Re: DNS Security

Wow - the merge topic function did its job! I've never tried it before.

Moved the last few posts from another thread to keep things orderly.

Re: SQL Injections - very active right now

  • 2008/8/16 8:39:54
  • Tom

It's probably unrelated but thought I'd mention it. Around the same time you noticed these attempts started I've also noticed an increase in spam on 3 E-mail addresses and all three addresses are never published anywhere. They always proclaim to be MSN, CNN and MSNBC.

One of them is only used for the form on BassmanThemes.

Like I said, probably not related, but it seemed to happen a lot around the same time.

Re: SQL Injections - very active right now

Hello !!

Yes, apparently it uses an SQL Server issue in unpatched servers.

I have the w.js script file and I investigated it, and found an iframe injection; this file calls another file located on a compromised server, and shows an HTML page with 4 iframes, and tries to download & execute a virus trojan from four different locations in the iframes...

I am still investigating it; if anyone would like to contribute any data, please let me know at Lostmon@gmail.com

Thanks

--
Curiosity is what makes the mind move...


Re: DNS Security

reported here before :)

http://community.impresscms.org/modules/newbb/viewtopic.php?topic_id=2155&forum=13

but thanks for the heads up nonetheless :) (i'd rather have 10 people report it than none at all, although i'd go mad if we ended up with 10 or 20 people all reporting the same thing in separate topics lol)

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


DNS Security

I just read this excellent post http://community.impresscms.org/modules/newbb/viewtopic.php?topic_id=2220&forum=13&post_id=21120#forumpost21120 by McDonald regarding SQL Injections and it prompted me to write this follow on.

For those who may not be aware, probably the largest coordinated upgrade effort on the Internet took place earlier this year regarding a weakness in the DNS system that involves resolvers, and the details needed to exploit the weakness have now been made common knowledge. There are known exploits taking advantage of this weakness out there in the wild now.

Information on this can be found here:
http://www.us-cert.gov/cas/techalerts/TA08-190B.html

A tool for checking your own client DNS servers is found here:
http://www.doxpara.com/

A tool for checking the DNS of domain names you may control is here:
http://recursive.iana.org/

So, if you (or your ISP) have not yet upgraded the DNS servers under your control, you should do so as soon as possible.

-Commerce



SQL Injections - very active right now

Since the start of this month I've noted a lot of SQL injection attempts in the logs of my site.
A quick search with Google showed me I'm not the only one.

For some more info see here:
- http://isc.sans.org/diary.html?storyid=4844
- http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html
- http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/
- http://www.lockergnome.com/it/2008/08/13/sql-injection-attacks-in-the-wild-why-theyre-working-and-what-to-do/


I've noted that these injection attempts happen mostly during the weekends, but it can happen at any time of course.
So far none of the attacks was successful.


Keep an eye on your logs, make backups more frequently, make sure you have the latest versions of modules installed and that you have Protector installed!



Re: RMSOFT Download plus fixing XSS issues

yep.. ur right trabis

if ($key==''){$key= htmlspecialchars($_POST['key']); }


is the correct way.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: RMSOFT Download plus fixing XSS issues

Not sure this is correct:

if ($key==''){ htmlspecialchars($key=$_POST['key']); }


Maybe
if ($key==''){$key= htmlspecialchars($_POST['key']); }



Re: RMSOFT Download plus fixing XSS issues

Thank you very much for all the help!!!



Re: RMSOFT Download plus fixing XSS issues

#############################
fix $id variable in down.php
#############################

Open modules/down.php and around line 38 find this line of code:

$id = $_GET['id'];


It's always a numeric variable value, and then...
you can change it to this other one to sanitize it:

$id = intval($_GET['id']);



Continue working on it !!! :P

--
Curiosity is what makes the mind move...


RMSOFT Download plus fixing XSS issues

RMSOFT XSS Vulnerability
report: http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html

###################
FIX $key variable
###################

open modules/rmdp/include/rmdp_functions.php

Around line 314, find the function rmdp_make_searchnav()

Find this code:
#####################

function rmdp_make_searchnav(){
    global $xoopsDB, $xoopsTpl, $xoopsModule;

    $xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
    $xoopsTpl->assign('lng_search_button', _RMDP_SEARCH_BUTTON);
    // $key is read from POST, then GET, and passed to the template unescaped
    $key = isset($_POST['key']) ? $_POST['key'] : (isset($_GET['key']) ? $_GET['key'] : '');
    $xoopsTpl->assign('key', $key);


The variable $key is vulnerable in GET & POST.
Now add the htmlspecialchars() function;
change it to this:

function rmdp_make_searchnav(){
    global $xoopsDB, $xoopsTpl, $xoopsModule;

    $xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
    $xoopsTpl->assign('lng_search_button', _RMDP_SEARCH_BUTTON);
    // $key is escaped before it is passed to the template
    $key = isset($_POST['key']) ? htmlspecialchars($_POST['key']) : (isset($_GET['key']) ? htmlspecialchars($_GET['key']) : '');
    $xoopsTpl->assign('key', $key);


Now the variable is clean in functions, but we need to sanitize it again in search.php...

open modules/rmdp/search.php

Around line 37 we find two requests to the $key variable:

$rmdp_location = 'search';
include('header.php');

$key = $_GET['key'];
if ($key==''){ $key=$_POST['key']; }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);


It needs a cleaning :S use htmlspecialchars() again on GET & POST;
change it to this:

$rmdp_location = 'search';
include('header.php');

$key = htmlspecialchars($_GET['key']);
if ($key==''){ htmlspecialchars($key=$_POST['key']); }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);


$cat apparently is sanitized, but if it is always a numeric value I think of using intval(), like:

$cat = isset($_GET['cat']) ? intval($_GET['cat']) : (isset($_POST['cat']) ? intval($_POST['cat']) : 0);



Now I go to fix the down.php file!!!

--
Curiosity is what makes the mind move...
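
The discarded return value pointed out in the reply to the search.php change above, next to the assignment form and an intval() helper, as an added example that is not part of the original post or of the RMSOFT module. The function names are hypothetical, PHP 7+ is assumed, and the request arrays are constructed sample input.

```php
<?php
// Added example, not RMSOFT code. Assumes PHP 7+; request arrays are passed
// in as parameters so it runs from the CLI on constructed input.

// Form used in the search.php change: htmlspecialchars() returns the escaped
// copy, it does not modify its argument, so $key keeps the raw POST value.
function key_return_discarded(array $get, array $post): string
{
    $key = htmlspecialchars($get['key'] ?? '');
    if ($key == '') {
        htmlspecialchars($key = $post['key'] ?? '');
    }
    return $key;
}

// Assignment form from the follow-up reply, plus explicit flags and charset:
// before PHP 8.1 the default flags left single quotes unescaped.
function key_escaped(array $get, array $post): string
{
    $raw = $get['key'] ?? '';
    if ($raw === '') {
        $raw = $post['key'] ?? '';
    }
    if (!is_string($raw)) {          // key[]=x arrives as an array
        return '';
    }
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Numeric parameters ($id, $cat, uid): force an integer, GET first then POST.
function int_param(array $get, array $post, string $name): int
{
    $raw = $get[$name] ?? ($post[$name] ?? 0);
    return is_scalar($raw) ? intval($raw) : 0;
}

// Constructed input, modelled on the uid=1">[XSS-CODE] report in this thread.
$get  = ['cat' => '7">[XSS-CODE]'];
$post = ['key' => 'it\'s 1">[XSS-CODE]'];

// Dump each result so the two $key variants can be compared side by side.
var_dump(key_return_discarded($get, $post));
var_dump(key_escaped($get, $post));
var_dump(int_param($get, $post, 'cat'));
var_dump(int_param([], ['id' => ['x']], 'id'));
```

Escaping at the point of output covers values that reach the template by other paths as well, which escaping on input alone does not.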


Re: Yogurt Social Network multiple scripts uid variable XSS

Quote:


fans.php is also affected too.

Example:

http://localhost/impresscms/modules/y ... /fans.php?uid=1">[XSS-CODE]

I am working on RMSOFT Download Plus to fix it now...



thanks again, yeah i've noticed some in other files too, at the moment i'm scanning through on a file per file basis, just searching for integer values that need intval() at moment. then will move onto sanitizing other strings etc. also cleaning some code up as i go along. making a bit tidier.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Yogurt Social Network multiple scripts uid variable XSS

Quote:


My plan: The module remains there here. Code improvements are collected. And there added. @Alfred looks for a better Code too. I think this sounds good. But above all it will please the users.



I have no problems with that, as long as the author is aware of what's happening

we don't want people going telling tales to the author that we have taken his module and developing it elsewhere, so with his permission now we can continue to fix the issues

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Yogurt Social Network multiple scripts uid variable XSS

Yesterday I had the opportunity to speak with the author. Marcello has no time for the project at the moment, and will have none in the future either. He has given me administration access on Sourceforge. The data in the CVS at Sourceforge is the latest and most current from Marcello.
We can work here quite unabashed and improve the code. Marcello even wishes that somebody continues his work.

My plan: The module remains there here. Code improvements are collected. And there added. @Alfred looks for a better Code too. I think this sounds good. But above all it will please the users.



Re: Yogurt Social Network multiple scripts uid variable XSS

Quote:


Sounds good to me ... other possibility might be, I add my improvement for easy renaming in the module?

then users can rename it to whatever they want ...



sorry but let's start as we mean to finish.

this is an RC release, meaning we add NO features whatsoever, we only bugfix!! & cleanup.

I have no intentions of taking this module on myself or moving it away from the author, unless the author has fully decided to abandon all development of the module himself. The only reason I wanted it in SVN here, was so we could help fix the vulnerabilities more quickly, and then pass those fixes back to the yogurt author/developer.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Yogurt Social Network multiple scripts uid variable XSS

fans.php is also affected too.

Example:

http://localhost/impresscms/modules/yogurt/fans.php?uid=1">[XSS-CODE]

I am working on RMSOFT Download Plus to fix it now...

--
Curiosity is what makes the mind move...


Re: Yogurt Social Network multiple scripts uid variable XSS

Quote:


thomas wrote:
cbb4 is still a beta afaik. Xforum i have not installed yet but will try right now and start a new topic.



Yes agree with Thomas.

Return a topic Yogurt and security changes...

Giba


Re: Yogurt Social Network multiple scripts uid variable XSS

cbb4 is still a beta afaik. Xforum i have not installed yet but will try right now and start a new topic.



Re: Yogurt Social Network multiple scripts uid variable XSS

Quote:


stranger wrote:
unfortunately I still have not worked with xforum .. how is it? is it better than newbb ? and what do you think about newbb 4?



Yes, very similar, but with interesting news. I think I will look at this module in the future.

Giba


Re: Yogurt Social Network multiple scripts uid variable XSS

Quote:


stranger wrote:
Why removing it? By fixing I meant sorting this out

I'm not the person in charge for this, I think it's better if you talk with sato and Vaughan .... I was just giving a suggestion in my earlier post ... Vaughan is working on that area I think.



I thought you were talking on fixing the license. :lmao:



