Author |
Message |
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
|
Posted:
Mon Dec 12, 2005 2:13 pm |
|
The only thing I can think of Techno is that on the Platinum mods site, there must be something about Patched 3.1 that didn't make it into Platinum.
I have disabled search on my baseline domain because it too is at risk. What also bothered me is that I made a mod to NukeSentinel (like what you did with 2.4.2) and I could get past 2.3.9 still. (A slightly different change as it uses a different methodology).
Again, I'm dumping PHP-Nuke next month anyway, so I just said "the hell with it" and disabled the module.
I think you know already what I'm going to be running, but anyway, I can say that it is fully secure and you can test it.... The one bitch though is that while it won't produce a result, NukeSentinel doesn't identify it, which I think (in my mind) is an issue because I want to know WHENEVER anyone tries a union attack against me, whether it worked or not.
If Raven wants to see this in action, he can PM me, I'll open up my 7.6 Test domain or my baseline domain (turn the module back on) and then he can see the result.
Steph |
_________________ Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance. |
|
|
technocrat
Life Cycles Becoming CPU Cycles
Joined: Jul 07, 2005
Posts: 511
|
Posted:
Mon Dec 12, 2005 2:19 pm |
|
As Steph said, the problem with PNP is the total mess everything inside of it is. There is such a blending of 2.8 & 2.9 that adding 3 & 3.1 was a difficult task. Even some of the 2.8 changes were not correct. Obviously something was missed in PNP to fix the search exploit. That sucks for me and other PNP users.
<offtopic>Steph, is anything ever going to happen on your other domain?</offtopic> |
|
|
64bitguy
|
Posted:
Mon Dec 12, 2005 2:24 pm |
|
Yes.
I got the Copyright approval back from FSF and they are now assigned as the Copyright agents. I'm going to be going live with it next month. I'm not going to include any "input filtering" though until some of the other folks decide to play with it more. Also, I want to recode all of the input functions to offer with/without HTML editor scenarios (two sets of inputs instead of just one with an on/off switch) this will allow different users with different browsers to still have more flexible functionality. (Think of it as having an on/off switch on top of having the input fields properly defined for EACH method, instead of defining the field for one, which might not ...errr... actually IS NOT, right for the other method, when the editor is on, it uses input method 1, when the editor is off, it uses method 2).
Anyway, after much to-do with lawyers and the like, I think I'm ready now, or darn close to it.
Installation scripts need work. I have a good SQL file, but it is just that (and needs bigdump to work because of everything being pre-installed).
Steph |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Tue Dec 13, 2005 2:29 pm |
|
Folks, I want to try to clear up what seems to be a misunderstanding, at least as to how Technocrat is misperceiving my comments. I have tested and proven beyond a shadow of a doubt that if your site is patched with at least 3.x and possibly even 2.9, this exploit does not work, even without NukeSentinel(tm). So, it is not a NukeSentinel(tm) issue as the patched code, even from FB (some of the few pieces he left in), secures it. Our purpose in writing and maintaining NukeSentinel(tm) has always been to work in addition to the poorly secured nuke code. We try to keep redundancy out because if the core code gets changed then NukeSentinel(tm) very well could be at odds with the core code.
I do not feel any need to rush out a new release of NukeSentinel(tm) over this for reasons stated above. You all know me (and us) here and we don't take security lightly or we would not have built this product and keep it up. But, you have the patch from technocrat if you want/need to patch your old code. But, and I can't emphasize this enough, the correct fix is to make sure you are up to date with Chatserv's latest patches (3.1 as of this writing) and then update your NukeSentinel(tm) to v2.4.2 to protect against the things that the patches don't/can't.
The sky is not falling, folks. This is but a variation on a theme. This is an old exploit that's been resurrected, more than likely because a simple Google search reveals so many sites using unpatched phpNuke. If people haven't updated their sites by now with the patches and NukeSentinel(tm), there is nothing that would lead me to believe that issuing a "patch" would help them.
If it makes you feel more secure, then by all means add technocrat's code. It won't hurt anything, that's for sure.
And just for future reference, I'm not saying I won't add this into a future release but as long as a patch is out there then there is no need, imo, to rush out another release. |
|
|
|
Raven
|
Posted:
Tue Dec 13, 2005 10:48 pm |
|
I have been working on this tonight after I saw a post by felosi at another site. I have a very easy fix that I will post as soon as a couple others test it out. |
|
|
|
Raven
|
Posted:
Tue Dec 13, 2005 11:19 pm |
|
I've tested this and it should close many holes that the kiddies never spotted. I am posting it here and in a separate post of its own.
My thanks to Technocrat for staying on my case about this.
Edit includes/nukesentinel.php file,
FIND
function st_clean_string($cleanstring) {
AFTER ADD
$cleanstring = str_replace($cleanstring,strtoupper($cleanstring),$cleanstring);
Should Now Look Like
function st_clean_string($cleanstring) {
$cleanstring = str_replace($cleanstring,strtoupper($cleanstring),$cleanstring); |
|
|
|
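An added illustration (not part of Raven's post and not NukeSentinel's code) of why upper-casing the input before matching matters, assuming the filter compares against upper-case signatures with a case-sensitive search. The function names, the signature list and the sample inputs are hypothetical and constructed for the example.

```php
<?php
// Added illustration; not NukeSentinel's code. All names here are hypothetical.

// Constructed blocklist of upper-case signatures, as a filter might store them.
const SIGNATURES = ['UNION SELECT', 'UNION ALL SELECT'];

// Case-sensitive check: the behaviour assumed before the fix.
function matches_raw(string $input): bool {
    foreach (SIGNATURES as $sig) {
        if (strpos($input, $sig) !== false) {
            return true;
        }
    }
    return false;
}

// Normalise a copy first, mirroring the strtoupper() call added to
// st_clean_string(); the caller's original value is left untouched.
function matches_normalised(string $input): bool {
    return matches_raw(strtoupper($input));
}

// Record every match, whether or not the query would have worked downstream.
function check_and_log(string $input, array &$log): bool {
    $hit = matches_normalised($input);
    if ($hit) {
        $log[] = ['time' => gmdate('c'), 'input' => $input];
    }
    return $hit;
}

// Constructed sample request values.
$samples = [
    'nuke themes',
    'x UNION SELECT 1',
    'x UnIoN sElEcT 1',
];

$log = [];
foreach ($samples as $s) {
    $raw  = var_export(matches_raw($s), true);
    $norm = var_export(check_and_log($s, $log), true);
    printf("%-20s raw=%s normalised=%s\n", $s, $raw, $norm);
}
printf("logged attempts: %d\n", count($log));
```

Only the copy used for matching is upper-cased here, so the value that is logged or passed on keeps its original case.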
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
|
Posted:
Wed Dec 14, 2005 9:17 am |
|
So no more onion attacks? lol!!! |
|
|
Raven
|
Posted:
Wed Dec 14, 2005 10:19 am |
|
Can't make that claim (yet). But, we've certainly made a lot more layers to peel ;) |
|
|
|
technocrat
|
Posted:
Wed Dec 14, 2005 10:24 am |
|
|
|
|