OR Security



awddesign
03-12-2004, 06:50 AM
Hi All

I found this in my email, wanted Ryan to know.

And is there a hole in OR Security FROM the boys in .br
////////
200.206.164.44 -- March 10, 2004, 9:44:00 pm -- SELECT default_UserDB.emailAddress FROM default_listingsDB, default_UserDB WHERE ((default_listingsDB.ID = http://www.wsar.hpg.ig.com.br/dcphp3.gif?) AND (default_UserDB.ID = default_listingsDB.user
////////
I know it's a Nuke problem
http://nukecops.com/postp89143.html

But it looks like they are also trying to do it with OR

Anyway, Ryan, what can we do to stop them?

Al

greengiant
03-12-2004, 07:56 AM
Where is the security hole? They will just get a page with an ERROR message... The database connection fails because the SQL statement is wrong....

You said this is a phpnuke bug; if you have some info on it and how it works, it would be appreciated. This was brought up once before and the other developers and I didn't feel there was any hole...

the_sandking
03-12-2004, 01:05 PM
Where is the security hole? They will just get a page with an ERROR message... The database connection fails because the SQL statement is wrong....

You said this is a phpnuke bug; if you have some info on it and how it works, it would be appreciated. This was brought up once before and the other developers and I didn't feel there was any hole...


Agreed, it would be hard (impossible) to exploit a site by adding offsite content via a SELECT statement. The worst anyone could probably do here is a denial of service, and that can happen with anybody's code.

However, if someone outside managed to hijack one of the functions that used an INSERT or UPDATE statement, they could potentially insert outside content. Since all functions in OR that do INSERT or UPDATE are called from pages that are protected via user login to the /admin area, it is unlikely that anyone would be able to "stumble" across an exploit there.

Open source has always also meant "Open hacking" but we are more likely to have our sites exploited via security holes in our webhost's configuration, or our own carelessness.

Not to say it CAN'T be done! Just very unlikely.

Fat Lizard
03-13-2004, 06:33 AM
is that OR currently uses/requires register_globals set to ON, and anyone can easily see what functions are called, and with what parameters.
Open source also equals open exploitation.
At the very least, don't use the default table prefix..

ltp
03-13-2004, 12:31 PM
is that OR currently uses/requires register_globals set to ON, and anyone can easily see what functions are called, and with what parameters.
Open source also equals open exploitation.
At the very least, don't use the default table prefix..

They can see the functions and parameters if they view the source code, yes.. but I don't foresee many people going over the code time and time again. But that's just me ;)

Also, open source does not always equal open exploitation in a properly coded application, if the application is (more) secure. The reason I say (more) is because there are outside factors, such as the OS being compromised, that could make the security of an app worthless.

ltp
03-13-2004, 12:36 PM
Also, here is a little list of security precautions one could take.

1) MySQL has its own user for open-realty
2) The mysql user has limited privileges.
3) chown most files (not directories that need to be written to) to a new user of the system specifically for open-realty (now if a low-level account on your system were to get compromised, open-realty would not be affected)
4) make sure that the permissions set on your files are somewhat secure from random people editing them.
5) examine all mods before their use in a production environment
6) do manual security checks and security reviews of the system and the script to check for vulnerabilities

These are just the start of the list. You could go on and on from here.
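
A concrete form of points 1 and 2 in the list above (a dedicated MySQL account with limited privileges), shown as an added example rather than anything from this thread or the Open-Realty project; the weak grant is there for contrast, and the database name `openrealty`, the account name `or_app`, the host restriction and the password placeholder are all assumptions:

```sql
-- Weak setting (contrast only): one all-powerful account shared by every
-- script on the host. A SQL injection in any one application then reaches
-- every database, and FILE lets the account read and write files on the
-- MySQL server itself.
GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' IDENTIFIED BY 'CHANGE_ME';

-- Hardened setting: an account used only by Open-Realty.
-- Assumed names: database `openrealty`, account `or_app`.
-- Only the row-level statements the application needs, only on its own
-- database, and only from the web server host (localhost here).
GRANT SELECT, INSERT, UPDATE, DELETE
    ON openrealty.*
    TO 'or_app'@'localhost'
    IDENTIFIED BY 'CHANGE_ME_TO_A_LONG_RANDOM_PASSWORD';

-- Deliberately absent: FILE, SUPER, PROCESS, GRANT OPTION, and any access
-- to the `mysql` privilege tables. CREATE, ALTER and DROP are left out too;
-- install mods and run schema changes with a separate admin account, so an
-- injected query running as the web account cannot alter the schema.
FLUSH PRIVILEGES;

-- Verify: the output should list exactly the grants above and nothing on *.*
SHOW GRANTS FOR 'or_app'@'localhost';
```

The `IDENTIFIED BY` clause on `GRANT` creates the account on the MySQL 4.x/5.x servers of the period; on MySQL 8 create the account first with `CREATE USER` and drop that clause from the `GRANT`.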

awddesign
03-15-2004, 04:14 AM
Hi All

I found this in my email, wanted Ryan to know.

And is there a hole in OR Security FROM the boys in .br
////////
200.206.164.44 -- March 10, 2004, 9:44:00 pm -- SELECT default_UserDB.emailAddress FROM default_listingsDB, default_UserDB WHERE ((default_listingsDB.ID = http://www.wsar.hpg.ig.com.br/dcphp3.gif?) AND (default_UserDB.ID = default_listingsDB.user
////////
I know it's a Nuke problem
http://nukecops.com/postp89143.html
But it looks like they are also trying to do it with OR
Anyway, Ryan, what can we do to stop them?
Al

Hi Greengiant

Looking at the code and reading some of the Nuke posts, it seems that they are trying to do something with the host server. I do not know which file they are trying to do it with. Sorry, I am not big on tech stuff.

regards
Al