Lateron
Worker
Joined: May 10, 2003
Posts: 119
Location: Katoomba, NSW, Australia.
Posted: Mon Mar 29, 2004 3:48 pm

This was posted by djmaze at nukecops: (link visible to registered users only)

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Mon Mar 29, 2004 3:56 pm

I was just posting Chatserv's fix here.
In admin.php find this code:
Code:
function deleteNotice($id, $table, $op_back) {
    global $db;
    // $table, $id and $op_back come from the request and are not validated:
    // the caller chooses the table, and $id is dropped into the statement as-is
    $db->sql_query("DELETE FROM $table WHERE id = '$id'");
    Header("Location: admin.php?op=$op_back");
}

and change it to:
Code:
function deleteNotice($id) {
    global $prefix, $db;
    $id = intval($id);   // force a plain integer before it reaches the query
    // the table is now fixed to the pending-reviews table instead of taken from the request
    $db->sql_query("DELETE FROM ".$prefix."_reviews_add WHERE id = '$id'");
    Header("Location: admin.php?op=reviews");
}

and find in the same file:
Code:
case "deleteNotice":
    deleteNotice($id, $table, $op_back);
    break;

Change to:
Code:
case "deleteNotice":
    deleteNotice($id);
    break;

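Added example, not from the thread and not PHP-Nuke code: the two deleteNotice() versions above modelled in Python against an in-memory sqlite3 database, so the effect of the fix can be seen on real rows. The prefix "nuke", the nuke_reviews_add and nuke_reviews tables, their columns and rows are constructed for the demo; nuke_reviews stands in for any other table that has an id column. php_intval() mimics PHP's intval() on a string, which is what turns the crafted id back into a harmless number.

```python
import re
import sqlite3

# $prefix in the thread; "nuke" is assumed here.
PREFIX = "nuke"


def php_intval(value):
    """Mimic PHP's intval() on a string: leading optional sign and digits, else 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group(0)) if m else 0


def make_db():
    """Constructed sample data: three pending reviews (the table the fix pins) and
    two published reviews in a second table that also has an id column."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {PREFIX}_reviews_add (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE {PREFIX}_reviews     (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO {PREFIX}_reviews_add VALUES (1, 'pending a'), (2, 'pending b'), (3, 'pending c');
        INSERT INTO {PREFIX}_reviews     VALUES (1, 'published a'), (2, 'published b');
    """)
    return conn


def delete_notice_old(conn, id_, table):
    """The 'find this code' version: table name and id come from the request and
    are pasted into the statement unchanged (deliberately vulnerable)."""
    conn.execute(f"DELETE FROM {table} WHERE id = '{id_}'")
    conn.commit()


def delete_notice_new(conn, id_):
    """The replacement: the table is fixed and the id is forced to an integer first."""
    id_ = php_intval(id_)
    conn.execute(f"DELETE FROM {PREFIX}_reviews_add WHERE id = '{id_}'")
    conn.commit()


def count_rows(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def demo():
    """Run the same crafted inputs through both versions; returns the rows left behind."""
    results = {}
    crafted_id = "1' OR '1'='1"   # closes the quoted literal, a tautology follows

    # Old code, crafted id against the intended table: every pending review is gone.
    conn = make_db()
    delete_notice_old(conn, crafted_id, f"{PREFIX}_reviews_add")
    results["old_injected_id"] = count_rows(conn, f"{PREFIX}_reviews_add")

    # Old code, ordinary id but the request names a different table: a published
    # review is deleted through the "delete a pending notice" operation.
    conn = make_db()
    delete_notice_old(conn, "1", f"{PREFIX}_reviews")
    results["old_other_table"] = count_rows(conn, f"{PREFIX}_reviews")

    # New code with the same crafted id: intval() keeps only the leading 1, exactly
    # one pending review goes, and the other table cannot be reached at all.
    conn = make_db()
    delete_notice_new(conn, crafted_id)
    results["new_injected_id"] = (count_rows(conn, f"{PREFIX}_reviews_add"),
                                  count_rows(conn, f"{PREFIX}_reviews"))
    return results


if __name__ == "__main__":
    for name, left in demo().items():
        print(f"{name}: rows left = {left}")
```

The two halves of the fix close two separate holes: intval() stops the id from breaking out of the quoted literal, and hard-coding the table stops the request from pointing the DELETE at something other than pending reviews. Either one alone leaves the other path open.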
Lateron
Posted: Mon Mar 29, 2004 4:38 pm

Raven,
We folk from the Southern Hemisphere are just too quick for you northerners!
Ron..... ;)

Raven
Posted: Mon Mar 29, 2004 4:50 pm

Rock => Raven <= Lateron
I have the comebacks but in the interest of public relations I will withhold them :lol:

Nukeum66
Life Cycles Becoming CPU Cycles
Joined: Jul 30, 2003
Posts: 551
Location: Neurotic, State, USA
Posted: Mon Mar 29, 2004 7:08 pm

Raven, let the reb have it! ...... :lol:
_________________
Scott Johnson MIS Ubuntu/Linux 11.10

Johan1982
New Member
Joined: Oct 23, 2003
Posts: 24
Posted: Tue Mar 30, 2004 1:54 pm

darksied
Hangin' Around
Joined: Jan 27, 2004
Posts: 25
Location: New Jersey
Posted: Tue Mar 30, 2004 5:24 pm

OK, I tried this fix and I get a parse error on line 125. Anyone else have this happen yet? I am running version 6.9. Any ideas on how to possibly fix the fix?

Raven
Posted: Tue Mar 30, 2004 5:39 pm

Well, a parse error usually means a missing ; or ' or " . If you can't find it, please post lines 120 - 130.

darksied
Posted: Tue Mar 30, 2004 11:36 pm

OK Raven, here is the error and the code. I included lines 109-130; it just seemed easier at the time.
PS: Like I told Chatserv, thanks for all the work that you guys do in the security area for php-nuke.
Code:
Parse error: parse error in /home/public_html/admin.php on line 125

Code:
109 function gfx($random_num) {
110     global $prefix, $db;
111     require("config.php");
112     $datekey = date("F j");
113     $rcode = hexdec(md5($_SERVER[HTTP_USER_AGENT] . $sitekey . $random_num . $datekey));
114     $code = substr($rcode, 2, 6);
115     $image = ImageCreateFromJPEG("images/admin/code_bg.jpg");
116     $text_color = ImageColorAllocate($image, 80, 80, 80);
117     Header("Content-type: image/jpeg");
118     ImageString ($image, 5, 12, 2, $code, $text_color);
119     ImageJPEG($image, '', 75);
120     ImageDestroy($image);
121     die();
122 }
123
124 function deleteNotice($id) {
125     global $prefix, $db;
126     $id = intval($id);
127     $db->sql_query("DELETE FROM ".$prefix."_reviews_add WHERE id = '$id'");
128     Header("Location: admin.php?op=reviews");
129 }
130

Raven
Posted: Tue Mar 30, 2004 11:51 pm

Something else has been added to your admin.php. In the v6.9 default admin.php, your line 109 actually starts on line 106. Try reinstalling the default admin.php and then applying this fix.

darksied
Posted: Wed Mar 31, 2004 11:30 am

OK, this is what I did: I dropped a clean admin.php and the one on my site into Differences Examiner and this is what I found.
Code:
if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
    die("Illegal Operation");
}

Clean admin.php
Code:
$sql = "INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_lang, user_dateformat) VALUES (NULL, '$name', '$email', '$url', '$user_avatar', '$user_regdate', '$pwd', '$Default_Theme', '$commentlimit', 'english', 'D M d, Y g:i a')";

admin.php on website
Code:
$sql = "INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_level, user_lang, user_dateformat) VALUES (NULL, '$name', '$email', '$url', '$user_avatar', '$user_regdate', '$pwd', '$Default_Theme', '$commentlimit', '2', 'english', 'D M d, Y g:i a')";

Now, the top code I included from your site. Why the other 2 lines are different I don't really know; I have a few mods like NSN Groups and such, so it could be from any mod I installed. I wish there was a way to tell what changes what, or what lines were modified by newly installed mods.

Raven
Posted: Wed Mar 31, 2004 1:44 pm

Please zip your admin.php and email it to me. Thanks.

Raven
Posted: Wed Mar 31, 2004 5:40 pm

I don't know what editor you are using, but it is adding some weird characters in all the code you added. That's your problem. Use an editor like Textpad and try it again. Here is what it looks like and what is causing your errors:
Code:
function deleteNotice($id) {
Ê Ê global $prefix, $db;
Ê Ê $id = intval($id);
Ê Ê $db->sql_query("DELETE FROM ".$prefix."_reviews_add WHERE id = '$id'");
Ê Ê Header("Location: admin.php?op=reviews");
}

and also
Code:
case "deleteNotice":
Ê ÊdeleteNotice($id);
Ê Êbreak;

darksied
Posted: Wed Mar 31, 2004 11:23 pm

Thanks for all the help Raven, it now works.

chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
Posted: Mon Apr 26, 2004 11:34 am

Some additional protection code; thought I'd post it here since it deals with admin.php as well. This will stop two forms of a hack that attempts to add an admin account for the hacker, either by using a fake image or by inserting the code:
After admin.php's file credits add the following:
Code:
// case-insensitive substring match on the raw query string of the request
if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
    die("Illegal Operation");
}

paranor
Worker
Joined: Aug 28, 2003
Posts: 227
Posted: Mon Apr 26, 2004 9:45 pm

Does Raven's hackattempt stop this, Chatserv?
I get confused as to what I should be adding where.

Raven
Posted: Mon Apr 26, 2004 9:50 pm

No. Mine is meant and directed at the UNION hack attempts. However, you can direct Chat's snippet to my hack script to get the IP information instead of just die().

chatserv
Posted: Mon Apr 26, 2004 9:55 pm

Code:
if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
    header("Location: hackattempt.php");
    exit(); // header() alone does not stop the script; without this the rest of admin.php still runs the request
}

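Added example, not from the thread: chatserv's check modelled in Python and run over a few constructed query strings, to show exactly what stristr() on $_SERVER["QUERY_STRING"] does and does not see. QUERY_STRING is the query part of the URL as the client sent it, before any percent-decoding, whereas $_GET (and register_globals) receive the decoded values; the decoded_params_block() function is my suggested variant that tests the decoded parameters instead, and is not part of the posted snippet. Neither version sees a POST body, so if admin.php takes its op from the request body as well, the same test has to be applied there too.

```python
from urllib.parse import parse_qs

# The two operation names chatserv's snippet matches (compared case-insensitively,
# as stristr() does).
BLOCKED_OPS = ("addauthor", "updateauthor")


def raw_query_string_blocks(query_string):
    """The posted check: stristr() over $_SERVER["QUERY_STRING"], i.e. the query
    string exactly as sent, before any percent-decoding."""
    qs = query_string.lower()
    return any(op in qs for op in BLOCKED_OPS)


def decoded_params_block(query_string):
    """Assumed hardening (not from the thread): apply the same test to every
    parameter value after decoding, which is what $_GET / register_globals
    actually hand admin.php."""
    for values in parse_qs(query_string, keep_blank_values=True).values():
        if any(op in v.lower() for v in values for op in BLOCKED_OPS):
            return True
    return False


# Constructed sample query strings, not captured traffic.
SAMPLE_QUERY_STRINGS = [
    "op=AddAuthor&add_name=x",    # literal, as the snippet expects
    "op=UPDATEauthor&aid=x",      # different case: stristr() is case-insensitive
    "op=%41ddAuthor&add_name=x",  # the 'A' percent-encoded: same op once PHP decodes it
    "op=reviews&id=3",            # legitimate request, must pass
]


def run_samples():
    """Returns {query_string: (raw check blocks it?, decoded check blocks it?)}."""
    return {qs: (raw_query_string_blocks(qs), decoded_params_block(qs))
            for qs in SAMPLE_QUERY_STRINGS}


if __name__ == "__main__":
    for qs, (raw, decoded) in run_samples().items():
        print(f"{qs:32} raw={raw!s:5} decoded={decoded}")
```

The third sample is the one to look at: the raw string never contains the text "AddAuthor", so the posted check lets it through, while the decoded op is identical to the first sample. Checking the decoded values closes that gap without changing what the snippet is meant to block.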
paranor
Posted: Mon Apr 26, 2004 9:56 pm

Ugh. Is there anything I can do to manage a nice organized list of what to patch, what covers what, what isn't in what, and when?
I've been gone for a few weeks and there is this new patch buried in an old post. Just thinking of a way to utilize Chatserv's and your talents best without having to keep track of things 24x7. :)

Raven
Posted: Mon Apr 26, 2004 10:02 pm

Money always works for me. How about you Chat :LOL:

paranor
Posted: Mon Apr 26, 2004 10:10 pm

lol. True! And thankfully my giving record speaks for itself - you guys are cheap and easy.
Seriously, I was thinking more of a single reference point.
In this case I think it would be something like:
??/??/?? 2.2 - Chatserv pack here (link)
??/??/?? 2.3 - Chatserv pack here (link)
04/??/04 - admin.php patch here (link)
05/01/04 - 2.4 - Chatserv pack here - includes all post 2.3 fixes.
And preferably the link for the source code does have 20 replies in it. That gets to be annoying reading, and what if there is a fix to the original code 21 replies later?
I'd be happy to help with that - it at least gives me something to contribute. And maybe I'll shaddup.

chatserv
Posted: Mon Apr 26, 2004 10:16 pm

chatserv
Posted: Mon Apr 26, 2004 10:34 pm

Quote:
> you guys are cheap and easy.

That sure does not help my messed up reputation. :lol: