 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: jimysakura
 New Today: 0
 New Yesterday: 3
 Overall: 8201
 People Online:
 Visitors: 246
 Members: 1
 Total: 247
 Online Now:
01: risker - Forums
|
|
|
|
|
|
milw0rm |
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
SA#018 Fix? |
|
 Posted: Fri Jun 25, 2004 2:23 am |
 |
|
| sarah |
| Regular user |
 |
| |
| Joined: Jun 25, 2004 |
| Posts: 5 |
|
|
|
 |
|
 |
|
Hello,
I run nuke 7.2 and am having issues with someone who keeps creating a God account on our site and deleting my posts.
My issues is SA#018 with teh SQL admin injection..
| Code: | | admin.php?op=AddAuthor&add_aid=waraxe2&add_name=God&add_pwd=coolpass&add_email=foo@bar.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox |
Is there anyway I can patch this. I checked through your site but didn't find anything for 7.2. Or should I upgrade to 7.3?
Thanks so much, your website is a GREAT resource!!!!
Sarah |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 25, 2004 9:17 am |
|
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2399 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
#18 is related to sql injection through base64 encoded admin parameters.
And i myself are using patch like this.
First, open mainfile.php and find this piece of code:
| Code: |
if (!ini_get("register_globals")) {
import_request_variables('GPC');
}
|
Add filtering code, so result will be as:
| Code: |
if (!ini_get("register_globals")) {
import_request_variables('GPC');
}
//############################################################
//-- Base64 sanitize by Waraxe -------------------------------
if(isset($admin))
{
$admin = base64_decode($admin);
$admin = addslashes($admin);
$admin = base64_encode($admin);
}
if(isset($user))
{
$user = base64_decode($user);
$user = addslashes($user);
$user = base64_encode($user);
}
//############################################################
|
After this code addition all the base64-based sql injection exploits will stop working. |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 25, 2004 12:50 pm |
|
|
| sarah |
| Regular user |
|
| |
| Joined: Jun 25, 2004 |
| Posts: 5 |
|
|
|
|
|
|
|
Hey it worked!! Thank you SOOO MUCH! I'm going to donate some $$ when I get paid next week.
So what else should I worry about patching on 7.2? Any other exploits in any other module? |
|
|
|
|
| Posted: Fri Jun 25, 2004 2:07 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2399 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Thanks for donation!
About phpnuke 7.2...
Do you use out-of-the-box version directly from phpnuke.org?
Then it is filled with various security holes. First thing you must do, is to install all the patches from nukecops or nukefixes. Then, install some
protector system - for example Sentinel. And finally - visit my website and forum to find out newest patching tutorials 
If you have any specific questions, go ahead, i will try to help. |
|
|
|
|
| Posted: Mon Jun 28, 2004 12:35 pm |
|
|
| sarah |
| Regular user |
|
| |
| Joined: Jun 25, 2004 |
| Posts: 5 |
|
|
|
|
|
|
|
yes, using out of the box 7.2. i cant find any specific patches from nuke cops but i'm assuming there are specific issues in which you're referring to..
so any girlfriend? |
|
|
|
|
www.waraxe.us Forum Index -> How to fix
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
