| Author |
Message |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Thu Nov 13, 2003 2:38 pm |
  |
Hi all,
I downloaded the security fixpack http://www.phpnuke.org/modules.php?name=News&file=article&sid=6305 6.6 6.9 zip file (I run Nuke 6.7) and installed the updated files. All looks good; however, the security code text box when logging in does not seem to work anymore for the admin.php login. Please note that any numbers or text can be entered and accepted. However, the security code still works for the members login.
My site is running on Linux and I must admit I did not test this feature after I moved from a Unix box. Maybe the security code does not work on Linux?? But then it works for the members login - HELP!!
Best Regards
Zanis |
|
|
   |
 |
IACOJ
Major


Joined: Jan 15, 2003
Posts: 1269
Location: USA
|
Posted:
Thu Nov 13, 2003 3:55 pm |
  |
|
   |
 |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Thu Nov 13, 2003 4:13 pm |
  |
Hi,
I have downloaded the patch zip file for the downloads and weblinks. However, looking at the thread you attached, I still cannot work out what I have to add to admin.php to fix this security hole and where in the file - could you please paste the approved fix within this thread or direct me to the fix. The other thread had five pages of improvements which I must admit I got lost with.
I also had to change an admin name with spaces since I kept getting begone errors.
And just to confirm does the zip file you mentioned that contains the two index files for web links and downloads stop the hack security hole in the admin.php?
Please help!
Best regards
zanis |
|
|
   |
 |
IACOJ
Major


Joined: Jan 15, 2003
Posts: 1269
Location: USA
|
Posted:
Thu Nov 13, 2003 4:46 pm |
  |
Hi you can just grab the admin.php from the CVS. There is a link to the CVS at the top of the screen  |
_________________ http://castlecops.com
Microsoft MVP Windows-Security 2005 |
|
   |
 |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Thu Nov 13, 2003 4:51 pm |
  |
Now that's what I call a great idea!!!
Best regards
zanis |
|
|
   |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Thu Nov 13, 2003 4:59 pm |
  |
We live to serve... Well, when we have the time and we're not busy. |
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki] |
|
     |
 |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Thu Nov 13, 2003 5:02 pm |
  |
Well I must say the moderators on this board ROCK !!!
Well done!
Best Regards
Zanis |
|
|
   |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Thu Nov 13, 2003 5:03 pm |
  |
Thanks... sometimes when we aren't too busy and this stuff comes out we hit it fast and hard. Remember the admin.php? That was released quick. This one is taking time, really, because we haven't secured a working exploit yet. |
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki] |
|
     |
 |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Thu Nov 13, 2003 5:06 pm |
  |
Hmmm... interesting in that the security code for my Nuke 6.7 web site still does not check the security code - maybe it's Linux?
Best Regards
Zanis |
|
|
   |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Thu Nov 13, 2003 5:08 pm |
  |
Well, let's start another thread on that topic. |
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki] |
|
     |
 |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Thu Nov 13, 2003 5:14 pm |
  |
|
   |
 |
IACOJ
Major


Joined: Jan 15, 2003
Posts: 1269
Location: USA
|
Posted:
Fri Nov 14, 2003 5:38 am |
  |
Hi everyone,
There has been a patch released for the SQL injection. As Zhen previously pointed out, there have been some issues reproducing the exploit. So the patch is based on what we do know.
Anyone who has downloaded the updated files from the CVS since Oct 31, 03, should use this patch. Anyone using bb 2.0.6 should replace functions.php with the functions.php in the zip.
The CVS is NOT current with this fix, so please use the zip file. It will be updated later on today.
The upgrade zip to change the forum from 2.0.5 to 2.0.6 has also been updated with the corrected file.
The news article I posted states it is for the bundle, however anyone using 2.0.6 can overwrite their existing 2.0.6 files without fear of it breaking their site. Just make sure you maintain the dir structure.
http://nukecops.com/downloads-file-185-details-14-11-03_Patch_NC_Bundle_forum.html |
_________________ http://castlecops.com
Microsoft MVP Windows-Security 2005 |
|
   |
 |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Fri Nov 14, 2003 1:55 pm |
  |
Hi,
For people who have PHPNuke 6.7 and maybe lower who also run the forum that came with the Nuke code - from phpnuke.org
Forum specs
| Code: |
Powered by phpBB 2.0.4 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 |
Is there any fix for us in regards to the SQL Injection issues? I'm sorry but my understanding of your statement is that you have provided a fix for the 2.0.5 NukeCops version of the forum. What does NC Bundle mean?
Should we upgrade PHPNuke to say 6.9 so we can use your patches?
I personally have PHPNuke 6.7 with the most recent fixpacks being
PHP-Nuke SQL Injection Vulnerability Fix
http://www.phpnuke.org/modules.php?name=News&file=article&sid=6305
AND
sp-10-9-03.zip which contained two index.php files, one for web_links, the other for down_loads.
I think a lot of us are getting confused as to what security patches need to be applied to what versions of the forums and nuke.
Please help us!
Best Regards
Zanis |
|
|
   |
 |
IACOJ
Major


Joined: Jan 15, 2003
Posts: 1269
Location: USA
|
Posted:
Sun Nov 16, 2003 5:50 pm |
  |
Zanis,
Anyone using a version LESS than 2.0.6 needs to upgrade to 2.0.6. That is how you fix the vulnerability.
NC bundle is NukeCops Beta Bundle, which is php-nuke done NukeCops style. We use the bundle on this site.
If you go back and read the news post and the subsequent comments with it, I think it has been explained quite sufficiently. However, if you have a specific question I would be happy to answer it.
It is really simple. If you aren't using 2.0.6, your site is at risk. If you are using the Bundle you need to install the whole patch. If you are using 2.0.6, unless you installed since the article was posted, you need to replace includes/functions.php ONLY.
I don't know how else I can explain it more clearly than that.
EDIT: The fix you installed is for a completely separate vulnerability. We don't re-issue patches for the same vulnerability. In this case a file which was already released needed to be updated, so the original release was also updated, so future users of that patch would be covered. |
|
|
   |
 |
zanis
Lieutenant


Joined: Aug 21, 2003
Posts: 213
|
Posted:
Sun Nov 16, 2003 6:01 pm |
  |
Hi,
Thanks for the reply. Just to confirm:
IF you are using phpnuke 6.7 with the forum version 2.0.4 that comes with the 6.5 version AND you downloaded the nuke code files from phpnuke.org THEN you need to upgrade to say phpnuke 6.9 that comes with the forum version 2.0.5 from phpnuke.org.
THEN once you have done that you need to apply the entire patch mentioned above since the forum is not from Nuke Cops but in fact from phpnuke.org since I am not using the Bundle BUT I am not using any new files??
Is this correct? Sorry if I sound stupid but I did not know that Nukecops had their own version of PHPNuke called the Bundle. Sorry for not knowing that.
Question -> Does this mean that any fixes that I download from Nukecops can still be applied to my version of PHPNuke which is downloaded from phpnuke.org? |
|
|
   |
 |