SQL Injection Vulnerabilities!

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

sixonetonoffun wrote:

Actually that PN code was flakey the cvs was updated in cvs after that post with simpler checking.

What I get out of it is that the way to get around the filter is to pass an array of nasty code? Anyone?

I looked at that code yesterday after you posted it and it seems as if it's just an extension of the mainfile.php code that comes with nuke. I'm not knocking it. I'm just saying that it further refines what is there, which would be a good thing. But (there always is a but) that so restricts even the webmaster when he is trying to write his own articles and such. That approach to SQL injections and XSS attacks will take so much maintenance and you end up having to be a regex guru to code it and maintain it. I truly believe that the better approach is to encapsulate the SQL activities and by using add and strip slashes you will get a 99%, if not higher, success rate.

Posted: Sat Mar 20, 2004 10:57 am

It seems best for logging attack attempts and as a catch all against any variables not protected like you say. I really think that the performance hit it gives, if implemented it should be able to be switched off/on as a config option. (Like PN has done). Of course then one has to explain what it try's to do in the documentation.

New Member Joined: Mar 21, 2004 Posts: 15

Raven wrote:

Sites are being exposed even as I write this! This is still in 7.0 and 7.1. Check your modules/Reviews/index.php file for the following code. There should be 2 instances.

WHERE id=$id

If you have it, then you MUST modify it to

WHERE id='$id' .

Are you including the DOT in this ?
and does it go before the double quote then which exists already?

Posted: Sun Mar 21, 2004 8:14 pm

Can I suggest something ....

I am not very technical Wink

So following these scripting debates leaves me confused.
I'm the Homer Simpson of scripting Embarassed

Is there any chance that once the security fix suggestions have been "agreed" and "tested" that there could be a CENTRAL definitive list of security fixes to apply ??

And I don't mean a growing list of "no, now do this" updates - but a single answer for each patch. If the patch changes - the old one should be removed. (obviously it would be good to have an addendum if a patch needs to be reversed - if you see what I mean).

This would be SO helpful !!
I can't rely on spotting every fix you suggest, especially when it's interjected with debate.

Obviously we all have a vested interest in security so a central list would truly be great IMHO.

Are there other majpor ones? I heard one about the search fixed in 7.2 whcih suddenly seems to be a premium club offer.
Poor for secuirty fixes don't you htink ? How would I do that for 7.0.

And how come the author (FB) isn't leading these security fixes ?

JMTCW.

Posted: Sun Mar 21, 2004 9:23 pm

midigod wrote:

Raven wrote:

Sites are being exposed even as I write this! This is still in 7.0 and 7.1. Check your modules/Reviews/index.php file for the following code. There should be 2 instances.

WHERE id=$id

If you have it, then you MUST modify it to

WHERE id='$id' .

Are you including the DOT in this ?
and does it go before the double quote then which exists already?

No on the dot. Take it literally. Find the 2 instances of

Code:

WHERE id=$id

and modify it to

Code:

WHERE id='$id'

It matters not what is before or after it.

Posted: Sun Mar 21, 2004 9:26 pm

midigod wrote:

And how come the author (FB) isn't leading these security fixes ?

Now there's a novel idea Laughing

(no offense to you). Quite frankly, FB (the present keeper of the code - by far not the author) could care less. Read other threads here that will tell the history and the story. JMTCW.

Posted: Mon Mar 22, 2004 8:32 am

Shorter version as quick reply lost my message Sad

Sorry to hear that the keeper is ......

How about a Raven premier club - although US$20 PA than PM Sad

No guarantess of course.
Just even that central list of security fixes (one answer only plus a history for reverse patching if necessary) would make it worth it.

If the "keeper" is complacent/overworked then in true GNU style someone should erm. help him.

My situation is typical.
Installed 7.0 last week.
Now have to subscribe to get security fixes in 7.2 ?!?!?
New to PHP and SQL. No idea what I'm doing, let alone rectifying others work.

Real shame if we let saddos attack and corrupt Nuke sites, with all the love and hard work which goes in to configuring and maintaining them (let alone hosting costs).

I appreciate your are all doing way more than your bit already, but with a little infrastructure .......

Posted: Mon Mar 22, 2004 8:40 am

7.2 is available here for free. Also, any and all of Chatserv's fixes are always posted here as they become available.

Client Joined: Jan 29, 2004 Posts: 624

The 'keeper' is underworked by his own choice. Don't worry too much about the security issues, midigod, 'cause with 7.0 you already have better security than older versions. Do a little browsin' around the topics here and on other nuke sites, and you'll find everything you need to allay your worries and you'll learn quite a bit, too. Smile

. Keep in mind, though, that the baddies will always find something to exploit, so there will never be a 100% secure web portal. That, to moi, is part of the fun of nuke.

Posted: Mon Mar 22, 2004 8:54 am

Hi there, Raven, and good mornin' Smile

Posted: Mon Mar 22, 2004 10:55 am

Thanks Southernand Raven,
I've installed 7.2 and it seems to hhave the fixes I was aware of

(search, where=id and the database FAQ capitalisation error/fix/error)

So in 7.2 specifically, are there any major secuirty issues outstanding, or do I have a clean slate for today ?

I will deploy the congif.php include path measure.
MySQL is old (3.5) so I presume I don't need the anti hacking script, or do I have other problems ?

Cheers.

