Ravens PHP Scripts: Forums
 

 

Gremmie
Former Moderator in Good Standing



Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Thu Feb 19, 2009 12:09 pm

montego wrote:
Don't forget that for many reasons, we import the request variables within mainfile.php. Too many add-on modules/blocks/etc. would break otherwise.


Oh yeah. :(

I have been away too long, forgot about that.

kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6437

Posted: Thu Feb 19, 2009 12:14 pm

Gremmie wrote:
It looked to me like the fix was just to make sure some variables were defined before first use. That's something you always should do, but especially if register globals is on, otherwise a bad guy could provide his own values for those variables.

Not defining as much as initializing, which allowed a bad guy who could read the alert to define his values for that one variable. Yes, register globals would be an issue, but as montego said, the values are loaded either way.

_________________
I search, therefore I exist...
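
Added example, not part of the original posts and not RavenNuke code: the initialization point kguske and Gremmie discuss, shown in PHP. `extract()` stands in for the request-variable import montego says mainfile.php performs; the function names, the `$html` variable and the request value are constructed for illustration.

```php
<?php
// Added illustration; not RavenNuke code. extract() stands in for the
// request-variable import that the thread says mainfile.php performs.

// BEFORE: $html is appended to without ever being initialized, so a request
// key named "html" that was imported into scope becomes the start of the output.
function list_before(array $request): string
{
    extract($request);                        // request keys become local variables
    foreach (['a.png', 'b.png'] as $name) {
        $html .= '<li>' . $name . '</li>';    // first use is a read-modify-write
    }
    return '<ul>' . $html . '</ul>';
}

// AFTER: the variable is initialized after the import and before first use,
// which discards whatever the request supplied under that name.
function list_after(array $request): string
{
    extract($request);                        // import kept for legacy add-ons
    $html = '';                               // explicit initialization
    foreach (['a.png', 'b.png'] as $name) {
        $html .= '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return '<ul>' . $html . '</ul>';
}

// Constructed request: one parameter whose name matches the internal variable.
$request = ['html' => '<li>SUPPLIED-BY-REQUEST</li>'];

echo "before: ", list_before($request), "\n";
echo "after:  ", list_after($request), "\n";

// With an empty request, list_before() triggers PHP's undefined-variable
// notice/warning; logging those is a cheap way to find such variables.
echo "before (empty request): ", list_before([]), "\n";
```

The import does not need register globals to be on for the "before" version to misbehave, which is the point made in the posts above.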
emmaphp
Worker



Joined: Aug 22, 2006
Posts: 192

Posted: Thu Feb 19, 2009 6:56 pm

Hi All,

I have just read the Home Page of this website (on February 20 2009, just to clarify my time of writing) and see that it currently reads as follows:


' Unfortunately, there is a major security hole that has been found and released to the public
We have made available the fixed file for download at PATCHED FILE FIX
After you download it you need to unzip it and use the unzipped downloaded file
to replace the same named file, captcha.php in YOUR_RN_ROOT_FOLDER/images/captcha.php
You must do this immediately as the vulnerability is a destructive exploit and you will lose data if you do not patch this hole
For further details see Security Forum '


However, this notification does not advise which versions of Raven Nuke are affected. The posting by Raven in this forum is as follows:


Raven wrote:
Everyone needs to do this!

Please immediately download and replace the following file:

Download -> http://www.ravenphpscripts.com/public/captcha.zip
Unzip captcha.zip
Replace ->/images/captcha.php



...However, again, this posting also fails to identify which specific versions of Raven Nuke are affected.

Please can someone advise which versions are affected and explain how, if I am not 100% sure of which version a website is using, I am able to identify if the file located at /images/captcha.php must be replaced?

Maybe someone can give exact details of the code that was in the old/original version of the file that is affected and what it should be changed to etc?

Thanks all.
 
Palbin
Site Admin



Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

Posted: Thu Feb 19, 2009 7:04 pm

I believe anything after and including RN 2.10.00

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan.

Last edited by Palbin on Thu Feb 19, 2009 7:40 pm; edited 1 time in total 
emmaphp







Posted: Thu Feb 19, 2009 7:08 pm

Hi Palbin,

Thank you for a speedy reply to my previous posting.

However, please can someone explain how, if I am not 100% sure of which version a website is using, I am able to identify if the file located at /images/captcha.php must be replaced?

As I previously mentioned, maybe someone can give exact details of the code that was in the old/original version of the file that is affected and what it should be changed to etc?

Thanks again all.
 
Gremmie







Posted: Thu Feb 19, 2009 7:26 pm

I believe, and correct me if I am wrong, that it affects anyone running RN 2.10 and above. Montego thought this as well (see page 2).

If you diff the patched file and a file from RN 2.10 or 2.20 you can see the differences.
 
Palbin







Posted: Thu Feb 19, 2009 7:44 pm

Edited my post to say 2.10.00.

emmaphp, look in the nuke_config table using phpmyadmin. Go to the end and look for the Version_Num column.
 
emmaphp







Posted: Thu Feb 19, 2009 7:58 pm

I am running rn2.30.00

Thank you for the 'heads up' Palbin.

Now I have work to do on securing this site.

Thanks again all!
 
Palbin







Posted: Thu Feb 19, 2009 9:37 pm

Unless the site is customized just upgrade. :)
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Fri Feb 20, 2009 12:40 am

emmaphp, it's really simple enough. If you have any version that has the captcha file - replace it. And this release note at http://www.ravenphpscripts.com/postt17156.html details it even more.
 
emmaphp







Posted: Fri Feb 20, 2009 5:29 am

Raven,

Thank you for this additional information, moreover for diverting your valuable time to my recent posting on this thread.
 
cornishpixie
Regular



Joined: Dec 15, 2008
Posts: 79

Posted: Fri Feb 20, 2009 10:02 am

Just to say I upgraded both my sites with the new release 2.30.01 last night after previously uploading recommended files/folders, and both sites are now working great and watertight again.

Many thanks to you all, especially Raven for his patience with a non techy old lady LOL
 
selectric
Regular



Joined: Aug 06, 2008
Posts: 65

Posted: Mon Mar 16, 2009 6:14 am

Hello and thank you for your time!
I have: rn2.20.01
and have spent months customizing it to being just how I want it. I have made the choice not to upgrade to the new version. I have however updated the captcha fix.... I would really appreciate it if someone would advise me as to what files I absolutely must get from the new version, and load to my rn2.20.01 for security protection? Thanks so much!
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

Posted: Mon Mar 16, 2009 6:28 pm

Pretty sure it's all here
http://www.ravenphpscripts.com/postt17156.html

Raven







Posted: Mon Mar 16, 2009 10:44 pm

selectric,

Just be aware that v2.2x will soon reach the so-called EOL (End of Life). We will not be offering any updates at all nor patching security holes if they are found. In other words it will soon be dead. It's on life support but there's little brain and heart activity ;)

We encourage you and everyone to upgrade to v2.30.01 series because the next release, v2.4, will only be made compatible with the v2.3 series.
 
dad7732
RavenNuke(tm) Development Team



Joined: Mar 18, 2007
Posts: 1242

Posted: Tue Mar 17, 2009 6:37 am

Wondering .....

Since 2.3.x uses the new DB calls to $db replacing $dbi and other replacements, is there the possibility to author an update script of sorts that will do an auto-replace for those users updating from 2.1.x and 2.2.x that have custom add-ons so they can continue to use them?

It was easy enough for "ME" because I use Homesite's EDIT / Replace function to do the entire document in one swipe. But a script for that purpose would be nice.

Cheers
 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

Posted: Tue Mar 17, 2009 7:11 am

Well, just so everyone knows, $dbi was replaced by $db in PHP-Nuke many, many, many moons ago...

fkelly
Former Moderator in Good Standing



Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Tue Mar 17, 2009 7:57 am

Dad: the process for fixing programs that use $dbi is pretty well detailed in our forums posts here. I really don't see how it would be feasible to write a script to replace that process ... you have to look inside the obsolete PHP code to make the required changes and then test the changes. I really can't see how it is feasible to automate that, at least at a reasonable expense. And users can implement a temporary fix just by uncommenting a couple of lines of mainfile. I just don't see where this is so onerous or inconvenient and at some point we need to move on from supporting obsolete code.
 
selectric







Posted: Tue Mar 17, 2009 8:27 am

evaders99 wrote:
Pretty sure it's all here
http://www.ravenphpscripts.com/postt17156.html


It says "If you are upgrading from RavenNuke(tm) v2.30.00:"
0001350: [Module - Your Account (RNYA)] Remote Php Code Execution in avatarlist.php (KGuske) - resolved.
0001351: [Module - Your Account (RNYA)] Remote Php Code Execution in Your Account module (KGuske) - resolved.
0001376: [Module - Your Account (RNYA)] XSS Vulnerability in Your_Account (Evaders99) - resolved.

Since I do not have version 2.30.00, I would not upgrade. However, then it says: "We strongly recommend that you make backups of all of the above mentioned files and just upload/replace them all REGARDLESS of what version of RavenNuke(tm) you are using."

Does that mean that version 2.20.01 is vulnerable to the Your_Account issues listed above? OR is upgrading just recommended, even though v2.20.01 is not vulnerable to the same issue? THANK YOU, SORRY ABOUT MY CONFUSION!
 
selectric







Posted: Thu Mar 19, 2009 8:59 am

Obviously it's a 2.30.00 Your_Account vulnerability, after all, if it was in 2.20.01, it would have had to be fixed way before this.
 
Raven







Posted: Thu Mar 19, 2009 9:52 am

Nothing is ever "obvious" when it comes to exploits. I know of another script that took 5 years before an exploit was found and it is a very popular script. If I were you I would check to see if the Your_Account version you are using has the identified code in it just to be safe. Again I will remind you that by not updating now you will have an even harder time with future releases when it comes to code changes and enhancements. I'll not lecture you anymore about this ;)
 
selectric







Posted: Thu Mar 19, 2009 10:59 am

Can I ask how I would check to see if the Your_Account version I am using has the identified code in it? What is the identified code? I'm looking at the new security change log which has:

0001350: [Module - Your Account (RNYA)] Remote Php Code Execution in avatarlist.php (KGuske) - resolved.
0001351: [Module - Your Account (RNYA)] Remote Php Code Execution in Your Account module (KGuske) - resolved.
0001376: [Module - Your Account (RNYA)] XSS Vulnerability in Your_Account (Evaders99) - resolved.
0001358: [Security / Vulnerability] Additional Form validation (Guardian2003) - resolved.

However, when I look into the new RavenNuke Your_Account, I cannot find fix numbers such as 0001351. Please let me know where I can find the identified codes. I'm not upgrading. Thank you very much for your help!


Last edited by selectric on Thu Mar 19, 2009 2:01 pm; edited 1 time in total 
Raven







Posted: Thu Mar 19, 2009 11:13 am

You will have to look up the actual reported exploit at Secunia or Google for it and read what code was causing the exploit.
 
kguske







Posted: Thu Mar 19, 2009 11:18 am

We didn't log those numbers in the source, but you can compare your source to the upgrade file to see the differences using Beyond Compare, WinMerge (free), or other comparison tools.
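
Added example, not part of the original posts and not a RavenNuke tool: one way to find which installed files differ from the release before opening them in a comparison tool, as kguske and Gremmie suggest. The directory layout, file contents and function names are constructed; only the names `images/captcha.php` and `avatarlist.php` come from the thread.

```php
<?php
// Added illustration; not part of RavenNuke. The sample trees below are
// constructed in a temp directory so the script runs offline.

// Map every file under $root: relative path => SHA-256 of its contents.
function hash_tree(string $root): array
{
    $hashes = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        if ($file->isFile()) {
            $rel = str_replace('\\', '/', $walker->getSubPathname());
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    return $hashes;
}

// For each file shipped in the release, say how the installed copy relates.
function compare_to_release(string $installed, string $release): array
{
    $mine = hash_tree($installed);
    $report = [];
    foreach (hash_tree($release) as $rel => $hash) {
        if (!isset($mine[$rel])) {
            $report[$rel] = 'not installed';
        } elseif ($mine[$rel] !== $hash) {
            $report[$rel] = 'differs: review in a diff tool';
        } else {
            $report[$rel] = 'identical to release';
        }
    }
    ksort($report);
    return $report;
}

// Constructed sample: a customized site and an unpacked release.
$base = sys_get_temp_dir() . '/rn_compare_' . uniqid();
$files = [
    'site/images/captcha.php'                     => "old copy\n",
    'site/modules/Your_Account/index.php'         => "same\n",
    'release/images/captcha.php'                  => "patched copy\n",
    'release/modules/Your_Account/index.php'      => "same\n",
    'release/modules/Your_Account/avatarlist.php' => "new\n",
];
foreach ($files as $path => $body) {
    @mkdir(dirname("$base/$path"), 0700, true);
    file_put_contents("$base/$path", $body);
}
foreach (compare_to_release("$base/site", "$base/release") as $rel => $status) {
    echo str_pad($rel, 45), $status, "\n";
}
```

A "differs" result does not say whether the difference is a local customization or a missing fix; that still needs a side-by-side read of the two files.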
 
sebastiaan
New Member



Joined: Apr 27, 2009
Posts: 21
Location: The Netherlands

Posted: Tue Apr 28, 2009 5:11 pm

Warning!!! PHP-Nuke 8.0 and 8.1 have too many SQL injections and XSS problems; I don't use that any more. I also have a scan report from that script; I can upload it if the Raven team likes, then you will see how many security problems PHP-Nuke 7.6 - 8.1 have. The patch doesn't fix all the SQL injections. The problem is, read below:

Code:
config.php%26userfile_name%3Dscanalert.txt

Content-Type=application%2Fx-www-form-urlencoded

Confidential - McAfee Security Audit Report Page 21
Affects: 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
Version less than Apache httpd 2.0.40
Important: Path vulnerability ---> CVE-2002-0661
Affects: 2.0.39, 2.0.37, 2.0.36, 2.0.35
Low: Path revealing exposures ---> CVE-2002-0654
Affects: 2.0.39, 2.0.37?, 2.0.36?, 2.0.35?
Version less than Apache httpd 2.0.37
Critical: Apache Chunked encoding vulnerability ---> CVE-2002-0392
Affects: 2.0.36, 2.0.35
Version less than Apache httpd 2.0.36
Low: Warning messages could be displayed to users ---> CVE-2002-1592
Affects: 2.0.35
CVSS
7.5
Solution
Upgrade to newer version
Detail
Apache/2.0.58 ---> Verify that you are running the Latest version of Apache.
Links
httpd.apache.org
Related
None
Web Application Cross Site Scripting
Port First Detected Category
80 22/04/2009 20:50 Web Application
Protocol Fix Difficulty Impact
HTTP Medium Cross Site Scripting (XSS)
Description
The remote web application appears to be vulnerable to cross-site scripting (XSS).
The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web
site is vulnerable if it displays user-submitted content without sanitizing user input.
The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not
properly sanitize user input the attacker submits client-side code to the server that will then be rendered by the client. It is
important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.
The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus
payload onto their computer via browser.
The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user.
CVSS
5.8
Solution
When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.
Ensure that parameters and user input are sanitized by doing the following:
Remove < input and replace with &lt;
Remove > input and replace with &gt;
Remove ' input and replace with &apos;
Remove " input and replace with &#x22;
Remove ) input and replace with &#x29;
Remove ( input and replace with &#x28;
Detail
Protocol http Port 80 Read Timeout 10000 Method POST
Path /modules.php
Query
name=Web_Links
l_op=search
query=
Headers
Referer=http%3A%2F%2Fwww.YOURDOMAIN.COM%3A80%2Fmodules.php%3Fname%3DWeb_Links%26l_op
%3Dviewlinkdetails%26lid%3D1%26ttitle%3D..%252F..%252F..%252F..%252F..%252F..%252Fetc%252F
passwd%2500_Home_Of_PHP-Nuke_Special_Edition
Content-Type=application%2Fx-www-form-urlencoded
Body query=>"></title></iframe></script></form></td></tr><br><iFraMe src=http://www.HackerSafe.com
width=900 height=1100></IfRamE>
Protocol http Port 80 Read Timeout 10000 Method POST
Path /modules.php
Query
name=Downloads
op=search
query=
Headers
Referer=http%3A%2F%2Fwww.YOURDOMAIN.COM%3A80%2Fmodules.php%3Fname%3DDownloads
Content-Type=application%2Fx-www-form-urlencoded
Body query=>"></title></iframe></script></form></td></tr><br><iFraMe src=http://www.HackerSafe.com
width=900 height=1100></IfRamE>
Protocol http Port 80 Read Timeout 10000 Method POST
Path /modules.php
Query name=Feedback
Headers
Referer=http%3A%2F%2Fwww.YOURDOMAIN.COM%3A80%2Fmodules.php%3Fname%3DFeedback
Content-Type=application%2Fx-www-form-urlencoded
Body
sender_name=>"></title></iframe></script></form></td></tr><br><iFraMe
src=http://www.HackerSafe.com width=900 height=1100></IfRamE>
sender_email=0
message=0
opi=ds
submit=Verzenden
Protocol http Port 80 Read Timeout 10000 Method POST
Path /modules.php
Query name=Feedback
Headers
Referer=http%3A%2F%2Fwww.YOURDOMAIN.COM%3A80%2Fmodules.php%3Fname%3DFeedback
Content-Type=application%2Fx-www-form-urlencoded
Body
sender_name=0
sender_email=>"></title></iframe></script></form></td></tr><br><iFraMe
src=http://www.HackerSafe.com width=900 height=1100></IfRamE>
message=0
opi=ds
submit=send


Last edited by sebastiaan on Tue Apr 28, 2009 5:59 pm; edited 2 times in total 
All times are GMT - 6 Hours
 