Ravens PHP Scripts: Forums
 

 

Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Tue Dec 13, 2005 11:30 pm

Nuke Platinum sites and regular phpnuke sites are being exploited with a variation of an old exploit that was fixed in Patch Level 3.x and possibly even 2.9. Using a specially crafted URL and the UNION modifier, your admin password, in md5 hashed code, can be exposed. Because many people use common dictionary words, this information can be used to easily get admin access to your site.

Now for this to happen, you would need to be running a version of phpnuke that is not patched current. NukeSentinel(tm) becomes an accomplice to this because the URL was bypassing the filters in NukeSentinel(tm). Actually, the filters are in there, they just weren't working correctly. With the following fix you should not have to worry. It should also be noted that if you are using NukeSentinel's Admin Auth protection and you have taken our advice and not kept the passwords the same, even if they guess your nuke password they still can't get past NukeSentinel(tm). That's a safety net but not the full solution.

I've tested this and it should close many holes that the kiddies never spotted ;). I am posting it here and in a separate post of its own. My thanks to Technocrat for staying on my case about this Cheers

Edit includes/nukesentinel.php file,

FIND
function st_clean_string($cleanstring) {

AFTER ADD
$cleanstring = str_replace($cleanstring,strtoupper($cleanstring),$cleanstring);

Should Now Look Like
function st_clean_string($cleanstring) {
$cleanstring = str_replace($cleanstring,strtoupper($cleanstring),$cleanstring);


Please note that users of RavenNuke76 are not affected by this :)
 
VinDSL
Life Cycles Becoming CPU Cycles



Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Wed Dec 14, 2005 1:30 am

Thanks, Raven! You're doing a great job!

It's odd how these security issues always come in spurts, no?

_________________
.:: "The further in you go, the bigger it gets!" ::.
hitwalker
Sells PC To Pay For Divorce



Joined:
Posts: 5661

Posted: Wed Dec 14, 2005 5:08 am

lol...it never ends huh...
but ehh...c'mon guys...don't think that everybody is going to update with the 3.1 patch....
i think it would be wise to publish the vulnerable parts that should be checked/patched...
the majority of what i know isn't on the 3.1, but none of them were ever hacked also...
thing also is that using the 3.1 chances are parts of your site won't be functional anymore....
so i think that publishing the few checkup steps would be helpful to many...
and if not,then they will end up here with a hacked site...
 
AFaisal
New Member



Joined: Nov 07, 2002
Posts: 2

Posted: Wed Dec 14, 2005 5:40 am

Hi,

I want to get help from you. My site is using php-nuke 7.9 patch 3.1 and Nukesentinel 2.4.2. I just want to make sure that my site is secure, so please let me know if you can exploit my site.

Regards,
AFaisal
 
Raven







Posted: Wed Dec 14, 2005 8:25 am

hitwalker wrote:
lol...it never ends huh...
but ehh...c'mon guys...don't think that everybody is going to update with the 3.1 patch....
i think it would be wise to publish the vulnerable parts that should be checked/patched...
the majority of what i know isn't on the 3.1, but none of them were ever hacked also...
thing also is that using the 3.1 chances are parts of your site won't be functional anymore....
so i think that publishing the few checkup steps would be helpful to many...
and if not,then they will end up here with a hacked site...

That's why I published the fix ;)
 
Raven







Posted: Wed Dec 14, 2005 8:26 am

AFaisal wrote:
Hi,

I want to get help from you. My site is using php-nuke 7.9 patch 3.1 and Nukesentinel 2.4.2. I just want to make sure that my site is secure, so please let me know if you can exploit my site.

Regards,
AFaisal

I do not offer that 'service'. You can find all the hacks you need to test on your own by googling :)
 
technocrat
Life Cycles Becoming CPU Cycles



Joined: Jul 07, 2005
Posts: 511

Posted: Wed Dec 14, 2005 10:24 am

AFaisal - Applying the patch above and what you have now "should" stop most current hacks and the ones that I am watching the script kiddies mess with. Who knows what tomorrow might bring. :(

Raven - I am glad we could agree finally :) I think it's better for everyone

diyadin2
New Member



Joined: Dec 25, 2004
Posts: 1

Posted: Wed Dec 14, 2005 10:34 am

Thanks Raven
 
Mojo742
New Member



Joined: Nov 03, 2005
Posts: 6

Posted: Wed Dec 14, 2005 8:46 pm

I am looking to patch my site to 3.1... will I have to add the file edits for NukeSentinel again after that?
 
AFaisal







Posted: Wed Dec 14, 2005 9:18 pm

I have added the line above in includes/nukesentinel.php.
Can someone PM me how to test injection on my site? I think this is funny if I asked you. I am not a programmer, I am only a user.
 
Raven







Posted: Wed Dec 14, 2005 9:31 pm

http://www.zone-h.org/en/advisories/read/id=8510/
 
VinDSL







Posted: Thu Dec 15, 2005 3:17 am

Raven wrote:
http://www.zone-h.org/en/advisories/read/id=8510/

If you'll pardon the pun: "Oh, what a tangled *web* we weave, when first we practice to deceive."

Ever heard the rarely mentioned second line? "But my how we improve the score, as we practice more and more." ROTFL
 
Raven







Posted: Thu Dec 15, 2005 4:19 am

How true -- how true. I have to commend felosi for his quick reaction to my response. See http://forum.zone-h.org/viewtopic.php?t=4591
 
SpaceMonkey
Worker



Joined: Apr 30, 2005
Posts: 170

Posted: Thu Dec 15, 2005 5:49 am

Can anyone let me know the dates that the various patches have been released? I've updated a couple of times...

How can I tell what version I'm running?
 
chatserv
Member Emeritus



Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

Posted: Thu Dec 15, 2005 10:18 am

12/07/04 - Version 2.8
02/15/05 - Version 2.9
04/29/05 - Version 3.0
06/24/05 - Version 3.0 For PHP-Nuke 7.8
07/28/05 - Version 3.1

3.1 had a few changes done to it shortly after it was released, if you downloaded it in the past two months then you have the latest version that is available for downloading.
 
Raven







Posted: Sun Dec 18, 2005 12:32 am

UPDATE: The previous fix works but it was causing some links in the admin screen to not function correctly (see http://www.ravenphpscripts.com/postp54570.html#54570 ). So, here is yet another, not so elegant, fix that should make all things well again ;)

Edit includes/nukesentinel.php file

FIND AND REPLACE THIS ENTIRE FUNCTION (UPDATED 12/18/2005)
Code:
function st_clean_string($cleanstring) {}


WITH THIS

Code:
function st_clean_string($cleanstring) {

  $st_fr1 = array("%00", "%01", "%02", "%03", "%04", "%05", "%06", "%07", "%08", "%09", "%10", "%11", "%12", "%13", "%14", "%15", "%16", "%17", "%18", "%19", "%20", "%21", "%22", "%23", "%24", "%25", "%26", "%27", "%28", "%29", "%30", "%31", "%32", "%33", "%34", "%35", "%36", "%37", "%38", "%39", "%40", "%41", "%42", "%43", "%44", "%45", "%46", "%47", "%48", "%49", "%50", "%51", "%52", "%53", "%54", "%55", "%56", "%57", "%58", "%59", "%60", "%61", "%62", "%63", "%64", "%65", "%66", "%67", "%68", "%69", "%70", "%71", "%72", "%73", "%74", "%75", "%76", "%77", "%78", "%79");

  $st_to1 = array("", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", " ", "!", "\"", "#", "$", "%", "&", "'", "(", ")", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "@", "A", "B", "C", "D", "E", "F", "G", "H", "I", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "`", "a", "b", "c", "d", "e", "f", "g", "h", "i", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y");

  $st_fr2 = array("%0A", "%0B", "%0C", "%0D", "%0E", "%0F", "%1A", "%1B", "%1C", "%1D", "%1E", "%1F", "%2A", "%2B", "%2C", "%2D", "%2E", "%2F", "%3A", "%3B", "%3C", "%3D", "%3E", "%3F", "%4A", "%4B", "%4C", "%4D", "%4E", "%4F", "%5A", "%5B", "%5C", "%5D", "%5E", "%5F", "%6A", "%6B", "%6C", "%6D", "%6E", "%6F", "%7A", "%7B", "%7C", "%7D", "%7E", "%7F", "%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%1a", "%1b", "%1c", "%1d", "%1e", "%1f", "%2a", "%2b", "%2c", "%2d", "%2e", "%2f", "%3a", "%3b", "%3c", "%3d", "%3e", "%3f", "%4a", "%4b", "%4c", "%4d", "%4e", "%4f", "%5a", "%5b", "%5c", "%5d", "%5e", "%5f", "%6a", "%6b", "%6c", "%6d", "%6e", "%6f", "%7a", "%7b", "%7c", "%7d", "%7e", "%7f");

  $st_to2 = array("", "", "", "", "", "", "", "", "", "", "", "", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "J", "K", "L", "M", "N", "O", "Z", "[", "\\", "]", "^", "_", "j", "k", "l", "m", "n", "o", "z", "{", "|", "}", "~", "", "", "", "", "", "", "", "", "", "", "", "", "", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "J", "K", "L", "M", "N", "O", "Z", "[", "\\", "]", "^", "_", "j", "k", "l", "m", "n", "o", "z", "{", "|", "}", "~", "");

  $cleanstring = str_replace($st_fr1, $st_to1, $cleanstring);
  $cleanstring = str_replace($st_fr2, $st_to2, $cleanstring);
  return $cleanstring;
}
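
Added example, not part of Raven's post and not NukeSentinel code: both fixes in this thread change what st_clean_string() returns, the first by upper-casing the string and the second by turning percent-encoded bytes back into characters. The PHP below shows why a keyword filter needs that normalisation before it matches, using the built-in rawurldecode() in place of the lookup tables; the function names and sample strings are constructed for illustration.

```php
<?php
// Added illustration, not NukeSentinel code. Function names are hypothetical.

// Reduce a request value to one canonical form before any keyword check.
function canonicalize_input(string $value, int $maxRounds = 5): string
{
    // Decode percent-encoding until the value stops changing, so a value
    // encoded twice ends up the same as one encoded once. Bounded loop.
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    // Whitespace-like control characters become a space so they still
    // separate words; the remaining control characters are removed.
    $value = (string) preg_replace('/[\t\n\r\x0B\x0C]+/', ' ', $value);
    $value = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    // Fold case last so the comparison below is case-insensitive.
    return strtolower($value);
}

// True when the canonical form contains "union" as a whole word.
function contains_union_keyword(string $raw): bool
{
    return preg_match('/\bunion\b/', canonicalize_input($raw)) === 1;
}

// Constructed sample values, not taken from the thread or any advisory.
$samples = [
    'union'        => true,
    'UnIoN'        => true,   // mixed case
    '%55nion'      => true,   // one letter percent-encoded
    '%2555nion'    => true,   // the same value encoded twice
    'un%00ion'     => true,   // encoded NUL inside the word
    'reunion 2005' => false,  // ordinary word that merely contains "union"
];

foreach ($samples as $input => $expected) {
    $got = contains_union_keyword((string) $input);
    printf("%-14s %-8s %s\n", $input, $got ? 'flagged' : 'clean',
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

As the first post notes, the exploit only works against a phpnuke that is not patched current, so a filter like this complements patching rather than replacing it.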
 
phoenix-cms
Worker



Joined: Aug 05, 2005
Posts: 139

Posted: Sat Dec 24, 2005 3:32 am

After looking into this, my phpnuke that I am building (code name phoenix)
uses that same search module from nukestyles and phpnuke 7.9 filter does not seem to be affected.

Maybe the filter code could be backported into patched?

_________________
Evo 3.0 Developer & nukecops.com Admin
coming soon www.www.cmsrevolution.com :)
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Sat Dec 24, 2005 9:04 am

VinDSL wrote:
Thanks, Raven! You're doing a great job!

It's odd how these security issues always come in spurts, no?

Probably ties in with school holidays lmao
 
All times are GMT - 6 Hours
 