Author |
Message |
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2496
|
Posted:
Thu Apr 29, 2004 7:36 am |
|
I don't know if it was the UT code or Fortress but I tried it on a test site and I couldn't post any News, Comments at all.
Anyone else seeing this? I haven't tried the original UT4 code by itself I guess I will try that next. |
|
|
|
 |
sixonetonoffun

|
Posted:
Thu Apr 29, 2004 7:41 am |
|
Well I went and checked the thread at NC it isn't just me  |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Thu Apr 29, 2004 7:52 am |
|
Nope. It's buggy which is what we've come to expect from NC anymore. All I know is that I see nothing but other people's 'technology' in it. Even my hackalert script has been doing that for months. With the exception of the base64 code which still doesn't have an exploit that I'm aware of so I don't know what all the brouhaha is about that. My hackalert script not only sends an email but it does the IP lookup for whois information. Another big claim is how the attacker won't even know he's been tracked. And that's important - why? Once again, my script will do that. Just comment out the code that displays the CAUGHT screen. Here's something else to consider. The code is stand-alone and read the license carefully. You can't even modify the code for your own purposes w/o written permission. P-L-E-A-S-E. He's done nothing but take other people's established and published code and restructured it. He's given it a name. And he's had to publish 2 fixes since it was announced late yesterday. The first was w/i minutes of the release. Oh well, let the lemmings follow. I actually think he got tired of even his own 'support' staff recommending my and chat's scripts in addition and/or instead of NC's. His ego couldn't handle it  |
|
|
|
 |
sting
Involved


Joined: Sep 23, 2003
Posts: 456
Location: Somewhere out there...
|
Posted:
Thu Apr 29, 2004 9:13 am |
|
Quote: | With the exception of the base64 code which still doesn't have an exploit that I'm aware of so I don't know what all the brouhaha is about that. |
We had a couple of sites that were hacked where the hackers left a nice little message explaining why Hack Alert did not work to protect them. The idiots actually told us how they did it by informing us that we (at NC) were 'stupid' because they could just use the base64 code to do the same thing. I laughed at the irony of them calling us stupid.
Quote: | You can't even modify the code for your own purposes w/o written permission. P-L-E-A-S-E. He's done nothing but take other people's established and published code and restructured it. He's given it a name. And he's had to publish 2 fixes since it was announced late yesterday. The first was w/i minutes of the release. Oh well, let the lemmings follow. |
You know what really gets me? The idea that NC is a free support site to the community. I don't know how much money any of you actually receive for housing these web sites. I know that with the bandwidth expenses I incur on smaller sites that actually do well, the expense has got to be up there. I commend both of you for giving out of pocket to better the community.
Zx has on more than one occasion, as have most people who are extremely active in the Open Source community, been burned by people taking an idea, a piece of code, or the entire thing and removing all trace of authorship. It sucks, and people react in different ways. Couple the expense, the frustration of feeling as though you have been taken advantage of, and add to it all of the when NC was up and down for two weeks and you have the current state of affairs.
I was blown away by people who complained the loudest in the forums and yet were not offering any constructive or realistic suggestions on how to fix the problem.
But the thing that gets me even more is the fact that the community is now being dragged through this whole state of affairs.
So here is my open plea to both of you, which I will post at NC as well.
Raven: When I first got into Nuke, you were the one person at NC I could rely on for any question I had, whether you knew it or not. Your code, your experience, and your straight answers propelled me forward by leaps and bounds, and I respected you (and still do) in the community for it.
ZX: You provided the single best central location for me to find the answer to any question I had, and to date still do. Like Raven, your code, your experience, and straight answers have also gotten me to where I am, and I have a great deal of respect for you as well.
You guys are pillars in the nuke community (add Chatserv and a couple of others in there as well - not trying to leave anyone out) and I personally am very grateful for all you both have done.
I honestly don't give a care who writes better code, who has the bigger ego, or whose stuff is the best. I found it really interesting that among some of the NC power users out there, the hybrid code I put together from the both of you was accepted so readily as the code of choice.
PLEASE put this behind you. PLEASE carry on any grievances privately.
PLEASE quit publicly addressing/accusing/bashing/ whatever you want to call it/ one another. (No arguments on this - you both are guilty of at least one of those.) It's an election year. We will get PLENTY of that very soon.
For the sake of the community, for the sake of my sanity, for the sake of the code.
You can't see it, but you guys are a lot better working together (even if working individually together for the community) than you are alone.
Just my ridiculous thoughts.
-sting |
|
|
 |
 |
Raven

|
Posted:
Thu Apr 29, 2004 9:20 am |
|
Sting wrote: | .... I don't know how much money any of you actually receive for housing these web sites... | I receive nothing and have always incurred the full cost. There are some who have given over the time that I have been here and I am thankful for all the support whether monetary or otherwise. |
|
|
|
 |
sixonetonoffun

|
Posted:
Thu Apr 29, 2004 2:24 pm |
|
Anyway I gave up on it, I had other places to be this am.
But anyway what I saw was 96-98% cpu hang so I removed it to allow me to get on to other things. Restarted Apache after removing the code and all was well again.
I was planning on testing the base 64 code initially but I'll leave it until there is a more stable release to test with. |
|
|
|
 |
sixonetonoffun

|
Posted:
Thu Apr 29, 2004 5:45 pm |
|
I just downloaded the latest beta (Here I go beta testing again)
Results
It loads
it misses JTIwVU5JT04lMjA=
So either it's broke or it's a myth that it catches base 64 encoding. |
|
|
|
 |
Raven

|
Posted:
Thu Apr 29, 2004 5:47 pm |
|
I should have copyrighted the $loc variable name. He didn't even bother to change it! Oh I know - that's just a coincidence. Any similarity to any code, dead or living, is strictly coincidence. But, as he said, he never cared to look at my code  |
|
|
|
 |
sixonetonoffun

|
Posted:
Thu Apr 29, 2004 7:20 pm |
|
Funniest part is it don't work, period. This should never have been released until it was working. Instead it was heralded as a great advance in internet security since the firewall. Pish-Posh shame on them. They fixed one bug with the title but it still puckers up and blows wind.
I'm really trying to be neutral and objective when testing this but OMG it's a blunder from the get go. Take the extra 24 hours and fix the freakin thing instead of releasing another broken POS beta. |
|
|
|
 |
Maku
New Member


Joined: Sep 24, 2003
Posts: 15
Location: Estonia
|
Posted:
Fri Apr 30, 2004 1:57 am |
|
I have a solution for the base64 exploit, or I think so. waraxe, who discovered this base64 exploit, wrote to me by PM a few days ago, asked whether I would like to secure my site, and posted code in the PM:
Open your mainfile.php and find:
Code:
    if (!ini_get("register_globals")) {
        import_request_variables('GPC');
    }
|
Add the code below after it:
Code:
    //------------------------------------------------------------
    // Smashing up the BroadCastMessage security bug...
    if(isset($p_msg))
    {
        unset($p_msg);
    }
    //############################################################
    //-- Cookie sanitize by Waraxe -------------------------------
    if(isset($admin))
    {
        $admin = base64_decode($admin);
        $admin = addslashes($admin);
        $admin = base64_encode($admin);
    }
    if(isset($user))
    {
        $user = base64_decode($user);
        $user = addslashes($user);
        $user = base64_encode($user);
    }
    //############################################################
|
And his comment:
This code should fix this base64 problem (single quotes from base64 string). So you now have a site 100% secured against the base64 exploit.
I don't really know whether this code helps or not, but I hope it helps.  |
|
|
|
 |
Raven

|
Posted:
Fri Apr 30, 2004 6:29 am |
|
Maku,
Did he send you the exploit itself? I need to see how the exploit is used. When I researched it, I was unable to reproduce anything. Please PM me the exploit. Thanks. |
|
|
|
 |
Maku

|
Posted:
Fri Apr 30, 2004 6:43 am |
|
No, he didn't write that part to me. I asked how I can test it or how I can be sure this code protects me, and he says this code works 100% and protects you and base64 problems are history now.....that's it. |
|
|
|
 |
Raven

|
Posted:
Fri Apr 30, 2004 6:47 am |
|
I understand about the cleansing code and that's been published before. Please ask him to either send you the exploit info or contact me. Thanks! |
|
|
|
 |
sixonetonoffun

|
Posted:
Fri Apr 30, 2004 6:51 am |
|
Thanks for sharing, Maku, I hadn't seen this yet. Seems simple and effective. Common sense prevails. I wonder if $cookie should also be gleamed into that?
$cookie[0] = intval($cookie[0]);
$cookie[1] = check_html($cookie[1], "nohtml");
This would protect a little in third party modules where we have no control over variable sanitization. Though I believe chatserv has provided similar patching in the core and default modules against this.
Comments? |
|
|
|
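An added example, not code from the thread or from PHP-Nuke, showing what the decode/addslashes/re-encode step posted by Maku and the per-field $cookie checks suggested above each do to a cookie value. The uid:name:hash layout, the sample value, the function names and the use of strip_tags() in place of check_html() are assumptions.

```php
<?php
// Added example; cookie layout and sample value are constructed.

/**
 * Waraxe-style sanitize: decode, escape quotes, re-encode.
 * Assumption: a value that is not valid base64 is rejected (null).
 */
function sanitize_b64_cookie(string $raw): ?string
{
    $decoded = base64_decode($raw, true);   // strict mode: false on bad input
    if ($decoded === false) {
        return null;
    }
    // addslashes() escapes ' " \ and NUL, which only helps where the
    // decoded value later lands inside a quoted SQL string.
    return base64_encode(addslashes($decoded));
}

/**
 * Per-field hardening in the spirit of the $cookie[0]/$cookie[1] lines.
 * strip_tags() stands in for check_html($x, "nohtml") (assumption).
 */
function harden_user_fields(string $sanitized): array
{
    $cookie = explode(':', base64_decode($sanitized));
    $cookie[0] = intval($cookie[0]);             // id used unquoted: force integer
    $cookie[1] = strip_tags($cookie[1] ?? '');   // name: no markup
    return $cookie;
}

// Constructed cookie with a stray quote in the id and name fields.
$raw = base64_encode("7' x:bob'<b>:0123abcd");

$clean  = sanitize_b64_cookie($raw);
$fields = harden_user_fields($clean);

echo "after sanitize: ", base64_decode($clean), "\n";
echo "id field:       "; var_dump($fields[0]);
echo "name field:     ", $fields[1], "\n";
echo "bad base64:     "; var_dump(sanitize_b64_cookie('not base64!'));
```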
 |
chatserv
Member Emeritus

Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
|
Posted:
Fri Apr 30, 2004 7:45 am |
|
|
|
 |
sixonetonoffun

|
Posted:
Fri Apr 30, 2004 8:05 am |
|
So we can look for 2.3b for the patched series soon? wink* |
|
|
|
 |
sixonetonoffun

|
Posted:
Fri Apr 30, 2004 8:11 am |
|
Actually all my tests have been on 2.3 april 14 so those fixes are there already, I imagine? I never got around to testing the base 64 code after that initial post. I tried the exploit posted and it failed, guess that's why huh? |
|
|
|
 |
chatserv

|
Posted:
Fri Apr 30, 2004 8:25 am |
|
2.3 was updated with this code and a fix or 2 on the same day |
|
|
|
 |
sixonetonoffun

|
Posted:
Fri Apr 30, 2004 8:38 am |
|
Ok crystal clear.
Summary: if you are running CS patched files 2.3 April 14 release, you're protected against the base 64 exploit. If you're not running the patched series you should consider doing so for this and other reasons.
Which goes back to the topic of the UNION exploits if you are running the files above you need only to replace the UNION code at the top of the mainfile.php to reflect the comments /* exploit changes posted here:
http://www.ravenphpscripts.com/postt1396.html#9170
Leave Fortress alone until they have all the buggies worked out at least. |
|
|
|
 |
chatserv

|
Posted:
Fri Apr 30, 2004 8:54 am |
|
On that note, if you are using the latest version of PHP-Nuke Patched do what I do: combine it with HackAlert. Simply open mainfile.php and find:
Code:
    $checkdaurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net
    if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: index.php");
|
Change to:
Code:
    $checkdaurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net
    if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php?$loc");
|
|
|
|
|
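The check quoted above computes $checkdaurl but then tests the raw QUERY_STRING for the literal '%20union%20', so neither the comment-stripped form nor the base64 string quoted earlier in the thread can match it. The following is an added example, not code from the thread or from any script it discusses, of a check that inspects the decoded forms instead; it goes beyond the posted one-liner, and the function names and sample query strings are assumptions.

```php
<?php
// Added example; function names and sample queries are constructed.

/** Return every decoded form of a query string that a filter should inspect. */
function candidate_forms(string $query): array
{
    $forms = [rawurldecode($query)];
    parse_str($query, $params);                   // parse_str() URL-decodes values
    foreach ($params as $value) {
        if (!is_string($value)) {
            continue;                             // array parameters skipped here
        }
        $decoded = base64_decode($value, true);   // strict: false if not base64
        if ($decoded !== false && $decoded !== '') {
            $forms[] = rawurldecode($decoded);
        }
    }
    return $forms;
}

/** True when any decoded form contains UNION as a standalone word. */
function looks_like_union(string $query): bool
{
    foreach (candidate_forms($query) as $form) {
        // Replace SQL comments with a space so they cannot hide word breaks.
        $form = preg_replace('#/\*.*?\*/#s', ' ', $form);
        if (preg_match('/\bunion\b/i', $form)) {
            return true;
        }
    }
    return false;
}

// Constructed query strings; the base64 value is the one quoted in the thread.
$samples = [
    'name=News&sid=1%20union%20x',
    'name=News&sid=1/**/UNION/**/x',
    'name=News&admin=JTIwVU5JT04lMjA=',
    'name=Search&query=class%20reunion',
    'name=Forums&file=viewtopic&t=1396',
];
foreach ($samples as $q) {
    printf("%-5s %s\n", looks_like_union($q) ? 'FLAG' : 'ok', $q);
}
```

A keyword check like this is a tripwire for logging and alerting; the cookie and query values still need escaping or integer casting where they reach SQL.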
 |
sixonetonoffun

|
Posted:
Fri Apr 30, 2004 9:08 am |
|
roflmao so the front page should really read
Updated 4/28/2004
instead of
Updated 4/1/2004 |
|
|
|
 |
chatserv

|
Posted:
Fri Apr 30, 2004 9:20 am |
|
Good point, i also think Raven needs to re-download them for the alternative links. |
|
|
|
 |
Raven

|
Posted:
Fri Apr 30, 2004 9:56 am |
|
I just added the alternate links this week so do they have everything they need or do i really need to redownload them? |
|
|
|
 |
chatserv

|
Posted:
Fri Apr 30, 2004 10:07 am |
|
Yes, i believe i applied some fix afterwards. Either way just to be sure... |
|
|
|
 |
chatserv

|
Posted:
Fri Apr 30, 2004 10:10 am |
|
Actually let me re-upload them as my local copy may be newer than the one on the server. |
|
|
|
 |
|