Author |
Message |
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Tue Jun 08, 2004 6:47 am |
|
We are aware that some new exploits/advisories have been issued concerning phpnuke and we are looking into those reports right now. If we find that they are legitimate, we will determine a solution and will make it/them available ASAP. |
|
Scribbles
Client
Joined: Feb 09, 2004
Posts: 8
|
Posted:
Tue Jun 08, 2004 7:36 pm |
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Fri Oct 08, 2004 6:36 pm |
|
Are we talking about the possible new exploits to the new nuke 7.5 Admin area?
If so, it is nice to know that FB is still releasing insecure code for others to fix.
I don't want to get into a flaming war here (not today anyway I have a headache) but can anyone tell me if FB actually does any vulnerability checking before releasing new code or updated code?
Looking forward to any posted fixes so I can breathe a sigh of relief. |
|
Raven
|
Posted:
Fri Oct 08, 2004 8:43 pm |
|
The original post is from June 8, 2004. Those items were fixed immediately. As a matter of fact, we had some of them fixed before they ever went public as they were variations on a theme. ![RavensScripts](modules/Forums/images/smiles/ravensphpscripts.gif) |
|
hozay
New Member
Joined: Dec 05, 2004
Posts: 19
|
Posted:
Sun Dec 12, 2004 1:44 am |
|
LOL that's the cutest.. funniest little emoticon/avatar I have ever seen lol
good luck and from all the php users... thnx for looking out for us ![Very Happy](modules/Forums/images/smiles/icon_biggrin.gif) |
|
j_felosi
Regular
Joined: Oct 17, 2005
Posts: 51
|
Posted:
Sun Oct 23, 2005 6:07 pm |
|
phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit
http://zone-h.org/en/advisories/read/id=8304/
There is a new advisory for phpbb 2.017. I do not know if this affects the bb2nuke. Also most people have remote avatar uploading disabled. Might be worth a look see.
Sorry if this is the wrong place to post this. I had seen this thread and figured it was for security advisories |
|
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
|
Posted:
Sun Oct 23, 2005 9:47 pm |
|
This has been a known problem for a great deal of time. The fact is, webmasters should have that feature turned off for a variety of reasons, but the major reason being vulnerabilities.
Simply go to Forum Admin/General Configuration and disable "Enable remote avatars" to solve this problem.
If people want to have an avatar, they can pick one from the gallery or upload one. You shouldn't need to remote feed one in the first place. |
_________________ Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance. |
|
j_felosi
|
Posted:
Mon Oct 24, 2005 12:26 am |
|
Yes, I've always had them disabled cause I provide a huge archive and if someone wanted one of their own I had them email it to me, part of the reason for the huge galleries. Well, I think in that report it said that phpbb will be upgrading to 2.018 soon. If it's just over that small vulnerability then I wouldn't even bother upgrading. |
|
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
|
Posted:
Mon Oct 24, 2005 3:27 am |
|
64bitguy wrote: | If people want to have an avatar, they can... upload one... |
It's 2:30AM here, and my eyes are getting tired, so maybe I'm misreading the advisory, but this seems to be a *new* XSS-like exploit involving HTML code masquerading as avatars being uploaded to phpBB web boards (all versions), with visitors running Internet Explorer (all versions) as the intended victims. It could be used to steal cookie info and send it to a remote location.
http://seclists.org/lists/fulldisclosure/2005/Oct/0494.html
That's a new one to me... Am I reading this all wrong? |
_________________ .:: "The further in you go, the bigger it gets!" ::.
|
64bitguy
|
Posted:
Mon Oct 24, 2005 10:10 am |
|
No, it is an OLD exploit relating to people running a REMOTE avatar. Hence the XSS like vulnerability. Uploading the file from a "browsed" local path is totally different and is NOT exposed to any vulnerability because you can't browse an http address.
Again, if you disable remote loading, there is no problem |
|
j_felosi
|
Posted:
Mon Oct 24, 2005 11:08 am |
|
I've seen there is a new one for nuke 7.8 too now, it says for Nuke 7.8 with all security fixes and patches, probably earlier. Glad I listened to you and went with 7.6. The exploit has union strings all in it so I'm sure sentinel will take care of it
http://www.milw0rm.com/id.php?id=1270
or
http://forum.zone-h.org/viewtopic.php?t=4174
I think the whole nuke community is tired of hearing about 7.7-7.9
I have tried the 7.9 and 7.8 and I like my 7.6 the best, I can go to bed and rest easier at night with it.
It seems to me a lot of people don't know about the admin ip lock that was released at platinummods. I took the one from evo and used it for ranges. It's a big help and a big assurance that even if your site was compromised nothing could be done because when they got the admin page they would just see an invalid ip message. It's a real easy mod to add and I use it on modules/forums/admin/pagestart.php, admin.php, and your account/admin.php. I posted it on techno's site for him to look at and maybe make better instructions..lol
Here it is
http://www.platinummods.com/modules.php?name=Forums&file=viewtopic&t=1662
I've shared this with a lot of friends, it may be a good download to add. |
|
64bitguy
|
Posted:
Mon Oct 24, 2005 12:21 pm |
|
The exploit that you describe is protected by NukeSentinel. Several people have been trying to run that exact exploit against my 7.8 after-patched domain to no avail.
Also, I should point out that while I really like the Platinummods IP address validation function, if you have NukeSentinel's second layer of password protection on your admin file (CGI Authentication) you shouldn't really need another layer of protection, but I guess you can never be too careful now can you? |
|
j_felosi
|
Posted:
Mon Oct 24, 2005 12:56 pm |
|
No I have the http auth, always had problems from the cgi auth plus I thought it might mess up my ip deny on cpanel. But I think with the http auth with one real good password and then your admin with a different real good password, and then the ip lock. I feel safe. I'm a stickler for passwords, I've attempted to crack my hash numerous times but none of the online ones would. And yes I love that about nuke sentinel, but that was another reason I ditched the platinum over an old hash exposing exploit because I look at nukesentinel as a protection against unknown threats and against people who try so it will ban them. I feel better knowing that the nuke itself is protected against all known exploits. |
|
VinDSL
|
Posted:
Mon Oct 24, 2005 6:48 pm |
|
64bitguy wrote: | No, it is an OLD exploit relating to people running a REMOTE avatar. Hence the XSS like vulnerability. Uploading the file from a "browsed" local path is totally different and is NOT exposed to any vulnerability... |
Hrm...
I guess this is what confuses me...
The way I'm reading it, the perp has to UPLOAD the avatar to phpBB, but it doesn't work if they do it from their local machine (as you said). However, it DOES work if they UPLOAD it to phpBB from a remote HTTP server.
It's a subtle difference, but still requires uploading an avatar to phpBB, to my way of understanding... ![Wink](modules/Forums/images/smiles/icon_wink.gif) |
|
64bitguy
|
Posted:
Tue Oct 25, 2005 12:40 am |
|
Well, again.. that is why I said to disable that function which eliminates the vulnerability. |
|
izone
Involved
Joined: Sep 07, 2004
Posts: 354
Location: Sweden
|
Posted:
Tue Oct 25, 2005 2:38 pm |
|
Talking about Exploit, I have seen this one against Weblinks and Downloads modules today. It will be great if you could say how to fix this one.
http://securityfocus.com/bid/15178/exploit
or how worried we should be about it? |
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Tue Oct 25, 2005 3:09 pm |
|
I cannot exploit it in the latest Patched files. It looks fixed to me.
SecurityFocus really should put a link to the Patched files. I tried to email them once, but all I got was spam back. |
|
j_felosi
|
Posted:
Tue Oct 25, 2005 6:58 pm |
|
I'm moderator at zone-h forum and publish news sometimes there. I have not linked the patch files for the new 7.8 exploit yet cause they say that it's actually for 7.8 with all fixes. So in the matter of 7.7-7.9 exploits I just advise people to go to the patched 7.6 with NukeSentinel. If you get some free time Evaders, come check out zone-h.org in the forums where the public exploits are posted and perhaps leave a link or two to some fixes. I can also post the link to the fixes in the advisory section. |
|
evaders99
|
Posted:
Tue Oct 25, 2005 8:30 pm |
|
j_felosi
|
Posted:
Tue Oct 25, 2005 9:46 pm |
|
http://forum.zone-h.org/index.php
I'll ask the head admin if it's ok to go ahead and post the fixes in the advisories but for now I'll post them in the forums. We get a lot of nuke users coming through but lately most have abandoned it. Truth is sites like ours and securityfocus give nuke such a bad name, they tell people don't use it no matter what. And now you got people writing the exploits for the patched 7.7-7.9 and then that looks even worse cause people think that since those are later versions they must be more secure than the older ones. We know that is wrong but most people don't. |
|
evaders99
|
Posted:
Wed Oct 26, 2005 1:27 pm |
|
Agreed - part of the problem is that people don't update their sites as they should. Most people only bother after they've been hacked.. a reactive response, rather than updating as a proactive measure.
Second, the Patched files need to be updated constantly, reliably. And needs to draw a bigger user base as the first thing to do after installing phpNuke. I'm trying some things on my site to draw attention to the changes, and get proper patches distributed. It updates packages from the CVS every 24 hrs, so people will always get the latest download.
http://evaders.swrebellion.com
Do people need these individual fixes as code? Or can we just point them to the Patched files? |
|
j_felosi
|
Posted:
Wed Oct 26, 2005 2:33 pm |
|
I'll just post a link or the code, it don't matter, we have already started this with linux, phpmyadmin, other cms, so might as well do all we can for nuke. I want to destroy the illusion of phpnuke being so insecure which I have in fact shown my 7.6 site is secure, but among the security community you say phpnuke and people automatically say don't do nuke, it's so bad and all that. Like I said before people think cause there are so many exploits out for patched 7.8-7.9 that all nuke must be even worse cause these are the latest versions. People have to realize you can have a secure nuke site but I always recommend chatserv's 7.6, the one here with the patch files already done. |
|
jaiib
New Member
Joined: Apr 06, 2007
Posts: 11
Location: India
|
Posted:
Wed Nov 21, 2007 8:51 am |
|
Dear Sir,
Our website http://www.jaiib.org/index.php is hacked by someone,
They have changed my admin password also,
How can I get our site as previous seen,
Plz urgent guide me,
how can I remove their banner in front of our website
They Have Written that Text in Our JAIIB SITE
*********************************************************
.....:.:.:.:::: :: ::N:::E:: :::::.:.:.:......
Pwned
Pnwed By Lucky & Brett
!!..Secure Your s**t..!!
Server security = %0
Secure Hosting = www.DataTech-Hosting.com
*********************************************************
Guide me How can I remove this and start as previous seen site
Thanks
http://www.jaiib.org/index.php |
_________________ Best Regards
JAIIB TEAM |
|
Raven
|
Posted:
Wed Nov 21, 2007 9:16 am |
|
Use phpMyAdmin and edit the CONFIG table. Look for the 3 footer fields. That's normally where they put this crap. Then, edit your USERS table and change your password. Be sure to select the MD5 encryption from the select box right beside where you type in your new password before saving. Then edit your AUTHORS table. Delete any admin record which is in there that doesn't belong. Then change your password the same way as you did your user name password. That should allow you to restore your site but it does nothing to stop them from doing it again unless they just happened to guess your id and password which is possible but unlikely.
If you do not have NukeSentinel(tm) installed I'd recommend getting it installed immediately. If you do not know how they broke in to your site then you will need to scour over your server access and error logs to try to figure it out.
What version of nuke are you using?
Is it up to the current patch level of 3.2 or 3.3?
What third party add-ons are you using? |
|
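One way to start the access-log review described in the post above, as an added example (not part of the original thread and not NukeSentinel's code): a small Python pass over an Apache combined-format log that flags query strings containing UNION SELECT, the pattern mentioned earlier in the thread, and admin.php requests from addresses outside a known-admin list. The log format, the regex heuristics, the `admin_ips` parameter and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Heuristic (assumption): UNION [ALL] SELECT, padded with whitespace or /**/.
PAD = r'(?:\s|/\*.*?\*/)+'
SQLI_RE = re.compile(r'union' + PAD + r'(?:all' + PAD + r')?select', re.I | re.S)
ADMIN_RE = re.compile(r'(?:^|/)admin\.php$', re.I)

def decode(target, rounds=2):
    """URL-decode twice so double-encoded query strings are inspected too."""
    for _ in range(rounds):
        target = unquote_plus(target)
    return target

def triage(lines, admin_ips=frozenset()):
    """Return (ip, time, reason, raw_target) for each request worth reviewing."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, when, _method, target, _status = m.groups()
        path, _, query = decode(target).partition('?')
        if SQLI_RE.search(query):
            findings.append((ip, when, 'union-select in query string', target))
        elif ADMIN_RE.search(path) and ip not in admin_ips:
            findings.append((ip, when, 'admin.php from unknown IP', target))
    return findings

# Constructed sample lines (documentation IP ranges, hypothetical module name).
SAMPLE = [
    '198.51.100.7 - - [21/Nov/2007:03:10:01 +0000] "POST /admin.php HTTP/1.1" 200 2301 "-" "-"',
    '203.0.113.9 - - [21/Nov/2007:03:14:02 +0000] "GET /modules.php?name=Example&id=1%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2F1 HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.9 - - [21/Nov/2007:03:15:40 +0000] "POST /admin.php HTTP/1.1" 200 2301 "-" "-"',
    '192.0.2.44 - - [21/Nov/2007:03:20:11 +0000] "GET /modules.php?name=Example&id=7 HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == '__main__':
    for hit in triage(SAMPLE, admin_ips={'198.51.100.7'}):
        print(*hit, sep=' | ')
```

The hits give an address and a time window to follow through the rest of the access and error logs; they are leads for review, not proof of how the break-in happened.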