Posted: Mon Mar 22, 2004 11:35 am

I'll defer to Raven on whether 7.2 has any security issues you don't know about. But I'd not worry too much if I had that version. Even my 6.9 is pretty secure using the fixes Raven, chatserv and other paramount PHPers have submitted to the nuke community, and it'll be a while before the general run of the mill script kiddies find out from better minds how to attempt exploits...wanna be hackers tend to be lazy and take the easiest way, like water, and if there isn't an easiest way but only a choice of hard and hard they are generally deterred, which is the purpose of security patches. So I'd guess you're safe for today. Smile

Posted: Tue Mar 23, 2004 12:31 am

Has anyone seen this thread at Nukecops yet?

Only registered users can see links on this board! Get registered or login!

If true, this is getting beyond a joke!

Posted: Tue Mar 23, 2004 12:51 am

Here's another that's come up today :

Only registered users can see links on this board! Get registered or login!

I may sound as though I am panicking but I've lost track of what I have and haven't patched! I feel I should build another site from scratch once all these fixes have been finalised.

I have also visited a lot of hacked sites this week and they haven't been pretty sights (no pun intended). Sad

Posted: Tue Mar 23, 2004 1:36 am

http://www.ravenphpscripts.com/article-305--0-0.html

New Member Joined: May 29, 2003 Posts: 16

chatserv

have you checked out admin secure from http://gp4tweaker.vadertrophy.com/cms/downloads-cat13.html

If so what do you think? If not could you?

Tank863

Description:
Admin Secure is an add-on script (not a module, block, nor else) for PHP-Nuke web portal system. This add-on gives you additional protection scheme for admin accounts from hacking activities and perform filtering to input variables from possible hacking attempts. This add-on does not prevent another hacking methods such as DoS (denial of service), hammering, session spoofing, backdoors, port scanning, system exploit, root access, etc. Admin Secure will monitoring suspicious SQL Injection activities as well as illegal administration access for your PHP-Nuke based website.

Features: • Blocking SQL Injection through input requests.
• Prevent illegal admin account access through input requests.
• Blocking external file inclusion for modules.php and index.php files.
• Filtering illegal scripting code from input variables.
• Ensuring admin account session taken from cookie.
• Prevent illegal admin account creation, deletion, and modification.
• Compare admin access validity through "mirrored" database table.
• Any changes on admin accounts (create, edit, delete) require approval.
• E-mail notification. An alert sent along with additional info.
• Scheduled automation tasks.
• Banning System. (Site and Modules)
• Site Activity Logging.
• Flood Protection.
• And more.

Changes On This Version: • Add: Banning System (IP Address)
• Add: Module Access Banning System (IP Address and Site Member)
• Add: Auto Ban for known security breach
• Add: Session Activity Logging
• Add: Flood Protection
• Add: Support older PHP-Nuke database manager (prior 6.5)
• Add: Blocking external file inclusion through index.php
• Add: Checking dangerous user registration fields (name, password, etc)
• Fix: Sending continuous notification when an admin account changed
• Fix: Floatval() issue with Server running PHP below 4.2.0

New Member Joined: Jan 01, 2004 Posts: 3

chatserv wrote:

http://www.ravenphpscripts.com/article-305--0-0.html

Thanks for sending this issue via a newsletter! Otherwise I would have seen it many hours later (maybe days)

greetz,

Bart

Worker Joined: Feb 16, 2004 Posts: 164

Coppermine 1.2x security exploits patches - mentioned in the news ........where can i find the patches........it does not say in the post......it just tells you where the exploits are.

Posted: Sun May 02, 2004 7:31 am

http://www.cpgnuke.com/index.php?name=Forums&file=viewtopic&t=341

Posted: Sun May 02, 2004 10:28 am

thx

Posted: Wed May 05, 2004 4:45 pm

Checking my newsfeeds, I saw a new post from Waraxe here:

http://www.zone-h.org/advisories/read/id=4502

Not sure how valid these are. I've been going down the list and I've not had a problem yet (doesn't mean I won't, just haven't had one yet).

A1 just gave me an error page.
B1 just gave me an error page.
C1 gave me "improper request".
C3 gave me "HTML tags not allowed".

Have not tried A, B, C yet. There is no C2 on the list.

Anybody else tried these? What were your results?

Posted: Wed May 05, 2004 7:30 pm

http://www.nukefixes.com/ftopicp-1689.html#1689

Posted: Wed May 05, 2004 8:10 pm

Here is his sumary
http://www.zone.ee/waraxe//?modname=sa&id=027

This one seems get through the latest patched files. Reveals admin password hash.

Posted: Wed May 05, 2004 8:22 pm

After patching the file that code turns into sid=1 or sid=2

Posted: Wed May 05, 2004 8:25 pm

I can't find this code to change in 6.9

Code:

Find:" 


Code: 


    $result=$db->sql_query("SELECT lid, url, title, description, date, hits, downloadratingsummary, totalvotes, totalcomments, filesize, version, homepage FROM ".$prefix."_downloads_downloads WHERE sid=$sid order by $orderby limit $min,$perpage"); 





Change to: 


Code: 


    $result=$db->sql_query("SELECT lid, url, title, description, date, hits, downloadratingsummary, totalvotes, totalcomments, filesize, version, homepage FROM ".$prefix."_downloads_downloads WHERE sid='$sid' order by $orderby limit $min,$perpage");