Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Thu Feb 05, 2004 6:10 am

Sites are being exposed even as I write this! This is still in 7.0 and 7.1. Check your modules/Reviews/index.php file for the following code. There should be 2 instances.
WHERE id=$id
If you have it, then you MUST modify it to
WHERE id='$id'
Otherwise your admin passwords can be exposed. They are still encrypted, but depending on how serious someone was to get them, they might! Please note that Chatserv's patches have this fix in them, but FB should have patched his releases by now and hasn't!
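As an added illustration (not PHP-Nuke's own code and not Raven's), here is a Python model of what the `id` value of a showcontent request becomes under the unquoted `WHERE id=$id`, under the quoted `WHERE id='$id'` fix above, and under a strict integer check; the query skeleton, table name and helper functions are stand-ins, and the test URL is the one southern quotes later in this thread.

```python
"""Added example (not PHP-Nuke's own code): what the Reviews 'id' value does to
the SQL text under the unquoted form, the quoted fix recommended above, and a
strict integer check. The query skeleton is a stand-in, not the real module's."""
import re
from urllib.parse import parse_qs, urlsplit

# The test request southern quotes later in this thread.
TEST_URL = ("http://mysite/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION"
            "%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name"
            "%20FROM%20nuke_authors")


def id_from_url(url: str) -> str:
    """Return the decoded 'id' parameter, i.e. what PHP's $id would contain."""
    return parse_qs(urlsplit(url).query)["id"][0]


def query_unquoted(id_value: str) -> str:
    # Vulnerable pattern from the post: WHERE id=$id splices the raw value into SQL.
    return f"SELECT * FROM nuke_reviews WHERE id={id_value}"


def query_quoted(id_value: str) -> str:
    # The fix posted above: WHERE id='$id'. The value now sits inside a string
    # literal, so the UNION text is data rather than SQL, provided no unescaped
    # quote character can reach this point.
    return f"SELECT * FROM nuke_reviews WHERE id='{id_value}'"


def query_validated(id_value: str) -> str:
    # Stricter option (my addition): a review id must be an integer, so anything
    # else is rejected before any SQL text is built at all.
    if not re.fullmatch(r"-?\d+", id_value):
        raise ValueError(f"rejected non-integer review id: {id_value!r}")
    return f"SELECT * FROM nuke_reviews WHERE id={int(id_value)}"


def injects_union(sql: str) -> bool:
    """True when a UNION keyword appears outside every single-quoted literal."""
    outside = re.sub(r"'[^']*'", "''", sql)  # blank out quoted literals first
    return re.search(r"\bUNION\b", outside, re.IGNORECASE) is not None


if __name__ == "__main__":
    injected = id_from_url(TEST_URL)
    print("unquoted :", injects_union(query_unquoted(injected)))   # True
    print("quoted   :", injects_union(query_quoted(injected)))     # False
    print("validated:", query_validated("17"))
```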

Raven
Posted: Thu Feb 05, 2004 6:13 am

This particular injection depends on MySQL v4.x being installed. V4.x allows for the SQL UNION operator. In addition to Chat's fixes, you can add a line of code like this to the top of includes/my_header.php:
Code:
// Match ' union ' (as %20union%20, case-insensitive) in the raw query string.
// exit() is needed after the redirect header: without it PHP keeps running the
// rest of the page, and the injected query, even though a Location header was sent.
if (stristr($_SERVER["QUERY_STRING"], '%20union%20')) { header("Location: hack.php/"); exit; }

Of course hack.php could be any page you want. You could make it email you or whatever.
[Admin edit: mainfile.php is a better place for this code]
Last edited by Raven on Thu Feb 05, 2004 3:05 pm; edited 1 time in total |

chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
Posted: Thu Feb 05, 2004 7:02 am

Or you can add to the top of header.php:
Code:
$checktheurl = $_SERVER['REQUEST_URI'];
// Case-sensitive match for UNION anywhere in the request path or query string
if (preg_match("/UNION/", $checktheurl)) {
    echo "die";
    exit;
}

[Admin edit: mainfile.php is a better place for this code]

Raven
Posted: Thu Feb 05, 2004 8:00 am

chatserv wrote:
> Or you can add to the top of header.php:
> Code:
> $checktheurl = $_SERVER['REQUEST_URI'];
> if (preg_match("/UNION/", "$checktheurl")) {
>     echo "die";
>     exit;
> }

This way would kill a domain name that had 'union' in the name as well as 'union' as a parameter, I believe. That's why I opted for the other approach. I also am using this in my .htaccess:
Code:
# Case-insensitive ([NC]) match against the raw query string; on a hit, redirect
# the request to /hack.php/ ([R]) and stop processing further rules ([L]).
RewriteCond %{QUERY_STRING} "\%20union\%20select" [NC]
RewriteRule ^.*$ /hack.php/ [NC,L,R]

It seems to work in all my testing thus far.

chatserv
Posted: Thu Feb 05, 2004 8:09 am

Makes sense, in that case I'd make it:
Code:
// Same %20union%20 test on the raw query string, but stop with a message
// instead of redirecting, so no extra file is needed.
if (stristr($_SERVER["QUERY_STRING"], '%20union%20')) {
    echo "die";
    exit;
}

The only difference is that no file needs to be created.

wraith
Client
Joined: Sep 13, 2003
Posts: 6
Posted: Thu Feb 05, 2004 10:10 am

I have done "Security Advisory: PHP-Nuke Patched 2.1" by chatserv and SFP also by chatserv, both dated 2004-02-04.
Is this enough or do I need to do more?
And what?
(running 6.8)
//wraith

luchtzak
New Member
Joined: Jan 01, 2004
Posts: 3
Posted: Thu Feb 05, 2004 10:13 am

chatserv wrote:
> Makes sense, in that case I'd make it:
> Code:
> if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
>     echo "die";
>     exit;
> }
>
> The only difference is that no file needs to be created.

I applied this small patch; am I kinda safe now with this security issue?
greetings,
Bart

chatserv
Posted: Thu Feb 05, 2004 11:31 am

Any of the variants detailed by Raven and myself will stop the attack that has been described in the past few days. Of course, it is always best to add validation to all variables and not just the ones that get hacked. Raven knows this has been done, but we can't do anything about having them incorporated into the dev pack; some have been, with luck all others will be too.

chatserv
Posted: Thu Feb 05, 2004 11:34 am

wraith wrote:
> I have done "Security Advisory: PHP-Nuke Patched 2.1" by chatserv and SFP also by chatserv, both dated 2004-02-04.
> Is this enough or do I need to do more?
> And what?
> (running 6.8)

The sec-fix patches are designed to either fix bugs or patch vulnerabilities while altering the core files as little as possible. PHP-Nuke Patched, on the other hand, attempts to patch all likely vulnerabilities and changes the abstraction layer on all files to match the new one. If using PNP you don't need any of the sec-fix patches.

southern
Client
Joined: Jan 29, 2004
Posts: 624
Posted: Thu Feb 05, 2004 11:40 am

Thanks Raven and chatserv. I put in the WHERE in modules/Reviews/index.php, the .htaccess and the my_header.php fixes, and I just get the single word 'die' when I run the test:
http://mysite/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors
How might I change this to a redirect to, say, the FBI site? Also, does the %20 part affect the fixes?
Last edited by southern on Thu Feb 19, 2004 12:02 pm; edited 1 time in total |

Raven
Posted: Thu Feb 05, 2004 11:45 am

Chat's will display 'die'. Mine will redirect to wherever you want. The %20 is very important. It translates to a space.
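To compare the three filters discussed in this thread side by side, here is an added Python model (not code from PHP-Nuke or from either poster) of Raven's my_header.php check, chatserv's header.php check and Raven's .htaccess rule; the `evaluate` function and every sample request other than the test URL quoted above are constructed for this example.

```python
"""Added example (not PHP-Nuke code and not any poster's): Python re-statements of
the three request filters in this thread, run side by side on constructed requests
so their matching behaviour can be compared."""
import re
from urllib.parse import urlsplit


def my_header_check(query_string: str) -> bool:
    # Raven: stristr($_SERVER["QUERY_STRING"], '%20union%20') -> case-insensitive
    # substring match on the RAW, still percent-encoded, query string.
    return "%20union%20" in query_string.lower()


def header_php_check(request_uri: str) -> bool:
    # chatserv: preg_match("/UNION/", $_SERVER['REQUEST_URI']) -> case-SENSITIVE
    # match on the path plus the query string, still in encoded form.
    return re.search(r"UNION", request_uri) is not None


def htaccess_check(query_string: str) -> bool:
    # Raven: RewriteCond %{QUERY_STRING} "\%20union\%20select" [NC] -> [NC] makes
    # it case-insensitive, and 'select' must follow, which narrows it.
    return re.search(r"%20union%20select", query_string, re.IGNORECASE) is not None


def evaluate(request_uri: str) -> dict:
    """Run all three checks on one request (path?query) and report which fire."""
    query_string = urlsplit(request_uri).query  # left encoded, like PHP's QUERY_STRING
    return {
        "my_header": my_header_check(query_string),
        "header_php": header_php_check(request_uri),
        "htaccess": htaccess_check(query_string),
    }


# Constructed samples: the test request quoted in the thread, the same request with
# its keywords in lower case, a legitimate search containing the word UNION, and an
# ordinary review request that should pass untouched.
SAMPLES = {
    "thread_test": ("/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT"
                    "%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors"),
    "benign_search": "/modules.php?name=Search&query=CREDIT%20UNION%20RATES",
    "normal": "/modules.php?name=Reviews&rop=showcontent&id=12",
}
SAMPLES["lowercase"] = SAMPLES["thread_test"].lower()

if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(f"{label:14} {evaluate(uri)}")
```

The benign search sample shows both space-delimited 'union' checks firing on an ordinary search, while the .htaccess rule, which also needs 'select', stays quiet; the lower-case sample is the case the [NC] flag and stristr exist to cover.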

southern
Posted: Thu Feb 05, 2004 12:58 pm

I changed the die to another message, but how do I redirect to some other site or have it email me? Is that in the .htaccess or in the my_header? Does the .htaccess conflict with chatserv's 'die', since the former calls a hack.php and the latter doesn't?

Raven
Posted: Thu Feb 05, 2004 1:31 pm

.htaccess is processed before it ever reaches your web page.
To redirect to another site, just replace hack.php with http://some-other-site.com/somepage.php.
Here is the type of command you could use to email yourself
I will be publishing more detail on the script I use a little later.

southern
Posted: Thu Feb 05, 2004 1:42 pm

Thanks Raven. :)

Raven
Posted: Thu Feb 05, 2004 3:04 pm

It has been concluded that mainfile.php is a better place for the code that we suggested in header.php. I have edited the other posts.

southern
Posted: Thu Feb 05, 2004 3:23 pm

Should the code be removed from my_header or does it matter?

Raven
Posted: Thu Feb 05, 2004 3:26 pm

It doesn't matter. I am leaving mine in, in the event someone finds a mod that uses header and not mainfile. Probably won't happen, and it is a few microseconds of overhead.

blith
Client
Joined: Jul 18, 2003
Posts: 977
Posted: Thu Feb 05, 2004 3:31 pm

Where in the mainfile should we put this? Thanks.

Raven
Posted: Thu Feb 05, 2004 3:33 pm


southern
Posted: Thu Feb 05, 2004 3:41 pm

Works in mainfile, too, though the 'scram, miscreant' I have lacks a certain... something...

Raven
Posted: Thu Feb 05, 2004 3:43 pm

Try the hack on my site and see if you like mine.

southern
Posted: Thu Feb 05, 2004 3:55 pm

Well, dang... I ne'er knew you felt that way about me. That's a bunch better than mine!

Raven
Posted: Thu Feb 05, 2004 4:12 pm

Try it again. Your attempt revealed a lookup issue in my code. It should be fixed now.

southern
Posted: Thu Feb 05, 2004 4:25 pm

OK... port 4719... but I hope you aren't sending an email to the FBI with my info. :)

Raven
Posted: Thu Feb 05, 2004 4:26 pm