//Encrypt Function
function encrypt($encrypt) {
global $key;
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
$passcrypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $encrypt, MCRYPT_MODE_ECB, $iv);
$encode = base64_encode($passcrypt);
return $encode;
}
//Decrypt Function
function decrypt($decrypt) {
global $key;
$decoded = base64_decode($decrypt);
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $decoded, MCRYPT_MODE_ECB, $iv);
return $decrypted;
}
?>
</body>
</html>
I just want to know that is it possible to decode( hack? ) strings without knowing $key value ???
So any ideas for improving security of cookies ??? Better encoding ways?
FreeBee Sergeant
Joined: Aug 26, 2004
Posts: 75
Posted:
Mon Nov 08, 2004 9:39 pm
So you have the libmcrypt 2.4.x installed.
But who doesn't ?
And why shouldn't i be able to decrypt ?
aracnet Nuke Soldier
Joined: Oct 26, 2004
Posts: 30
Posted:
Tue Nov 09, 2004 12:16 am
I could be just and option .
And can you decrypt code without knowing $key? (that was the main question that i wanted to ask?) If so how?
FreeBee Sergeant
Joined: Aug 26, 2004
Posts: 75
Posted:
Tue Nov 09, 2004 10:00 am
If i don't know $key i can't decrypt it indeed.
But why encrypt a cookie if i can get the admin md5 password and decrypt thatone ?
The cookie exploit is in IE5 where you can modify cookies.
In other systems it's hard to crack cookies and login with that unless you're a real hacker and not just a scriptkiddy.
Since the most people that hack php-nuke are scriptkiddies you're concern is not the cookie but all other exploits.
Fixes against all the FB exploits are mentioned everywhere by chatserv, bob marion, raven, djmaze, etc.
Those should have high priority since your prevention could work on your machine but not all servers since it relies on the mccrypt library.
A sidenote is that your solution probably won't get it into php-nuke since FB doesn't listen, but maybe that will change after reading his last news article on phpnuke.org.
aracnet Nuke Soldier
Joined: Oct 26, 2004
Posts: 30
Posted:
Tue Nov 09, 2004 11:46 am
Quote:
A sidenote is that your solution probably won't get it into php-nuke since FB doesn't listen, but maybe that will change after reading his last news article on phpnuke.org.
And this copyright notice will be present on the generated pages footer and in the HTML source as a Metatag called Generator. Those messages are now compliant with the 2(c) section of the GPL license and CAN'T BE REMOVED.
Since the previous versions of the copyright notices were NOT in compliance, if we keep using the <7.6 versions of php-nuke, we do not need to follow any stricter 7.6 copyright requirements.
I say that "chatserv, bob marion, raven, djmaze, etc." should stop fixing the new versions of php-nuke. Let's see what FB/nukelite does with all the security exploits/vulnerabilities that he introduces.
FreeBee Sergeant
Joined: Aug 26, 2004
Posts: 75
Posted:
Tue Nov 09, 2004 8:29 pm
oprime they did, they have their own "rip off" now, but somehow their fixes also work in phpnuke.
As a sidenode when you modify php-nuke you must print an appropriate copyright notice.
When you make a derivative work based on phpnuke you don't BUT you must ask the owner if you may use his code.
So you ask FB if you may use his code so you can modify your phpnuke to get it more suited to your website and ask if he wants credit for it somehow.
If he agrees you can remove the footer.
oprime2001 Lieutenant
Joined: Jul 13, 2003
Posts: 165
Posted:
Tue Nov 09, 2004 9:02 pm
FreeBee wrote:
As a sidenode when you modify php-nuke you must print an appropriate copyright notice.
When you make a derivative work based on phpnuke you don't BUT you must ask the owner if you may use his code.
Doesn't php-nuke being GPL licensed automatically allow me to make modifications and derivatives without FB's consent/notice as long as I:
keep my modifications/derivatives GPL
or, make modifications/derivatives but NOT distribute the modifications/derivatives
FreeBee Sergeant
Joined: Aug 26, 2004
Posts: 75
Posted:
Wed Nov 10, 2004 12:38 am
GPL Version 2 section 2 wrote:
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
A) Do it
B) You must keep it GPL
C) Means your modified program and after 7.5 you are not allowed to remove the copyrights (as mentioned between the brackets)
GPL Version 2 section 10 wrote:
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
Say you build a new CMS and you use parts of FB his code (it doesn't say 5% or 99%) and you name it "Secure-Nuke 1.0" then you ask FB if you may use parts of his code for the new CMS you're building.
But your footer doesn't output an copyright or is not GPL but LGPL instead for example.
If he agrees you may do whatever you wish.
However he never asked people (as mentioned above) for the use of the code.
Now that he made the footer notice fully to the GPL rules he must ask everyone for use of their code. If he doesn't and uses "parts" of code (see above) then he is violating the rules of that other program and can be brought to court.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
