stephen2417
Worker
Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH
Posted: Thu Jul 01, 2004 7:21 pm
I had xfsunolesphp (noles for short) test my security on this, with Sentinel installed on a local server, and apparently he was able to exploit the Reviews module.
Now he has signed off and gone somewhere, so I'm going to take a look through the logs, see what he did and post back.
I'll get him to post here with the full report when he returns.
Last edited by stephen2417 on Thu Jul 01, 2004 9:31 pm; edited 1 time in total
stephen2417
Posted: Thu Jul 01, 2004 7:27 pm
- - [01/Jul/2004:15:00:22 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=-1seelct%20user,%20pwd%20from%20nuke_authors HTTP/1.1" 200 5073
- - [01/Jul/2004:15:00:32 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=-1select%20user,%20pwd%20from%20nuke_authors HTTP/1.1" 200 5072
- - [01/Jul/2004:15:00:40 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=select%20user,%20pwd%20from%20nuke_authors HTTP/1.1" 200 5070
- - [01/Jul/2004:15:01:41 -0400] "GET /home/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=f00@bar.org&text=f00%253c/textarea%3E%253cscript%3Ealert%2528document.cookie);%253c/script%3Ebar HTTP/1.1" 302 4981
- - [01/Jul/2004:15:01:43 -0400] "GET /home/index.php HTTP/1.1" 200 5758
- - [01/Jul/2004:15:02:07 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=%253cscript%3Ealert%2528document.cookie);%253c/script%3E HTTP/1.1" 200 5075
- - [01/Jul/2004:15:02:24 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=%25cscript%3Ealert%2528document.cookie);%253c/script%3E HTTP/1.1" 200 5076
- - [01/Jul/2004:15:02:34 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=%3Cscript%3Ealert%2528document.cookie);%253c/script%3E HTTP/1.1" 200 168
- - [01/Jul/2004:15:03:22 -0400] "GET /home/modules.php?name=Reviews&rop=Q&order=SELECT%20user,%20pwd%20FROM%20nuke_authors HTTP/1.1" 200 4954
- - [01/Jul/2004:15:04:08 -0400] "GET /home/modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00bar&date=f00bar HTTP/1.1" 200 5195
- - [01/Jul/2004:15:06:05 -0400] "GET /home/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00&score=9999 HTTP/1.1" 200 4985
- - [01/Jul/2004:15:06:41 -0400] "GET /home/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00&score=9999 HTTP/1.1" 200 4985
- - [01/Jul/2004:15:07:01 -0400] "GET /home/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00&score=9999 HTTP/1.1" 200 4984
- - [01/Jul/2004:15:07:44 -0400] "GET /home/modules.php?name=Reviews&rop=savecomment&id=1&uname=f00bar&score=999999999999999999999999 HTTP/1.1" 302 38
I have no idea where it started to work; he just kept doing a lot of different exploits.
However, you can find out by going here... http://stephen2417.gotdns.com
Test the hell out of it, and let me know if you need unbanning. Just if you do find a hole, don't be too nasty about it, like making yourself an admin and changing everything. Plus there's no telling how long that URL will stay there, since that's running off my computer.
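The log excerpt above shows three things a defender reviewing an access log wants to pick out: SQL keywords smuggled into parameters such as categories and order, script tags that are double percent-encoded (%253c decodes to %3c, which decodes to <), and a repeated score parameter whose last value is out of range. The scanner below is an added example, not code from this thread, from NukeSentinel or from PHP-Nuke; it re-creates a few of the quoted lines as constructed samples (with a documentation-range placeholder for the client address, which the quoted log omits), decodes each value until it stops changing, and reports what it finds. The 1 to 10 score range is an assumption for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines modelled on the access-log excerpt quoted above.
# The client address is a documentation-range placeholder (RFC 5737).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2004:15:00:32 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=-1select%20user,%20pwd%20from%20nuke_authors HTTP/1.1" 200 5072
203.0.113.5 - - [01/Jul/2004:15:01:43 -0400] "GET /home/index.php HTTP/1.1" 200 5758
203.0.113.5 - - [01/Jul/2004:15:02:07 -0400] "GET /home/modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=%253cscript%3Ealert%2528document.cookie);%253c/script%3E HTTP/1.1" 200 5075
203.0.113.5 - - [01/Jul/2004:15:03:22 -0400] "GET /home/modules.php?name=Reviews&rop=Q&order=SELECT%20user,%20pwd%20FROM%20nuke_authors HTTP/1.1" 200 4954
203.0.113.5 - - [01/Jul/2004:15:06:05 -0400] "GET /home/modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00&score=9999 HTTP/1.1" 200 4985
"""

# Common log format: timestamp in brackets, then "METHOD target HTTP/x.y" and the status
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})'
)

# SELECT/UNION ... FROM inside a parameter value; no leading \b so "-1select" is still caught
SQLI_RE = re.compile(r"(select|union)\b.*\bfrom\b", re.I | re.S)
# Opening or closing script/textarea tags after decoding
XSS_RE = re.compile(r"<\s*/?\s*(script|textarea)\b", re.I)
# Assumed valid review score range for this illustration
SCORE_RANGE = range(1, 11)


def fully_decode(value, max_rounds=3):
    """Undo percent-encoding until the value stops changing, so %253c -> %3c -> '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_params(query):
    """Return (param, finding) pairs for every suspicious value in a query string."""
    findings = []
    # parse_qsl keeps repeated keys (score=9 ... score=9999), so every value is checked
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        if SQLI_RE.search(value):
            findings.append((key, "sql-injection"))
        if XSS_RE.search(value):
            findings.append((key, "xss"))
        if key == "score":
            try:
                if int(value) not in SCORE_RANGE:
                    findings.append((key, "score-out-of-range"))
            except ValueError:
                findings.append((key, "score-not-numeric"))
    return findings


def analyze_line(line):
    """Parse one log line; return a record with the module name and findings, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    module = dict(parse_qsl(parts.query)).get("name", "")
    return {
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "module": module,
        "findings": inspect_params(parts.query),
    }


def scan_log(text):
    """Return only the requests that produced at least one finding, in log order."""
    hits = []
    for line in text.splitlines():
        rec = analyze_line(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["ts"], rec["module"], rec["status"], rec["findings"])
```

Run against the sample, four of the five lines are reported and the plain index.php request is not. The repeated decoding matters: a single URL-decode leaves the %253c line as %3cscript, which a naive tag check misses, and that is the same trick the quoted log shows being tried with several encodings in turn. Pairing the finding with the response status and size also helps tell a blocked attempt (the 168-byte response) from one the module actually processed.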
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Thu Jul 01, 2004 9:09 pm
What did he exploit? Did he break into your system? Remember that Sentinel does not patch bad code. That's what Chat's service packs are for. Keep the 2 separate when reporting issues.
xfsunolesphp
Regular
Joined: Aug 23, 2003
Posts: 77
Posted: Thu Jul 01, 2004 9:27 pm
It only sent fake reviews.
Raven
Posted: Thu Jul 01, 2004 9:29 pm
That's a coding issue, not a Sentinel issue. Let Chat know.
stephen2417
Posted: Thu Jul 01, 2004 9:31 pm
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
Posted: Thu Jul 01, 2004 10:42 pm
The above examples mention the FAQ module as well. I need to know which ones allowed the attacks to go through in order to patch the vulnerable section; if you do know which ones worked, PM me the details and I'll work on fixing it in the morning.
HauntedWebby
Involved
Joined: May 19, 2004
Posts: 363
Location: Ogden, UT
Posted: Fri Jul 02, 2004 10:08 am
My reviews don't work if you post a comment; Sentinel will ban you. If you post an original review you're OK.
It's PhpNuke ... not Chat or Sentinel. Bad review code as far as I can tell, from 6.9 all the way to 7.3.
--Webby--
Raven
Posted: Fri Jul 02, 2004 10:11 am
Are you using HTML in your comments? Or will it not work if you post anything, like 'test'?
HauntedWebby
Posted: Fri Jul 02, 2004 10:16 am
Just write Hi and you're banned ... if you post a comment to an existing review. If you write a new one you're OK ... even with HTML in it.
I disabled Sentinel once to see what was up and I received a PhpNuke error that the format or something wasn't allowed. And all I wrote was Hi ... so that's why I know it's a PhpNuke problem, not anything you all are doing (Chat/Raven) ... and no version has fixed it.
damainman
Hangin' Around
Joined: Jul 10, 2004
Posts: 48
Posted: Mon Jul 12, 2004 12:23 am
Has that been fixed yet, Webby?
HauntedWebby
Posted: Mon Jul 12, 2004 11:31 am
I figured it out .... all by my lonesome (anyone scared yet?)
If the title of the original review [that posted just fine] has a ")" or "(" and you post a comment in reply to the original review, then you receive an error. Sentinel thinks the error is a hack, so it bans (not its fault).
I haven't read anywhere that you are not supposed to use special characters in the titles. But so far I've figured that the only things you can have without problems are alphanumerics and dashes.
Raven
Posted: Mon Jul 12, 2004 11:43 am
Actually we have many posts concerning () in titles of downloads. This is a nuke restriction also, so even if Sentinel wasn't stopping it, vanilla nuke would. Thanks for finding out that Reviews suffers the same pains.
HauntedWebby
Posted: Mon Jul 12, 2004 2:25 pm
Dang, there goes my glory ... lol.
I've not been playing nice with my reviews, and since I haven't added special characters, mine hasn't failed or banned anything that it shouldn't.
I cut and pasted all the stuff 2417 posted and Sentinel caught them all.