Date: 7 May 2007 18:53:22 -0000
From: technocrat@...e-evolution.com
To: bugtraq@...urityfocus.com
Subject: Re: NukeSentinel Bypass SQL Injection & Nuke Evolution <= 2.0.3 SQL Injections

Perhaps you did not report this to me first (or at all) because if you had I would have told you how these do not work and how you were wrong.  Which I guess would mean that you could not post this.  It is the only explanation I can come up with.

There is no excuse for not contacting an author before posting one of these.  I am totally accessible through numerous channels of contact on the Evolution site.  Please contact me first next time.

Now to point out the mistakes you made in this post.

With the exception of News/read_article.php all of the lines have been fixed or removed since v2.0.0 Final.  That said, <= v2.0.0 Final is no longer available from us and we have told everyone to upgrade since late last year.  It (<= v2.0.0) was completely deprecated on Feb 28th of this year.  Even so, the security features protect the older site from having any of these work.  Hence why I will not fix any of these but the read_article.

But in effort to be fair (even though you were not) I will go over each point you have made.

Bug 1 (the sentinel bypass) will not work, and has not worked in any version of Evo.  If you look at the st_clean_string function in that file you will see "%2f" gets changed to "%20" in any lines before it is checked for UNION or CLIKE.  

Testing your example in all versions of Evo resulted in a block from sentinel and no data getting passed back.  Even the live headers do not show a valid hack.

If you were to disable Sentinel, it still doesn't work.  If you look in the db layer you will see each query gets checked for a UNION before being executed.  If a UNION is found it is broken up.  So again your exploit does not work.

If you disable both sentinel and the db layer security, only then will any of the examples you gave work.  In order to do this you have to manually remove the sentinel include and the union checking function in the db layer.

Your_Account/index.php - Has been fixed since v2.0.0 RC2 (which is also deprecated) by:
$username = Fix_Quotes($_REQUEST['username']);

News/read_article.php - Your only semi-valid point, and it will be fixed in the next release.  Though, as stated before, it is not exploitable unless both layers of security have been manually removed.

Donate/index.php - This module was completely removed in v2.0.0 RC1 (which is also deprecated).

Please feel free to contact me if you feel that I am wrong or have any other information.
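The reply above describes a two-layer defence: a request-level screen (Sentinel) that rewrites "%2f" to "%20" before the value is inspected for UNION or CLIKE, and a db layer that inspects each assembled query for UNION before it runs. The following is an added toy model of that layering, written for this archive page; it is not NukeSentinel or Nuke Evolution code, and the function names, the blocked-token list, the in-memory SQLite table and the sample request values are all constructed assumptions. The final execution step uses a parameterised, integer-typed query (an addition for illustration, not something the reply states the project does) so the model also shows what happens when both screens are switched off.

```python
"""Toy model of the layered UNION screening described in the reply.

Added example; not code from NukeSentinel or Nuke Evolution.  Names, the
blocked-token list, the sample table and the sample inputs are constructed.
"""
import re
import sqlite3
from urllib.parse import unquote

# The reply names UNION and CLIKE as the tokens the sentinel checks for;
# treating them as a fixed word list is an assumption of this model.
BLOCKED_TOKENS = ("UNION", "CLIKE")


def normalize_request_value(raw: str) -> str:
    """Layer 1 normalisation as the reply describes it: "%2f" becomes "%20"
    before the value is decoded, so the keyword check sees spaces rather
    than encoded slashes.  Whitespace is collapsed and the text upper-cased
    so that matching below is uniform (an assumption of this model)."""
    rewritten = re.sub(r"%2f", "%20", raw, flags=re.IGNORECASE)
    decoded = unquote(rewritten)
    return re.sub(r"\s+", " ", decoded).strip().upper()


def sentinel_blocks(raw: str) -> bool:
    """Layer 1 decision: block the request if any listed token appears as a
    whole word in the normalised value."""
    canon = normalize_request_value(raw)
    return any(re.search(rf"\b{re.escape(tok)}\b", canon) for tok in BLOCKED_TOKENS)


def db_layer_blocks(sql: str) -> bool:
    """Layer 2 decision: the reply says the db layer checks each query for
    UNION before executing it and breaks such a query up.  This model simply
    refuses to run it, which has the same effect for the demonstration."""
    return re.search(r"\bUNION\b", sql, flags=re.IGNORECASE) is not None


def _connect() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an articles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (sid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "First"), (2, "Second")])
    return conn


def read_article(raw_sid: str, sentinel_enabled: bool = True,
                 db_guard_enabled: bool = True) -> str:
    """Run a raw, still percent-encoded sid parameter through both layers and
    report which layer (if any) stopped it.  The flags mirror the reply's
    point that the screens must be removed one by one for anything to pass."""
    if sentinel_enabled and sentinel_blocks(raw_sid):
        return "blocked:sentinel"

    # The db layer inspects the query string the legacy code would have
    # built; the assembled string is used only for that inspection here.
    assembled = f"SELECT title FROM articles WHERE sid = {unquote(raw_sid)}"
    if db_guard_enabled and db_layer_blocks(assembled):
        return "blocked:db-layer"

    # Added hardened execution path: the value is coerced to an integer and
    # bound as a parameter, so it can only ever be data, never SQL text.
    try:
        sid = int(unquote(raw_sid))
    except ValueError:
        return "rejected:not-an-integer"
    conn = _connect()
    try:
        row = conn.execute("SELECT title FROM articles WHERE sid = ?",
                           (sid,)).fetchone()
    finally:
        conn.close()
    return row[0] if row else "no such article"


if __name__ == "__main__":
    # Constructed sample values, including one that uses %2f as separators.
    for value in ("1", "9", "1%2fUNION%2fSELECT%2f1"):
        print(repr(value), "->", read_article(value))
    print("sentinel off ->", read_article("1%2fUNION%2fSELECT%2f1",
                                          sentinel_enabled=False))
    print("both off     ->", read_article("1%2fUNION%2fSELECT%2f1",
                                          sentinel_enabled=False,
                                          db_guard_enabled=False))
```

Each call to read_article returns a short status string so the reader can see exactly which layer made the decision; with the sentinel disabled the same input is stopped by the db-layer check, and with both disabled the typed, parameterised query rejects it because the value is not an integer.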
