Bypassing PHP-Nuke Membership Restrictions
lineman1996 writes "Recently, our site had two members join without permission. This went unnoticed for several hours as all the administrators tried to sort out whether one of us had approved their memberships. When it turned out that they weren’t approved, you will no doubt believe we were a little panicked!

It turns out that by adding a header back to the forums, I exposed a link that had not been on the site ever since the new skin was installed. Even though the link wasn’t there before, anyone could have created an unapproved account before at any time. It’s actually pretty laughable that with all the self-proclaimed hackers who have enjoyed spamming this site in the past and voting against all our articles, not a single one found this security hole.

Rationale

I would like to share with you how this hole worked for a couple reasons. The obvious one is that if you run a PHP-Nuke site like ours, you may be vulnerable as well. The bigger reason is that this is a good example of how a lot of hacking is done and how a little research goes a long way.

The Scenario

Let me explain the situation briefly. We are running a PHP-Nuke site with an embedded PHPBB forum. This version of PHP-Nuke has the embedded board for the benefit of users only needing to create one account. In other words, both systems share the same SQL database. While the PHP-Nuke software has overall control, PHPBB still retains a few of its own security settings. In this case, more than we realized.

The site was set in the PHP-Nuke software so that users could only create accounts after being approved by an administrator. After this, new users would still have to verify their email address to activate their account. To make this even tougher, I had attempted to remove all links to the page that allows accounts to be created.

Researching PHP-Nuke

To look for a security hole, let’s say our would-be hackers looked at another site running the same software as ours. For example, http://nukecops.com. Just by looking on the main page, they would see that the link to the account creation function is http://nukecops.com/modules.php?name=Your_Account&op=new_user. The first thing they might try is appending gate.html?name=Your_Account&op=new_user to our domain name.

This would have gotten them to the page they were looking for, but they still would have to be approved by an administrator before being able to activate their account. This has since changed and would forward them to a different page (just in case I’m giving anyone ideas).

While signing up for accounts like this would have been a minor annoyance (since each would have to be deleted), they would not be activated and therefore they could not have even logged in. That being said, let’s do a little more research.

Let’s say our would-be hackers look at the forums for the Nuke Cops site. There is a link at the top titled “Register”, which links to http://nukecops.com/modules.php?name=Forums&file=profile&mode=register. What is important to note here is that this is a different link that goes to a different page with a different registration function. Had they tried appending gate.html?name=Forums&file=profile&mode=register to our domain, they would have found a different registration page that would have let them register without even verifying their email!

Why was this possible?

As I mentioned above, the PHPBB software is embedded in PHP-Nuke but still retains some control. It turns out that buried deep within the administrative area for PHPBB, there is still a setting to allow members to join without validation. Having no idea that there were separate registration pages in the first place, I left this setting when I installed the site because I was letting PHP-Nuke handle all registrations.

Conclusion

This is a mistake I should not have made but nonetheless did. I’m lucky nobody found this because there are a lot of folks who would have made some administrators' lives miserable for hours while deleting spam threads and tracking down security holes! I was fortunate that the members who registered because of this security hole did so in complete innocence.

The reason this shouldn’t have happened is that a good administrator would rationalize security in the opposite direction of the way I did. What I mean is that a smarter administrator than myself would have started with all settings set to the maximum security to begin with and then would have slowly backed down as each setting needed lowered. While I was smart enough to check all the default settings, I neglected my responsibility to test the security more thoroughly.

While this may not seem like “real hacking” to do this sort of thing and more like silly HTML tricks, this is a good example of how a lot of hacking is done. The combination of a default security setting left at the minimum, a file present that allowed that setting to be used, and the file permissions set so that said file could be accessed by anyone is a very common problem. The scariest part is how little research and technical knowledge would have been needed to exploit it.

Admin Note: This is an excellent article and thought provoking. Thank you. I'd say this deserves a 5."
Posted on Monday, November 10 @ 20:22:19 CET by Zhen-Xjell
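
A log review that would have surfaced this sooner, as an added example (not code from the article or from PHP-Nuke): it scans access-log lines for requests that were served a registration form other than the one the administrator meant to expose. The combined log format, the `unexpected_signups` helper, the constructed sample lines and the last-duplicate-wins reading of query parameters (PHP's behaviour) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two registration entry points named in the article, identified by the
# query parameters that select them (the script name varies by site).
ENTRY_POINTS = {
    "nuke_signup": {"name": "Your_Account", "op": "new_user"},
    "forum_signup": {"name": "Forums", "file": "profile", "mode": "register"},
}

# Assumed: Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(target):
    """Return the entry-point label a request target selects, or None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # PHP keeps the last value of a repeated parameter, so judge by that one.
    last = {key: values[-1] for key, values in query.items()}
    for label, params in ENTRY_POINTS.items():
        if all(last.get(k) == v for k, v in params.items()):
            return label
    return None

def unexpected_signups(lines, intended=("nuke_signup",)):
    """List (ip, timestamp, label, target) for served registration forms
    that are not among the entry points the administrator intended."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        label = classify(m["target"])
        if label and label not in intended and m["status"] == "200":
            findings.append((m["ip"], m["ts"], label, m["target"]))
    return findings

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:14:02:11 +0100] "GET /gate.html?name=Forums&file=profile&mode=register HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [01/Jan/2004:14:03:40 +0100] "GET /modules.php?name=Your_Account&op=new_user HTTP/1.1" 200 4310 "-" "-"',
    '198.51.100.7 - - [01/Jan/2004:15:10:02 +0100] "GET /modules.php?name=Forums&file=viewtopic&t=12 HTTP/1.1" 200 9981 "-" "-"',
    '198.51.100.7 - - [01/Jan/2004:15:11:30 +0100] "GET /modules.php?name=Forums&file=profile&mode=editprofile&mode=register HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.5 - - [01/Jan/2004:16:00:00 +0100] "GET /gate.html?name=Forums&file=profile&mode=register HTTP/1.1" 404 312 "-" "-"',
]

if __name__ == "__main__":
    for finding in unexpected_signups(SAMPLE_LOG):
        print(finding)
```

Access logs record the request line only, so this reports who was served the form; whether an account was then created has to be confirmed against the user table.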
 

Re: Bypassing PHP-Nuke Membership Restrictions (Score: 1)
by lineman1996 on Monday, November 10 @ 20:52:10 CET
http://lineman.net
I appreciate Zhen-Xjell adding his kind words in the admin note! If anyone finds this article useful or needs help securing their site from this hole, please contact me.



Re: Bypassing PHP-Nuke Membership Restrictions (Score: 1)
by chris-au on Monday, November 10 @ 21:04:53 CET
http://sengers-au.com
I have to say, I am not an expert.

The CMS by FB was a very good and simple CMS before phpBB became an integrated part!
When phpNuke changed from that, by having a lot of scripts and database changes to accommodate the phpBB, I was thoroughly annoyed and perturbed.
FB tried to get his 'baby' to be used by commercial sites. Do THEY need phpBB? I doubt it.
The annoyance grows out of that.
If one does NOT use phpBB (or does not have a use for it), why do we need all these additions and changes to the core of phpNuke?
It should just have been a module, like Splatt, Invision and/or others.
Now all the users with a version of phpNuke that incorporates phpBB have all the bits and pieces hanging over them.
Sure, maybe they tried to make a good job of it, but this article makes my doubts even stronger.



Re: Bypassing PHP-Nuke Membership Restrictions (Score: 1)
by foxyfemfem on Tuesday, November 11 @ 06:32:28 CET
Hello,

I have used the forum registration since day one of the release of 6.5. A user has to activate their account. The info button in the Your Account section is linked to the forum profile. If a user changes their email address (via profile) their account is automatically deactivated until their new email address is verified (a hack I installed from phpbbhacks.com). I also have upon registration the Anti-Robotic Registration (another hack from phpbbhacks.com) which generates LETTERS at random for users to input correctly before their registration submission is accepted. If a person does not input the anti-robotic letters upon registration their account will not be created, and if they use the Your_Account&op=new_users section it is a given they must activate their account. Therefore, if a person utilizes the Your Account or the Forum registration their account must be verified, and all information points to the Forum profile for editing; in case a user decides to change their email address, their account will become deactivated until their new email address is verified. I removed all links that point to the Your Account profile; if someone inputs that information into their browser they will receive the 404 error message.



Re: Bypassing PHP-Nuke Membership Restrictions (Score: 1)
by Tank863 on Tuesday, November 11 @ 16:24:29 CET
http://tankweb.net
What is the solution for the average "User" who does not know programming as well as the author & Zhen?

I have printed out the instructions on how to "fix" this hole. Now, I do have an above intelligence mindset, and I know programming... but I seem to be lost in how to apply the fix properly.

Any suggestions.. because.. this does exist on my site...

Tank863



Re: Bypassing PHP-Nuke Membership Restrictions (Score: 1)
by revspalding on Tuesday, November 11 @ 20:34:54 CET
http://www.craigcolorado.us
This IS an excellent article, but it is much more than thought provoking. I would suggest that some serious coding goes into reconciling the situation and 'integrating' phpBB into Nuke a little more thoroughly than it is.

It probably needs to be put to the community, but for my two cents worth, I would prefer to register with the nuke signup page, complete with security code, and then have the confirmation email link send you to the edit your info page in forums. The edit info link in your account homepage should send you to the forums, and also have the register button in the forums send you to the YourAccounts signup page.
The register new accounts pages in forums could be dropped altogether, and all links throughout forums should refer you to the nuke signup page.
The text file that is in downloads doesn't quite carry this far enough, and I think the developers should get on the schtick and modify the CVS files and the bundle.

