IT Security and Insecurity Portal

Posted: Mon Apr 18, 2005 11:30 am
KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61

It would be more "ethical" to advise the developers before releasing the exploit, but I don't think many people will upgrade.
I've got an idea, but I need to test it.
I was thinking about sending part of the string encoded in base64 and the rest unencoded, so the filter shouldn't work...
Also I heard about JOIN queries, but I need to study more SQL.

Posted: Mon Apr 18, 2005 12:30 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

There is one thing I wanted to say out loud: phpNuke developers and/or nukefixes developers are not very ethical people.
Let's see - base64 encoding/decoding has always been a big security hole in the whole phpNuke engine. Many cool SQL injection and XSS cases are related to base64. So, when I started to work with phpNuke (~December 2003), I wrote some sanitize code for mainfile.php to finally get rid of all the base64 bugs. It was 100% private code and it was not spreading on the Internet.
Here it is:
Code:
#############################################################
#--------------- Base64 sanitize by Waraxe -----------------
# Runs early in mainfile.php, before the rest of Nuke decodes
# the admin/user cookies: decode, escape quotes and backslashes
# with addslashes(), then re-encode so later code still sees base64.
if(isset($admin))
{
    $admin = base64_decode($admin);
    $admin = addslashes($admin);
    $admin = base64_encode($admin);
}
if(isset($user))
{
    $user = base64_decode($user);
    $user = addslashes($user);
    $user = base64_encode($user);
}
#############################################################
At some point, somewhere in 2004, I posted that code fragment to some forum (I don't remember the details) and it spread over the net.
Let's do a Google search:
http://www.google.com/search?hl=en&lr=&q=%22Base64+sanitize+by+Waraxe%22
and we can see that there are more than 160 results.
And to my surprise, when I looked at the phpNuke source code one day:
Code:
if(isset($admin))
{
    $admin = base64_decode($admin);
    $admin = addslashes($admin);
    $admin = base64_encode($admin);
}
if(isset($user))
{
    $user = base64_decode($user);
    $user = addslashes($user);
    $user = base64_encode($user);
}
Cool, isn't it? A 100% copy of my code, but without any reference to me or any credit. Let's look at the first lines of "mainfile.php":
Code:
/************************************************************************/
/* Additional security checking code 2003 by chatserv                   */
/* http://www.nukefixes.com -- http://www.nukeresources.com             */
/************************************************************************/
Nice, eh? They just used my code snippet without any mention of the author??
Ethical?? Hell, no.
By the way, download some new phpNuke package, like 7.5 or 7.6, and try to find the strings "waraxe" or "janek" in ALL OF THE PHPNUKE SOURCE. Heh, guess what?????????? Not a word about me. Think for one f***ing minute how many f***ing holes I have discovered in Nuke.
Where are the credits in the changelog? Eh??
F***k this s**t, I am a little bit mad right now.
So, fu*k ethics!!! I will release the advisory as soon as possible.

Posted: Mon Apr 18, 2005 12:38 pm
KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61

Revenge is a dish best served cold, lol.
Or something like this, lol.
I hate people "stealing" credit; it happened to me when I coded many very bad programs for the DC p2p sharing network...
By the way, were my ideas totally useless, or was there something right?

Posted: Mon Apr 18, 2005 12:54 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Well, let's see:
1. JOIN tricks instead of UNION tricks - this is not useful most of the time.
I am telling this from my own experience - I know the theory and I have done experiments with JOIN, but there are very restrictive mitigating factors in SQL query syntax, and in real life I don't remember any case when a JOIN trick worked...
2. base64 encoding mixed with other methods - this is not a working idea, I think, because for the base64 stuff to work there must be a code fragment which decodes it first. I can't understand how you can somehow "put together" different SQL query parts coming from various sources...
Maybe I'm just talking BS right now, I don't know...
Anyway, feel free to experiment - I have discovered many cool bugs just by experimenting, without detailed planning.
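To make the two technical points in this thread concrete (the base64 sanitize snippet from mainfile.php earlier in the thread, and why a payload that is half base64 and half raw text does not get past it), here is an added example. It is not code from the original posts or from phpNuke itself; the function name, the simplified "id:name:pass" cookie layout, the toy query builder and the sample payloads are this example's own assumptions, constructed so it runs on its own without a phpNuke install.

```php
<?php
// Added example: reconstruction of the "Base64 sanitize" idea from the thread.
// Not phpNuke code; names, cookie layout and payloads are constructed here.

// Same three-step transformation as the mainfile.php snippet:
// decode the cookie, escape quotes/backslashes, re-encode for the code
// further down the request path that still expects base64 input.
function base64_sanitize(string $value): string
{
    $decoded = base64_decode($value, true);   // strict: reject non-base64 input
    if ($decoded === false) {
        // Not valid base64 at all: nothing downstream could decode it either,
        // so hand on an empty value rather than forwarding garbage.
        return base64_encode('');
    }
    return base64_encode(addslashes($decoded));
}

// Toy model of the Nuke pattern: the cookie is "id:name:pass" joined by ':'
// and a piece of it is concatenated straight into SQL. Constructed, simplified.
function build_user_query(string $cookie): string
{
    $fields = explode(':', base64_decode($cookie));
    $uid    = $fields[0] ?? '';
    return "SELECT * FROM nuke_users WHERE user_id='" . $uid . "'";
}

// 1. A benign cookie passes through unchanged (decode -> no quotes -> encode).
$benign = base64_encode("2:admin:5f4dcc3b5aa765d61d8327deb882cf99");
assert(base64_sanitize($benign) === $benign);

// 2. An injection attempt hidden inside the base64 (constructed payload).
$evil = base64_encode("2' OR '1'='1:admin:x");
echo "unsanitized: " . build_user_query($evil) . "\n";
// -> SELECT * FROM nuke_users WHERE user_id='2' OR '1'='1'
echo "sanitized:   " . build_user_query(base64_sanitize($evil)) . "\n";
// -> SELECT * FROM nuke_users WHERE user_id='2\' OR \'1\'=\'1'

// 3. The "part base64, part raw" idea from above: strict decoding rejects it
//    outright, and non-strict base64_decode() silently drops every character
//    outside the base64 alphabet (quotes, spaces) and treats the leftover
//    letters as base64 digits, so the raw SQL fragment never reaches the query.
$mixed = base64_encode("2") . "' OR '1'='1";
var_dump(base64_decode($mixed, true));                       // bool(false)
$loose = base64_decode($mixed);
echo "loose decode as hex: " . bin2hex($loose) . "\n";       // binary junk
var_dump(strpos($loose, "'") === false);                     // bool(true)
```

Two caveats worth keeping in mind with the original snippet: addslashes() escapes only the quote, double-quote, backslash and NUL characters and knows nothing about the connection charset, so the proper fix for the era was mysql_real_escape_string() and today is a prepared statement; and the snippet protects only the two cookies it names, while relying on $admin and $user already holding the raw cookie values at the point where it runs, so any other base64-carrying parameter that reaches SQL is left untouched.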

Posted: Tue Apr 19, 2005 1:17 pm
sp3x
Valuable expert
Joined: Feb 15, 2005
Posts: 10

waraxe wrote: | There is one thing I wanted to say out loud: phpNuke developers and/or nukefixes developers are not very ethical people.
Let's see - base64 encoding/decoding has always been a big security hole in the whole phpNuke engine. Many cool SQL injection and XSS cases are related to base64. So, when I started to work with phpNuke (~December 2003), I wrote some sanitize code for mainfile.php to finally get rid of all the base64 bugs. It was 100% private code and it was not spreading on the Internet.
Here it is:
Code:
#############################################################
#--------------- Base64 sanitize by Waraxe -----------------
if(isset($admin))
{
    $admin = base64_decode($admin);
    $admin = addslashes($admin);
    $admin = base64_encode($admin);
}
if(isset($user))
{
    $user = base64_decode($user);
    $user = addslashes($user);
    $user = base64_encode($user);
}
#############################################################
At some point, somewhere in 2004, I posted that code fragment to some forum (I don't remember the details) and it spread over the net.
Let's do a Google search:
http://www.google.com/search?hl=en&lr=&q=%22Base64+sanitize+by+Waraxe%22
and we can see that there are more than 160 results.
And to my surprise, when I looked at the phpNuke source code one day:
Code:
if(isset($admin))
{
    $admin = base64_decode($admin);
    $admin = addslashes($admin);
    $admin = base64_encode($admin);
}
if(isset($user))
{
    $user = base64_decode($user);
    $user = addslashes($user);
    $user = base64_encode($user);
}
Cool, isn't it? A 100% copy of my code, but without any reference to me or any credit. Let's look at the first lines of "mainfile.php":
Code:
/************************************************************************/
/* Additional security checking code 2003 by chatserv                   */
/* http://www.nukefixes.com -- http://www.nukeresources.com             */
/************************************************************************/
Nice, eh? They just used my code snippet without any mention of the author??
Ethical?? Hell, no.
By the way, download some new phpNuke package, like 7.5 or 7.6, and try to find the strings "waraxe" or "janek" in ALL OF THE PHPNUKE SOURCE. Heh, guess what?????????? Not a word about me. Think for one f***ing minute how many f***ing holes I have discovered in Nuke.
Where are the credits in the changelog? Eh??
F***k this s**t, I am a little bit mad right now.
So, fu*k ethics!!! I will release the advisory as soon as possible. |
Yes, this is bad....
The same happened to me... I also gave some advisories about holes in phpNuke....
First I sent them to nukefixes.com with patches and asked them to check the patches... but I got no answer about my patches... so I was waiting and waiting.... and no response...
Then I published the advisory and patches for phpNuke....
On the forum nukefixes started to check my patches...
and everything was good, but no credit in the code that the patches were from me.... sad but true...
phpNuke security sucks.... they do not care about security...
You can send them an advisory but they only answer "ok fine thanks for info" or say nothing...
When my friend and I sent advisories about holes in PostNuke, the answer was quick. The PostNuke team really cares about security... they worked with us to patch PostNuke, it still works, and we still have contact... by the way, PostNuke is better written than phpNuke....

Posted: Tue Apr 19, 2005 1:45 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Years ago I had the same problem, but worse!
I made messenger tools in Visual Basic (when the Messenger version was 4.x).
Simple tools but very useful: MassMessenger, MSN Fake Apps, MSN IP Stealer, etc... But some lamer used a resource editor to change my name (I was "MaDMaX" then) in all the images and strings to put in his own, and distributed the tools over the net... The tools got very popular... but with this idiot as the author...
The same happened with the first hacking guide I wrote in 1999. It was the "NetBIOS Hacking Guide Step-by-step by MaDMaX". I published it on my web page and.... the guide has been copied to many lamer sites but without my signature!!! (One day I started searching for the guide with Google and I found that only one person mentioned my name in the guide, about 6 copies had no author, and about 8 had the author changed!!!)
I know that my case is different because lamers are not ethical by definition, but phpNuke developers MUST BE ethical, so if they're not, REVENGE!
Last edited by murdock on Tue Apr 19, 2005 1:47 pm; edited 1 time in total

Posted: Tue Apr 19, 2005 1:46 pm
KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61

In fact for phpNuke there are tons of public exploits; for PostNuke there are fewer.

Posted: Tue Apr 19, 2005 4:58 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Yeah, I have good experience with many developers: PostNuke, Coppermine, Phorum, phpBB. And the most ignorant ones are phpNuke and XMB Forum. Just my opinion.
By the way, I will release advisory #42 tomorrow, and it's about "multiple vulnerabilities" in Sentinel.

Posted: Tue Apr 19, 2005 6:41 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

"multiple vulnerabilities in Sentinel" <- YUUUUUJUUUUUUUUU!!!!!!!!

Posted: Wed Apr 20, 2005 1:58 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Not only that,
I used to do some pen tests / black box tests against some websites or servers.
Yes, I do it illegally, but I don't do any harm... just testing.
When I'm done, I give them (the admin) a clue or point out something "open" on their machine. What did they say to me?
"Don't try to teach me, go away, you are not smart enough..."
and many more...
See?
A few days later, their server was defaced, many files deleted and bla bla bla...
So??
What's wrong?
_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Wed Apr 20, 2005 2:05 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

y3dips wrote: | Not only that,
I used to do some pen tests / black box tests against some websites or servers.
Yes, I do it illegally, but I don't do any harm... just testing.
When I'm done, I give them (the admin) a clue or point out something "open" on their machine. What did they say to me?
"Don't try to teach me, go away, you are not smart enough..."
and many more...
See?
A few days later, their server was defaced, many files deleted and bla bla bla...
So??
What's wrong? |
Yes, my experience tells me that ~25% of admins/webmasters respond in a friendly way and patch the holes, ~25% respond unfriendly AND patch the holes, or do not respond BUT PATCH anyway. And the most interesting are the other 50% - they just don't respond and don't patch either.
Guess what - about 6 months ago I spotted some potential flaws in an Estonian bank website, I sent an email and got zippo answers...
Now, half a year later, those holes still exist and are not yet patched.
Nonsense....

Posted: Wed Apr 20, 2005 2:19 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

waraxe wrote: |
Yes, my experience tells me that ~25% of admins/webmasters respond in a friendly way and patch the holes, ~25% respond unfriendly AND patch the holes, or do not respond BUT PATCH anyway. And the most interesting are the other 50% - they just don't respond and don't patch either.
Guess what - about 6 months ago I spotted some potential flaws in an Estonian bank website, I sent an email and got zippo answers...
Now, half a year later, those holes still exist and are not yet patched.
Nonsense.... |
Sorry, I forgot: a few of them would like to say thx and ask how to patch (hell, yeah?)
By the way, about your advisories.
Like you said in another topic,
sometimes we have to make them feel it, and after that just hope they realize it,
or just watch the machine.
_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Wed Apr 20, 2005 4:47 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

The Sentinel related advisory #043 will be out tomorrow, because today I was busy with #042 - vulns in Coppermine.

Posted: Wed Apr 20, 2005 7:03 pm
sp3x
Valuable expert
Joined: Feb 15, 2005
Posts: 10

Yeah, some admins are good, some bad.
Some admins thank you, give you permission to test the host and help them patch, and give you for free an account that costs many dollars....
Some admins just call the police saying that someone tried to hack them or hacked their system... then you have a problem....
If an admin is good at his job he understands the risk when security is broken.
So... the best admins are those who have broken the security of some servers or some scripts or software; that's the truth.

Posted: Thu Apr 21, 2005 9:05 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Yeah, those people who find all these holes and don't get the credit. I suppose it's because they release the exploits as well that they don't mention them.
Look at heintz: he found that big problem with phpBB and they didn't even bother to mention his name or anything, because he released the exploit.
BTW I don't like the phpBB crew whatsoever.
_________________ Shai-tan
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds

www.waraxe.us Forum Index -> PhpNuke
All times are GMT
Page 2 of 3