ATTENTION - PHP-Nuke Security Hole
SecurityProphet writes "Today I have found a big security hole in PHP-Nuke which can easily allow a hacker complete control of almost any PHP-Nuke website.

This is a critical security flaw!

I strongly advise at this time that ALL PHP-NUKE WEBSITES SHOULD DISABLE OFFSITE AVATARS!

That is currently the easiest and fastest protection.

If you currently have this feature enabled your website is at serious risk!

I will not go into detail about how an exploit is possible at this time.

Admin Note: I've expanded on this fix and I am testing it currently here. Thanxs Prophet! - Evaders99 "
Posted on Friday, December 16 @ 12:41:33 CET by VinDSL
 

Re: ATTENTION - PHP-Nuke Security Hole (Score: 1)
by Prophet on Friday, December 16 @ 13:03:51 CET
http://jasonlau.biz
Okay, I have been doing some serious testing on this and found that this vulnerability only affects the offsite avatar linking in the Your_Account module. The forum profile form does not seem to be affected. I am testing this in version 7.8. I'll keep you updated.



Re: ATTENTION - PHP-Nuke Security Hole (Score: 1)
by Prophet on Friday, December 16 @ 15:23:55 CET
http://jasonlau.biz
I posted a patch at the following thread: http://www.nukecops.com/postitle49971-0-0-.html



Re: ATTENTION - PHP-Nuke Security Hole (Score: 1)
by Prophet on Saturday, December 17 @ 10:57:44 CET
http://jasonlau.biz
Sorry for being vague. I don't think it's wise to say exactly what the vulnerability is before a good patch is released. I wasn't able to put much time in it, but I did get a quick patch together. Thanks Evaders99, for cleaning it up.

I've already had a few people ask me if this is something to be that concerned about.
Well, I think it's very important that (if you intend on using offsite avatar linking - many do) you take this seriously and patch the file - especially now that the vulnerability is known. Every two-bit hacker is going to be looking for websites that aren't patched.

Basically, when a user submits a link to an avatar, the link is not validated at all. This allows the person to inject any type of code into your webpage where it is then executed. Not only does this put your website and server at risk, but it also puts your visitors at risk. A hacker can use your website to track your members, harvest cookies, plant cookies, serve popups or spyware, etc. That is, if the hacker is kind enough to not simply destroy your website instead.

So, yeah, get the patch.



Re: ATTENTION - PHP-Nuke Security Hole (Score: 1)
by rwxrwxrwx on Saturday, December 17 @ 23:00:15 CET
http://www.ratboyz.com/
Allowing offsite avatars will introduce a level of insecurity even with your patch. If running Apache, the remote server can use the AddType directive to change MIME-type for an extension. So, a server-side script could easily have non-standard endings including image ones. With the ForceType directive, one can match files with or without extensions to a given media type.

Also, many servers recognize .phtml files as containing PHP code, and .cgi is just one of many possible extensions for CGI scripts.



Re: ATTENTION - PHP-Nuke Security Hole (Score: 1)
by Prophet on Sunday, December 18 @ 09:27:02 CET
http://jasonlau.biz
Just so everyone is aware of this, the patch is certainly not a cure-all for this issue. Disabling is not the perfect solution either since Your_Account module does not even check to see if admin has enabled or disabled the feature. A line of code in the address bar could execute the script even if you think you have it disabled.

Here's the best patch for it so far ...

Remove the entire avatarlinksave function and replace it with this ...

function avatarlinksave($avatar) {
    // Stub: refuse every offsite avatar link and show an error page instead.
    include("header.php");
    title("Disabled!");
    OpenTable();
    nav();
    CloseTable();
    OpenTable();
    echo "Error: This feature is disabled!";
    CloseTable();
    include("footer.php");
}



Re: ATTENTION - PHP-Nuke Security Hole (Score: 1)
by Evaders99 on Monday, December 19 @ 00:16:32 CET
http://www.swrebellion.com
"Disabling is not the perfect solution either since Your_Account module does not even check to see if admin has enabled or disabled the feature"

My additional fix does though. Prophet, can you verify that it does? If there is any way around it, please let me know.
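
The checks discussed in the comments above (validating the submitted link, enforcing the admin setting in the handler, and the limits of extension filtering), as an added example that is not part of any comment or of the PHP-Nuke patch. The function names and sample URLs are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper names, constructed sample URLs.
// Returns the URL if it is acceptable as an offsite avatar link, else null.
function validate_avatar_url(string $url, bool $offsiteEnabled): ?string
{
    // Enforce the admin setting in the handler itself, so a hand-crafted
    // request cannot reach the save path while the feature is switched off.
    if (!$offsiteEnabled) {
        return null;
    }
    // Refuse empty/oversized input and any character that could break out of
    // an HTML attribute: controls, whitespace, quotes, <, >, backslash, backtick.
    if ($url === '' || strlen($url) > 255 || preg_match('/[\x00-\x20\x7f"\'<>\\\\`]/', $url)) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;
    }
    // Only plain http(s) links, with no embedded credentials.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)
        || isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    // Extension allow-list. This narrows the input but says nothing about what
    // the remote server returns: it can map any extension to any handler or
    // MIME type (the AddType/ForceType point above).
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $p['path'])) {
        return null;
    }
    return $url;
}

// Encode again at output time; never echo the stored value raw.
function render_avatar(string $storedUrl): string
{
    return '<img src="' . htmlspecialchars($storedUrl, ENT_QUOTES, 'UTF-8') . '" alt="avatar">';
}

foreach ([
    'http://img.example/avatars/me.png',      // well-formed image link
    'http://img.example/a.png" title="x',     // quote and space in the value
    'data:text/plain,hello.png',              // non-http scheme
    'http://img.example/avatar.phtml',        // script-mapped extension
] as $sample) {
    $ok = validate_avatar_url($sample, true);
    echo ($ok === null ? 'rejected' : render_avatar($ok)), "\n";
}
var_dump(validate_avatar_url('http://img.example/avatars/me.png', false)); // admin has the feature off
```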

