Posted: Fri Jun 01, 2007 6:47 pm Post subject: Security: "PHP-Nuke <= 8.0" (SecurityReason)
This deals with three seperate security releases from SecurityReason:
PHP-Nuke <= 8.0 Final (HTTP Referers) Remote SQL Injection Exploit
PHP-Nuke <= 8.0 Final (INSERT) Blind SQL Injection Exploit
PHP-Nuke <= 8.0 Final (INSERT) Remote SQL Injection Exploit
Two are standard injections. One is a brute force attack that hasn't been seen before, but it may be used more often when vulnerabilities are found. A suggested block is included:
While the advisoriy topic suggests that phpNuke 8.0 is not vulnerable, I don't believe it. There is no special protection in 8.0!
Please read and follow the suggested guidelines for your products
Not vulnerable...
UNLESS you are using the Patched 3.3 files and haven't updated since March 2007. There is a major fix in index.php
As new Patched versions haven't been released, only minor fixes to the Patched files have been done and not announced.
If you missed this change, here it is again
Code:
FILE: index.php
FIND
$result = $db->sql_query("INSERT INTO ".$prefix."_referer VALUES (NULL, '".$referer."')");
CHANGE TO
$result = $db->sql_query("INSERT INTO ".$prefix."_referer VALUES (NULL, '".addslashes($referer)."')");
See below for suggested code changes
Latest RavenNuke 2.10.01
is VULNERABLE
Please make this change
Code:
in index.php
FIND
$result = $db->sql_query('INSERT INTO '.$prefix.'_referer VALUES (NULL, \''.$referer.'\')');
CHANGE TO
$result = $db->sql_query('INSERT INTO '.$prefix.'_referer VALUES (NULL, \''.addslashes($referer).'\')');
See below for suggested code changes
----------------------
Suggested code changes
Given the brute force attack could be reused easily and not detected as a standard SQL attack, I suggest several blocks to be included to check for parts of code such as
Code:
SELECT IF
or
ASCII(SUBSTRING(
or
BENCHMARK(
You can add these using Nuke Sentinel's string blocker .. or if not using that, within phpNuke's mainfile.php
Code:
in mainfile.php
FIND
if ((!isset($admin) OR (isset($admin) AND !is_admin($admin))) AND (stristr($postString,
IN,LINE FIND (at end)
) {
REPLACE WITH
OR (stristr($postString,'SELECT IF')) OR (stristr($postString_64,'SELECT IF')) OR (stristr($postString,'ASCII(SUBSTRING(')) OR (stristr($postString_64,'ASCII(SUBSTRING(')) OR (stristr($postString,'BENCHMARK(')) OR (stristr($postString_64,'BENCHMARK(')) ) {
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
![Welcome to Evaders Squadron Coding [ESC]](themes/Onset/images/esc_reflect.png)
