virtuaopolis
Corporal
Joined: Oct 07, 2003
Posts: 64
Posted: Mon May 24, 2004 6:15 pm
I have been recently fending off SQL injection attacks of all different types. Fortress seems to be a very great lil add-on for any site. I have been testing different injection exploits on my site and I found a hole in the Fortress add-on. If an admin has access to the Authors, they have the ability to inject a query that adds a god admin with SU privs to the site admins.
I don't want to post the exploit as I do not want it to be used against sites; but if Zhen-Xjell would like to contact me to see an example of the hole, I would gladly demonstrate the exploit so it can hopefully be plugged in future releases.
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Mon May 24, 2004 7:03 pm
Fortress(tm) does not protect against the injection you speak of. It protects against C-like comments, UNION, and bad HTML tags. What you speak of is a valid URL. I have released Admin Tap ver 3 that handles precisely what you are talking about.
That will be integrated into Fortress(tm) in the near future, however.
_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
bretonmage
Captain
Joined: Feb 21, 2004
Posts: 421
Posted: Mon May 24, 2004 10:20 pm
Just so you know, Admin Tap conflicts with NSN Groups. It comes up with the "Nuke Cops slaps you silly" thing when accessing it from the admin menu.
virtuaopolis
Corporal
Joined: Oct 07, 2003
Posts: 64
Posted: Mon May 24, 2004 10:23 pm
NSN Groups? Is that the groups integration in the phpNuke 7.2 distro from phpNuke.org, and where can I get the Admin Tap?
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Tue May 25, 2004 6:21 am
You have to make some adjustments to NSN Groups, in the edit users group admin module's PHP file. Look for all the "Header" calls and comment them out; at that point all is well with Admin Tap.
ben2
Nuke Cadet
Joined: Feb 20, 2003
Posts: 4
Posted: Tue May 25, 2004 8:10 am
I installed FORTRESS and everything works fine so far.
But why do you ban someone for:
......sid=-1%20ONION%20......
and
......sid=-1%20NOINU%20......
and so on... (there are a lot of 5-letter words you can build with these letters [OdWo5NIbpuU4V2iJT0n])
But you don't ban someone for:
......sid=-1%20UNION%09......
Replacing a blank (%20) with a tab (%09) is not such a big deal, and MySQL doesn't care about the difference.
ben
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Tue May 25, 2004 8:48 am
That's why it's beta software, Ben... responses like yours help to make it tighter.
And think about it... how many valid URLs are going to contain "NOINU" and other nonsensical words anyway?
In my book, I'd rather be overly cautious than let things actually slip by.
I periodically check my htm file and scan for any false captures, and if any are caught, I remove them from the CSV file. Depending on what the false capture is, it might help to tighten up the code.
However, to discuss the problem of %09, let's dissect it. You are trying to use the ampersand command for horizontal tab; it doesn't work in the URI. You would need to use the hex-encoded value for horizontal tab, but that turns out to be a control character and not an actual printable character.
A space, the %20, is a printable character that is allowed within URIs.
The %09, a control character for horizontal tab, is not.
Now I've quickly read the RFC on this:
http://www.faqs.org/rfcs/rfc1738.html
What do you think of this? Is this on target? I'll have to do some more research, but I don't believe the control character for the horizontal tab can be passed via a URL.
publicx2001
Premium
Joined: Feb 11, 2003
Posts: 172
Location: USA
Posted: Tue May 25, 2004 10:23 am
Zhen-Xjell wrote:
    Fortress(tm) does not protect against the injection you speak of. It protects against C-like comments, UNION, and bad HTML tags. What you speak of is a valid URL. I have released Admin Tap ver 3 that handles precisely what you are talking about.
    That will be integrated into Fortress(tm) in the near future, however.
Do I need to worry about this if I am the only admin on my site?
If I need to install Admin Tap, where do I get it? I've looked and can't find the download.
Thanks
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Tue May 25, 2004 10:39 am
Yes, you need to grab Admin Tap ver 3. It's available from the front page news articles.
As to the horizontal tab exploit issue, I did some more research and sure enough it can be encoded and passed just as stated.
I've just updated my local copy of Fortress(tm) and it catches the use of either spaces or horizontal tabs.
Which brings up the question of CRLF.
The %09 will be included in the next release.
Thanks for the heads up.
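The exchange between ben2 and Zhen-Xjell above comes down to one detection question: a filter that looks for the UNION keyword bracketed by literal %20 spaces misses the same keyword bracketed by %09 tabs, and the open "question of CRLF" is the same gap for %0d and %0a. The block below is an added example, not Fortress(tm) or Nuke Cops code, and is written in Python rather than the add-on's PHP so that it runs stand-alone. It puts a naive literal-space check next to a hardened one that URL-decodes first, turns C-style comments into whitespace, collapses every kind of whitespace to a single space, and then matches UNION only as a whole SQL keyword followed by SELECT, so the anagrams ben2 lists (ONION, NOINU) are not flagged. The request lines are constructed for the example and the phpNuke-style paths in them are hypothetical.

```python
# Added example, not code from Fortress(tm) or Nuke Cops. Python rather than
# PHP so it runs stand-alone; the request lines below are constructed, not logs.
import re
from urllib.parse import unquote_plus

# A literal-space filter in the spirit of the thread: the UNION keyword must be
# bracketed by %20 in the still-encoded URL. %09 (tab) slips straight past it.
NAIVE_PATTERN = re.compile(r"%20UNION%20", re.IGNORECASE)


def naive_union_check(url: str) -> bool:
    """Return True when the raw URL contains '%20UNION%20' (case-insensitive)."""
    return NAIVE_PATTERN.search(url) is not None


def normalise(url: str) -> str:
    """Decode percent-encoding and '+', turn C-style comments into a space,
    then collapse every run of whitespace (space, tab, CR, LF, ...) to one space."""
    decoded = unquote_plus(url)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.DOTALL)
    return re.sub(r"\s+", " ", decoded)


# Match UNION only as a whole SQL keyword that is followed by SELECT, so the
# anagrams ben2 mentions (ONION, NOINU) are not flagged.
HARDENED_PATTERN = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)


def hardened_union_check(url: str) -> bool:
    """Return True when the normalised URL carries a UNION ... SELECT clause."""
    return HARDENED_PATTERN.search(normalise(url)) is not None


# Constructed sample request targets (hypothetical phpNuke-style paths).
SAMPLES = {
    "space":   "/modules.php?name=News&sid=-1%20UNION%20SELECT%201",
    "tab":     "/modules.php?name=News&sid=-1%09UNION%09SELECT%201",
    "lf":      "/modules.php?name=News&sid=-1%0aUNION%0aSELECT%201",
    "crlf":    "/modules.php?name=News&sid=-1%0d%0aUNION%0d%0aSELECT%201",
    "comment": "/modules.php?name=News&sid=-1/**/UNION/**/SELECT/**/1",
    "onion":   "/modules.php?name=Recipes&sid=-1%20ONION%20SOUP",
    "benign":  "/modules.php?name=Union_Station&sid=42",
}


def compare(samples=None) -> dict:
    """Map each sample name to (naive_result, hardened_result)."""
    samples = SAMPLES if samples is None else samples
    return {name: (naive_union_check(url), hardened_union_check(url))
            for name, url in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:8s} naive={naive!s:5s} hardened={hardened}")
```

Running the block prints one row per sample: the naive check fires only on the %20 case, while the hardened check fires on the tab, LF, CRLF and comment variants and stays quiet on ONION and on a legitimate value such as Union_Station. The design point is that the decoding and whitespace collapsing happen once, before any keyword matching, so a new separator does not need a new pattern.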
mitch100degrees
Sergeant
Joined: Feb 01, 2004
Posts: 98
Location: USA, Michigan
Posted: Tue May 25, 2004 10:45 am
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Tue May 25, 2004 10:49 am
Yes, but part of it is missing a backslash, and I believe this is that:
if (preg_match("/\?admin/", "$checkurl")) {
    echo "die";
    exit;
}
mitch100degrees
Sergeant
Joined: Feb 01, 2004
Posts: 98
Location: USA, Michigan
Posted: Tue May 25, 2004 10:53 am
Alrighty, thank you very much.
Mitch
xfsunolesphp
Lieutenant
Joined: Apr 05, 2003
Posts: 208
Location: Melbourne, FL
Posted: Tue May 25, 2004 2:35 pm
ZX, it should be
Code:
if ((preg_match("/\?admin/", "$checkurl")) || (preg_match("/\&admin/", "$checkurl"))) {
    echo "die";
    exit;
}
That stops blind coding on the admin side.
ben2
Nuke Cadet
Joined: Feb 20, 2003
Posts: 4
Posted: Wed May 26, 2004 12:25 am
Quote:
    In my book, I'd rather be overly cautious than let things actually slip by.
OK, but I would like to suggest setting a standard background color for the HTML table for non-UNION/C-like cases. My "ONION" attack looks a little dark with the dark blue background.
Quote:
    The %09 will be included in the next release.
    Thanks for the heads up.
You're welcome.
Quote:
    Which brings up the question of CRLF
Yes, I also thought about it, and a single LF could also do the trick. But I never tried to pass it through a URL.
ben
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Wed May 26, 2004 6:21 am
@xfsunolesphp: actually, I'm not sure why the second component would be needed?
@ben2: It's not supposed to be dark blue. I have noticed that just once on CCSP; if you check, the color background might not be set, and it's a bug.
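Zhen-Xjell's question about whether the `&admin` component is needed has a concrete answer: in a query string the first parameter follows `?` and every later one follows `&`, so a regex for `?admin` alone only sees an admin parameter that happens to come first. The block below is an added example, not Admin Tap or Fortress(tm) code, written in Python rather than PHP so it runs stand-alone; the thread's `$checkurl` becomes the `url` argument. It transcribes both regexes from the thread and compares them with a check that parses the query string and asks the question the code actually cares about, whether a parameter is named exactly `admin`, which is what PHP would expose as `$_GET['admin']`. The sample URLs are constructed and the phpNuke-style paths in them are hypothetical.

```python
# Added example, not Admin Tap or Fortress(tm) code. Python rather than PHP so it
# runs stand-alone; $checkurl from the thread becomes the `url` argument here.
import re
from urllib.parse import parse_qs, urlsplit

# The two regexes from the thread, transcribed from PHP's preg_match.
QUESTION_ADMIN = re.compile(r"\?admin")
AMP_ADMIN = re.compile(r"&admin")


def regex_question_only(url: str) -> bool:
    """Zhen-Xjell's single check: the literal text '?admin' somewhere in the URL."""
    return QUESTION_ADMIN.search(url) is not None


def regex_question_or_amp(url: str) -> bool:
    """xfsunolesphp's version: '?admin' or '&admin'."""
    return bool(QUESTION_ADMIN.search(url) or AMP_ADMIN.search(url))


def has_admin_param(url: str) -> bool:
    """Parse the query string and report whether a parameter is named exactly 'admin'.
    This is what PHP would expose as $_GET['admin'], wherever the parameter sits."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "admin" in params


# Constructed sample URLs (hypothetical phpNuke-style paths, not real requests).
SAMPLES = {
    "first":  "/modules.php?admin=op",            # admin is the first parameter
    "later":  "/modules.php?name=News&admin=op",  # admin follows another parameter
    "empty":  "/modules.php?name=News&admin",     # admin present with no value
    "value":  "/modules.php?op=admin",            # 'admin' is a value, not a name
    "prefix": "/modules.php?adminmenu=1",         # different parameter starting with 'admin'
    "none":   "/modules.php?name=News",
}


def compare(samples=None) -> dict:
    """Map each sample to (question_only, question_or_amp, parsed)."""
    samples = SAMPLES if samples is None else samples
    return {name: (regex_question_only(url), regex_question_or_amp(url), has_admin_param(url))
            for name, url in samples.items()}


if __name__ == "__main__":
    for name, (q_only, q_or_amp, parsed) in compare().items():
        print(f"{name:7s} ?admin={q_only!s:5s} ?|&admin={q_or_amp!s:5s} parsed={parsed}")
```

The rows make the trade-off visible: the `?admin`-only regex misses the admin parameter whenever it is not first, the two-regex version catches it but both regexes also fire on any parameter whose name merely starts with `admin`, and the parsed check gets every row right because it compares parameter names rather than searching for text at a position in the URL.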