering effects. You will have a tendancy to bloat and you will be prone to viruses and turning blue just before you shut down and pass out ROTFL

Posted: Fri Sep 17, 2004 12:23 pm

Raven,

70-270 MCSE has NO! value in the Netherlands whithout a higher degree..
I do NOT pretend to be a programmer (that is why I post sometimes a stupid question), engineer or likewise I did MCSE 70-270 to learn the BASICS of WindowsXP and I won't renew my certification. I don't think highly of myself because of my MCSE cert.
I am stunned and greatfull with the knowledge and help I find here.

Ok, did some ITIL and the rest is just a hobby for 16 years now. started at 22
For the rest I am a newbie, NooB or what ever you want to call it or call me.

I did it at home, ISBN 90 395 1909 9 (exept the exam, that a did somewhere else)

Do you know that the JackFromWales4u2 script is for sale on IRC?

Posted: Fri Sep 17, 2004 12:28 pm

Personally I don't care about JFW. I mean no disrespect but I have more important things to do and haven't the time to give him another thought. Script kiddies come and go, and like bad gas, this too will pass Wink

As Chat said, his is not an XSS exploit and is freely available on the web. So I doubt that he will get too rich ROTFL

Posted: Fri Sep 17, 2004 12:51 pm

OK, Love a clear answer,

In my first post about this:

I have put this name in the list of unwanted names so it can't create an account with that name. Rolling Eyes

A simple answer like: it's no XSS exploit, ban the name will do it, scriptkiddies are allways around so it could happen again, but don't worry there is no danger. Is a clear answer for me. Wink

Maybe a sticky post about JFW will help you safe time and help others not to worry. RavensScripts

Posted: Fri Sep 17, 2004 3:13 pm

So everyone's happy now?