NukeCops  
Advisory: PHP-Nuke UNION SQL Injections
Bug Fixes

The Nuke Cops Beta 3 release of Union Tap has so far been tested by PHP-Nuke admins with great success. This code patches all SQL injections based on "UNION" that are delivered via a URL query string. If you are running MySQL 4 or higher, this code is a must to protect your precious portal investment. It resides here and is about to go gold. Why does this patch matter more than all the rest?

Using the magic of simple regular expressions (regex), it catches any instance of the word "Union", whatever its capitalisation, in both plaintext and Base64. Union Tap is not just the first patch to catch Base64 UNION injection attempts; it is also the first to decode percent-encoded ("%XX") characters in the raw URL before checking it.

False positives are all but eliminated. Security is about adding the best layered protection possible, and if you must run MySQL 4, Union Tap provides the extra depth of defence that is needed.

Union Tap also takes another step beyond traditional security patches: it takes into account the possibility that your site runs with REGISTER_GLOBALS enabled. If your portal uses this PHP setting, Union Tap protects you from possible variable injections.

This leaves us with a multi-faceted injection-stopping patch: Union Tap.

Here is the code:

<?php
//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
// Clear both variables first, so a value pre-seeded through REGISTER_GLOBALS cannot survive into the check below.
unset($matches);
unset($loc);
// Decode %XX sequences in the raw query string, then look for five consecutive characters drawn from
// the letters of "union"/"UNION" and of their Base64 encodings, followed by a space.
if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$_SERVER["QUERY_STRING"]), $matches)) {
    die("YOU ARE SLAPPED BY <a href=\"http://nukecops.com\">NUKECOPS</a> BY USING '$matches[1]' INSIDE '$loc'.");
}
?>
Posted on Tuesday, April 27 @ 14:01:24 CEST by Zhen-Xjell
Re: Advisory: PHP-Nuke UNION SQL Injections (Score: 1)
by inkydink1234 on Tuesday, April 27 @ 16:07:57 CEST
(User Info | Send a Message)
Your arrogance in announcing your 'fixes' is disgraceful. This one tops them all, for sure. Especially in light of the fact that it doesn't, as claimed, "catch any instance of the word 'Union' no matter its case-sensitive appeal in both plaintext". I'll get to that in a minute. I have yet to find anywhere else on the Internet a site that offers support with a webmaster who draws attention to himself the way that you do. Regardless of what 'camp' someone is in, these self-exalting announcements are terrible. Chatserv pretty much keeps all Nuke sites security-clean with his fixes and patches. Never once have I seen any attempt to exalt himself. But you know what? Others respect him without self-exaltation, and because his fixes work without several iterations. There are many others who also do their service for the community and let their work speak for them.

Now, onto the proof. Your miracle fix does absolutely nothing to trap the U/**/NION exploit. I have tested all manner of iterations and it sails right past. And encoding it makes it even more fun :).

Do us a favor and just post your code like everyone else and let it stand on its merit. BTW, someone else's UNION patch works. That's how I discovered that yours doesn't.
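As an added illustration (not code from the advisory or from either poster), the Beta 3 check ported to Python as a testable function and run over constructed query strings: the plain, upper-case and percent-encoded forms the article says it catches, the inline-comment form the reply above describes, and a benign query that happens to contain a run of the class letters.

```python
import re
from urllib.parse import unquote

# Hypothetical test harness: a port of the Union Tap Beta 3 preg_match() call.
# The character class holds the letters of "union"/"UNION" and of their
# Base64 encodings ("dW5pb24=", "VU5JT04="); five of them in a row followed
# by a literal space trips the check.
UNION_TAP = re.compile(r"([OdWo5NIbpuU4V2iJT0n]{5}) ")


def union_tap(query_string: str):
    """Return the 5-character run the filter would block on, or None."""
    # PHP's rawurldecode() decodes %XX but leaves '+' alone; unquote() does the same.
    decoded = unquote(query_string)
    m = UNION_TAP.search(decoded)
    return m.group(1) if m else None


# Constructed query strings (not taken from the page).
CASES = {
    "blocked_plain":   "sid=1%20union%20select%201",      # caught on "union"
    "blocked_upper":   "sid=1%20UNION%20SELECT%201",      # caught on "UNION"
    "blocked_percent": "sid=1%20%55nion%20select%201",    # %55 decodes to 'U', caught
    "bypass_comment":  "sid=1%20U/**/NION%20SELECT%201",  # '/' breaks the run: not caught
    "false_positive":  "title=Public%20Opinion%20Poll",   # "inion " is five class letters
    "benign":          "name=Main%20Story",                # not caught
}


def run_cases():
    """Map each case name to what the filter would block on (None = passes)."""
    return {name: union_tap(qs) for name, qs in CASES.items()}


if __name__ == "__main__":
    for name, hit in run_cases().items():
        print(f"{name:16s} -> {'BLOCK on ' + repr(hit) if hit else 'pass'}")
```

The "false_positive" and "bypass_comment" rows together show the limit of a blocklist regex: it keys on a fixed spelling of the keyword rather than on how the database would parse the input.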

