CaNgo
Starting Member
15 Posts |
Posted - 16 August 2002 : 10:17:45
|
I use HuwR's version and applied all the security patches, but it has just been hacked. The hacker used pop_mail.asp, put in a SQL Update command (I use SQL Server 2000 for the database) and changed the email in the Admin account. Then they simply requested a password reminder. They also attacked links.asp, default.asp… After that I fixed the holes and wrote this code. It’s based on the “I’ve been hacked MOD” written by Foo. I would put this at the beginning of 2 files: inc_top.asp and inc_top_short.asp.
Remember, this is not a security patch. You have to patch all your files.
<%
If Request.ServerVariables("QUERY_STRING") <> "" then
    strChkQuery = UCase(Server.URLEncode(Request.ServerVariables("QUERY_STRING")))
    If Instr(strChkQuery,"FORUM%5FMEMBERS") OR Instr(strChkQuery,"UNION") OR Instr(strChkQuery,"SELECT") Then
        strTime = Now()
        strRecipientsName = "Admin"
        strIP = Request.ServerVariables("REMOTE_ADDR")
        strRecipients = "YourEmailAddress"
        strFrom = "Hack Patrol"
        strFromName = "Hack Patrol"
        strFromAddress = "YourEmailAddress"
        strSubject = "Got One"
        strMessage = strIP & " - " & strTime & vbcrlf
        strMessage = strMessage & Request.ServerVariables("URL") & vbcrlf
        strMessage = strMessage & Request.ServerVariables("QUERY_STRING")
%>
<!--#INCLUDE FILE="inc_mail.asp" -->
<%
        Response.Redirect("http://www.bored.com")
        Response.End
    End If
End If
%>
|
Edited by - CaNgo on 16 August 2002 17:05:07 |
|
Gremlin
General Help Moderator
New Zealand
7528 Posts |
Posted - 16 August 2002 : 11:10:30
|
Good idea.
You will need to change FORUM_MEMBERS though to FORUM%5FMEMBERS, else it won't pick that one up - this is because of the URLEncode you're doing on the string. I'd add M%5FPASSWORD to that check as well as another backstop. |
Kiwihosting.Net - The Forum Hosting Specialists
|
|
|
CaNgo
Starting Member
15 Posts |
Posted - 16 August 2002 : 11:17:03
|
Thanks Gremlin, I corrected that line. |
|
|
Gremlin
General Help Moderator
New Zealand
7528 Posts |
Posted - 16 August 2002 : 11:28:00
|
You're welcome.
Also to note is that by placing that code in either of the inc_top files you may end up with some pages having 2 copies of inc_mail.asp being included. At a quick glance I don't think this would cause any problems as there's no DIM, FUNCTIONS or SUBs in there, but just something to be wary of. |
Kiwihosting.Net - The Forum Hosting Specialists
|
|
|
CaNgo
Starting Member
15 Posts |
Posted - 16 August 2002 : 11:44:29
|
I'm not sure about this. If the querystring has those nasty words then it would include the inc_mail.asp to send mail, then it redirects the hacker to another website. It ends with Response.End. If the condition has not been met, it wouldn't include the inc_mail.asp. Is that right?
|
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 16 August 2002 : 11:53:49
|
Adding the red part in line 47 is enough to fix it:
strSql = "SELECT M.M_EMAIL, M.M_NAME FROM " & strMemberTablePrefix & "MEMBERS M"
strSql = strSql & " WHERE M.MEMBER_ID = " & CLng(Request.QueryString("ID")) |
Snitz 3.4 Readme | Like the support? Support Snitz too |
|
|
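An added example, not part of ruirib's post or the Snitz code: CLng raises a type-mismatch runtime error when the value is not numeric, so one option is to validate the ID first and reject bad requests cleanly. GetLongParam and lngMemberID are hypothetical names; strSql and strMemberTablePrefix are the variables from the post above.

```asp
<%
' Added example (hypothetical helper, not from Snitz).
' Returns the named query-string value as a Long, or -1 when it is
' missing or is anything other than a plain non-negative integer.
Function GetLongParam(strName)
    Dim strVal, i, ch
    GetLongParam = -1
    strVal = Trim(Request.QueryString(strName) & "")

    ' A Long holds up to 2147483647 (10 digits); accepting at most
    ' 9 digits guarantees CLng below cannot overflow.
    If Len(strVal) = 0 Or Len(strVal) > 9 Then Exit Function

    ' Digits only: stricter than IsNumeric, which also accepts
    ' values such as 1.5 or 1e5.
    For i = 1 To Len(strVal)
        ch = Mid(strVal, i, 1)
        If ch < "0" Or ch > "9" Then Exit Function
    Next

    GetLongParam = CLng(strVal)
End Function

Dim lngMemberID
lngMemberID = GetLongParam("ID")
If lngMemberID < 0 Then
    ' Reject the request instead of letting a runtime error page appear
    Response.Status = "400 Bad Request"
    Response.End
End If

' Only a validated number is ever concatenated into the statement
strSql = "SELECT M.M_EMAIL, M.M_NAME FROM " & strMemberTablePrefix & "MEMBERS M"
strSql = strSql & " WHERE M.MEMBER_ID = " & lngMemberID
%>
```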
CaNgo
Starting Member
15 Posts |
Posted - 16 August 2002 : 12:05:14
|
Yes, I fixed that in my pop_mail.asp. As I said in my post, the code is not a security fix. It's just another way to protect the other pages which we don't know if they have security holes or not. With all the MODs installed, I have no idea which page is safe anymore! |
|
|
Gremlin
General Help Moderator
New Zealand
7528 Posts |
Posted - 16 August 2002 : 12:09:59
|
All Include statements are parsed by IIS before any ASP is, so I believe it would in fact include both. |
Kiwihosting.Net - The Forum Hosting Specialists
|
|
|
CaNgo
Starting Member
15 Posts |
Posted - 16 August 2002 : 12:49:51
|
If so, we can take out the send mail part:
<%
' Backstop check only: redirect when the query string contains a watched keyword
If Request.ServerVariables("QUERY_STRING") <> "" then
    strChkQuery = UCase(Server.URLEncode(Request.ServerVariables("QUERY_STRING")))
    If Instr(strChkQuery,"FORUM%5FMEMBERS") OR Instr(strChkQuery,"UNION") OR Instr(strChkQuery,"SELECT") Then
        Response.Redirect("http://www.bored.com")
    End If
End If
%>
|
|
|
Etymon
Advanced Member
United States
2385 Posts |
Posted - 16 August 2002 : 16:06:42
|
Thanks a lot for the code, CaNgo!
Seeing topics like this one gets me curious.
Because of issues exactly like this, it would be awesome if some Snitz members created a "MOD Builder's Guild" where the leaders of the guild would scrutinize the security issues of the MODs "before" the MODs were publicized here at the forums. The MODs could be supported with a group effort rather than just a few individuals.
I think it would really help bring the Snitz community together. It would also be fun to see great minds working on cool projects.
Just my thoughts though.
Thanks again for the code, CaNgo!
Best regards,
Etymon
|
Edited by - Etymon on 16 August 2002 16:08:41 |
|
|
OneWayMule
Dev. Team Member & Support Moderator
Austria
4969 Posts |
|
Kent
Junior Member
United States
193 Posts |
Posted - 16 August 2002 : 18:56:48
|
I run Huwr's portal on an Access DB. Is it vulnerable to the same hack? |
|
|
CaNgo
Starting Member
15 Posts |
Posted - 16 August 2002 : 19:11:54
|
I think you can only use a SQL injection attack on SQL Server, MySQL... not on Access. Someone told me you can only use insertion injection with Access.
Maybe they can insert a new user with admin access? It's possible. |
|
|
Longnt06k
Starting Member
Vietnam
29 Posts |
Posted - 20 August 2002 : 05:09:34
|
Hey, some hacker used URLencode to pass. How to fix it??? That script was disabled when the hacker used urlencode!!! |
|
|
rick7165
Senior Member
USA
1094 Posts |
Posted - 20 August 2002 : 05:25:05
|
Don't mislead everyone with this... It's NOT Huwr's Portal that's vulnerable to being hacked... It's the Snitz Base Code, no matter if it's on Huwr's Modded Forum or just a standard Snitz Forum. You need to apply all patches to anything under 3.4
quote: Originally posted by Kent
I run Huwr's portal on an Access DB. Is it vulnerable to the same hack?
|
Test Site: EastPasco Huw's Code 3.3.10 SQL 2000 Huwr's Modified Code Email |
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 20 August 2002 : 06:01:34
|
quote: Originally posted by Longnt06k
Hey, some hacker used URLencode to pass. How to fix it??? That script was disabled when the hacker used urlencode!!!
How much clearer can we make it for you? You obviously have not applied the fixes that we have posted. If you continue to post all over this forum with these types of posts, I will have no choice but to lock your account. It seems all you want to do is post nonsense posts and try to make everyone think that there is this grand bug that hasn't been fixed.
Read this forum: http://forum.snitz.com/forum/forum.asp?FORUM_ID=118
and make sure that all of the fixes have been made to your forum. That means you have to actually edit the files in question with a text/html editor and then save the file and upload it to your site.
|
|
|
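On the URL-encoding question raised above, an added example (not code from any poster or from Snitz): Request.QueryString returns values that ASP has already URL-decoded, so matching against those values, rather than against the re-encoded raw QUERY_STRING, lets the backstop check see the same text the page code will use. ContainsSqlKeyword, arrBlocked and blnSuspicious are hypothetical names, and like the original this is a backstop, not a replacement for the patches.

```asp
<%
' Added example (hypothetical names, not from Snitz).
' True when the decoded text contains one of the keywords watched for
' in this thread. The keywords are written in decoded form
' (FORUM_MEMBERS, not FORUM%5FMEMBERS) because the input is decoded too.
Function ContainsSqlKeyword(strValue)
    Dim arrBlocked, i, strUpper
    arrBlocked = Array("FORUM_MEMBERS", "M_PASSWORD", "UNION", "SELECT")
    strUpper = UCase(strValue & "")
    ContainsSqlKeyword = False
    For i = 0 To UBound(arrBlocked)
        If InStr(strUpper, arrBlocked(i)) > 0 Then
            ContainsSqlKeyword = True
            Exit Function
        End If
    Next
End Function

Dim strKey, blnSuspicious
blnSuspicious = False

' Check every parameter name and its decoded value. A parameter sent
' more than once comes back as one comma-separated string.
For Each strKey In Request.QueryString
    If ContainsSqlKeyword(strKey) Then blnSuspicious = True
    If ContainsSqlKeyword(Request.QueryString(strKey)) Then blnSuspicious = True
Next

If blnSuspicious Then
    ' Assumption: rejecting with a 400 instead of redirecting elsewhere
    Response.Status = "400 Bad Request"
    Response.End
End If
%>
```

A legitimate request whose value happens to contain one of these words (a search for "select", for instance) is rejected as well, which is one more reason to treat the check as a tripwire and rely on typed parameters in each page.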