Peering at Security Management through a PHP Forum Vulnerability - Vulnerability Warning - Black Bar Safety Net

2005-12-20T00:00:00
ID MYHACK58:6220055607
Type myhack58
Reporter Anonymous
Modified 2005-12-20T00:00:00

Description

From: ReJeCt's Blog

Blue Magic Forum (BMForum) is a PHP forum that is widely used in China. Because of a code defect in its user registration module, a malicious attacker can elevate a normal user to administrator. First let us look at an example of an intrusion.

The intrusion example

Now suppose a malicious user knows about this vulnerability. By analysing the site http://www.bmforum.com/bmb/ he can obtain the forum's code, and at the bottom of every page there is a short identifying string that looks very similar across many forums. This is the feature code used to find victims: looking closely, we find that sites running this forum code will most likely carry a unique mark such as "Powered by BMForum Plus!". Using this feature code as a keyword in Baidu, Google and other search engines, countless targets appear before our eyes. Tip: the more precise the feature code, the easier it is to find vulnerable forums. Pick any one of the vulnerable forums. We will not describe the cause of this vulnerability in detail; the main flaw is that input filtering is not strict, and by forging "|" the program is made to read the user level as administrator when it performs the check. Click the "Register" button, enter the registration page, fill in the e-mail address field with test@test.com|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|, and after passing verification the newly registered user has become an administrator. The step is that simple, and coupled with the broad permissions of an administrator, the harm is easy to imagine. Entering "Central Administration", you can see the management page. Here a malicious user can do many things, such as uploading a file to construct a WebShell; the upload form can be built directly by the user. Imagine how ugly the administrator's expression would be if he knew his own website could be tormented this way. In fact, looking at the forum vulnerabilities rampant everywhere on the network, whether ASP, JSP or PHP, similar problems may exist. So, how can they be prevented effectively?
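As an added illustration (not BMForum's code and not from the original article), the following PHP reconstructs the general pattern behind the flaw described above: a user record assembled from "|"-delimited fields, where an unvalidated e-mail address lets the later fields shift. The weak builder is shown beside a hardened registration step that validates the address, rejects the delimiter outright and never takes the privilege level from user-controlled text. The field layout, level values and function names are constructed assumptions.

```php
<?php
// Added example, not BMForum's code: a hypothetical reconstruction of the
// pattern behind the flaw described above (a "|"-delimited user record built
// from an unvalidated e-mail address), beside a hardened registration step.
// Field layout, level values and function names are constructed assumptions.

const DELIM = '|';
const LEVEL_MEMBER = '3';   // assumed: an ordinary member
// (the payload in the text relies on a level of 0 being read as administrator)

// Weak: the raw address is concatenated into the delimited record, so any "|"
// inside it shifts the later fields, including the one later read as the level.
function build_record_weak(string $name, string $email): string
{
    return implode(DELIM, [$name, $email, LEVEL_MEMBER]);
}

// The reader trusts the third field as the user level.
function level_from_record(string $record): string
{
    $fields = explode(DELIM, $record);
    return $fields[2] ?? LEVEL_MEMBER;
}

// Hardened: validate syntactically, reject the delimiter and control characters
// explicitly, and keep the privilege level out of user-controlled text entirely.
function validate_email(string $email): ?string
{
    $email = trim($email);
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (strpbrk($email, DELIM . "\r\n\0") !== false) {
        return null;
    }
    return $email;
}

function build_record_hardened(string $name, string $email): ?string
{
    $clean = validate_email($email);
    if ($clean === null || strpbrk($name, DELIM . "\r\n\0") !== false) {
        return null;   // reject the registration instead of "repairing" the input
    }
    return implode(DELIM, [$name, $clean, LEVEL_MEMBER]);
}

// Constructed inputs: a normal address and the shape of the payload described above.
$legit = 'user@example.com';
$malicious = 'test@test.com|0|0|0';

echo level_from_record(build_record_weak('alice', $legit)), PHP_EOL;       // member level kept
echo level_from_record(build_record_weak('mallory', $malicious)), PHP_EOL;  // the shifted field is read as the level
var_dump(build_record_hardened('mallory', $malicious));                     // registration rejected (null)
echo level_from_record(build_record_hardened('alice', $legit)), PHP_EOL;   // member level kept
```

The essential change is not the e-mail syntax check but the last point: a privilege level that is stored next to user input in a text record is only as safe as every filter in front of it, so the hardened version assigns the level server-side and rejects any input that could carry the record's own delimiter.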

Preventive measures

1. Pay close attention to official patches

Many developers using ASP, PHP and other languages have a bad habit: once they have someone else's code, they think all is well. In fact this is a big risk, because the code was written by someone else and only that person really knows its security problems; perhaps one day their own forum suddenly receives an emergency message from the developer, and besides surprise there may also be a feeling of betrayal. So, with respect to security code, we can analyse it from the following two angles. Taking the Blue Magic Forum of this article as an example, you can log on to its official site http://www.bmforum.com and find the patch-related section, such as the address http://www.bmforum.com/bmb/forums.php?forumid=4, and check the forum's latest patches; this is also a responsible behaviour towards yourself and your customers. In general, the more popular a forum's code, the greater the attacks the forum may face. As is well known, the Dvbbs (Dongwang) forum now issues patches at a rate comparable even to Microsoft's. If you use Dvbbs, you must always follow its latest security news, through the Dvbbs forum, security magazines and security websites, so that you learn of problems in the fastest time and prevent and resolve vulnerabilities promptly. Besides paying attention to official patches, if you have learned more about the problem you can patch it directly. The following code uses a regular expression: if the message contains "javascript" the word is split, which can effectively eliminate cross-site attacks. The modified part of the code is as follows:

    if ($allow['pic']) {
        $message = preg_replace("/\[img\](.+?)\[\/img\]/eis", "cvpic('\\1')", $message);
        $message = preg_replace('/javascript/i', 'java script', $message);
    } else {
        // ... (the rest of the branch is unchanged)
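The patch above blacklists one word and also depends on preg_replace's /e modifier, which evaluates the replacement string as PHP code (the modifier was removed in PHP 7). The following PHP is an added example, not BMForum's code and not from the original article: it renders the same [img] tag with preg_split and output encoding, so everything the user typed is HTML-escaped and only http/https image URLs become tags. Function names are assumptions.

```php
<?php
// Added example, not BMForum's code. The patch above blacklists the word
// "javascript" and relies on preg_replace's /e modifier, which evaluates the
// replacement as PHP code (the modifier was removed in PHP 7). This version
// renders [img] tags with preg_split plus output encoding: everything the
// user typed is HTML-escaped, and only http/https image URLs become tags.
// Function names are assumptions.

function render_img_tag(string $url): string
{
    $parts = parse_url(trim($url)) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    // A scheme outside http/https (javascript:, data:, ...) or a missing host
    // means the tag is shown literally, escaped, rather than rendered.
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return htmlspecialchars('[img]' . $url . '[/img]', ENT_QUOTES, 'UTF-8');
    }
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="" />';
}

function render_message(string $message, bool $allowPic): string
{
    if (!$allowPic) {
        return nl2br(htmlspecialchars($message, ENT_QUOTES, 'UTF-8'));
    }
    // Split on [img]...[/img]; with PREG_SPLIT_DELIM_CAPTURE the captured URLs
    // land at the odd indexes and the surrounding plain text at the even ones.
    $pieces = preg_split('/\[img\](.+?)\[\/img\]/is', $message, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($pieces as $i => $piece) {
        $out .= ($i % 2 === 1)
            ? render_img_tag($piece)
            : htmlspecialchars($piece, ENT_QUOTES, 'UTF-8');
    }
    return nl2br($out);
}

// Constructed post mixing a legitimate image, raw HTML and a non-http URL.
$post = "Look: [img]http://example.com/a.png[/img]\n<script>alert(1)</script>\n[img]javascript:alert(1)[/img]";
echo render_message($post, true), PHP_EOL;
echo render_message($post, false), PHP_EOL;
```

Encoding on output removes the need to guess which words are dangerous: the raw script element and the non-http image URL both come out as harmless text, while the legitimate image still renders.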
2. Read the code and understand the code

Nowadays many forum installers are very intelligent, so many users do not bother to look at how the code achieves its functions: click "Next", or upload straight to the server, and everything will be fine. This is actually a bad habit; only by carefully reading and understanding the code, knowing not just that it works but why it works, can you truly find the problem areas. For example, in Web applications database security is a very serious problem. Many code developers are aware of such issues and think carefully about where problems may lie in order to apply remedies, but the common case is that either not all suspicious places are covered, or the remedy itself is logically incorrect. For a patient attacker with a sensitive nose, such a remedy is essentially no different from no remedy at all. Common input variables come in three types: numbers, strings and collections. For numeric input variables a simple call to a checking function suffices; looking at the code, almost all checks of such variables are correct. For string types, the value is basically inserted into the generated SQL statement between single quotes; if the aim is only to destroy the injection condition, replacing a single quote with two single quotes should be no problem. Similarly, a collection of strings can be handled with the same simple method. But a collection of numbers is a little more troublesome: at least you must allow digits, commas and perhaps spaces or similar symbols to appear normally in the input, so the filtering rules may seem complex. A typical example is removing single quotes from all input variables regardless, or replacing a single quote with two legitimate single quotes, for example:

    id = replace(request.querystring("id"), "'", "")

This approach is very likely wrong, because what causes SQL injection is not always a single quote; extending this a little, the problem is not caused by any one symbol. The essence of exploiting injection is to close off the preceding part of the SQL query: one usually has to properly close the previous condition first, because the new condition is introduced inside the same statement. A remedy therefore only has to destroy the injection condition, but given the complexity it is best to restrict the input character types more completely. This requires examining the actual code more carefully. Therefore, before using data submitted by the other party, first analyse and list every character they could possibly enter, and then audit each input branch case by case according to its type; this is also a basic precautionary rule that every user of the code should understand.
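The following PHP is an added example, not from the page's forum code and not from the original article. It applies the rule just stated to the three input types the text names: a number, a numeric collection (digits, commas, optional spaces) and a string, each validated against the character set its type allows instead of having quotes stripped, and the query is then issued with bound parameters so that a legitimate quote survives and a malicious one cannot close the statement. Function and table names are assumptions, and the demonstration assumes the pdo_sqlite extension.

```php
<?php
// Added example, not from the page's forum code. Instead of stripping single
// quotes, each input is validated against the character set its type allows,
// and the SQL is issued with bound parameters. Function names, the table
// layout and the use of pdo_sqlite for the demonstration are assumptions.

function input_int(string $raw): ?int
{
    // Digits only (optional leading minus); reject anything else rather than casting.
    return preg_match('/^-?\d{1,10}\z/', $raw) === 1 ? (int) $raw : null;
}

function input_int_list(string $raw): ?array
{
    // Numeric collection: digits separated by commas, with optional spaces.
    if (preg_match('/^\s*\d{1,10}(?:\s*,\s*\d{1,10})*\s*\z/', $raw) !== 1) {
        return null;
    }
    return array_map('intval', array_map('trim', explode(',', $raw)));
}

function input_string(string $raw, int $maxLen = 64): ?string
{
    // Strings are not escaped here at all; they reach the database through a
    // bound parameter, so only length and control characters are checked.
    if (strlen($raw) > $maxLen || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $raw) === 1) {
        return null;
    }
    return $raw;
}

// Build a query whose only dynamic parts are placeholders.
function select_threads_sql(array $ids, string $author): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT tid, subject FROM threads WHERE tid IN ($placeholders) AND author = ?";
    return [$sql, array_merge($ids, [$author])];
}

function run_threads_query(PDO $pdo, string $rawIds, string $rawAuthor): ?array
{
    $ids = input_int_list($rawIds);
    $author = input_string($rawAuthor);
    if ($ids === null || $author === null) {
        return null;   // reject, do not "repair" the input
    }
    [$sql, $params] = select_threads_sql($ids, $author);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory table standing in for the forum's thread table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE threads (tid INTEGER, subject TEXT, author TEXT)');
$pdo->exec("INSERT INTO threads VALUES (1,'hello','alice'),(2,'world','alice'),(3,'other','bob')");

var_dump(input_int('42'), input_int('42 OR 1=1'));                 // accepted, rejected
var_dump(run_threads_query($pdo, '1, 2,3', 'alice'));              // alice's two threads
var_dump(run_threads_query($pdo, '1,2) OR (1=1', 'alice'));        // numeric list rejected
var_dump(run_threads_query($pdo, '1', "alice' OR '1'='1"));        // bound as a literal name: no rows, no bypass
```

The numeric-collection case is the one the text calls troublesome: the regular expression admits exactly digits, commas and whitespace, so the list is either a clean array of integers or rejected outright, and the query itself never sees the raw text.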

3. Check the site's security log and backdoor files

In general an intruder always leaves more or less some clues; below we find them. Blue Magic Forum has a "security log" section that records some login information. Even if the attacker empties it, a record such as "forum security log emptied" still remains, and a clever administrator should be able to see signs of intrusion from it rather than being kept in the dark. In addition, our analysis found that this version of the forum also records entries into the administrator interface within 24 hours. Applying the patch does not mean the problem has been solved: the attacker is likely to have uploaded a couple of web page Trojan programs or modified some system settings, so the changed parts must be examined. Take the PowerEasy (Dongyi) upload vulnerability that appeared not long ago, where a variable error caused an upload vulnerability: because "asp " (with a trailing space) is not equal to "asp" (no space), and Windows automatically removes the trailing space from such a file name, a file the attacker uploads as "asp " becomes a plain asp file. For this case, each upload save directory must be carefully checked for files with extensions such as asp, asa, cdx, cer and aspx; if any exist, a Trojan has been uploaded. If you really cannot be sure, remove all the ASP files and download the official files again to overwrite them. This also indirectly tells us that important personal information in forum registration data must be protected: if an attacker obtains information such as a specific birthday or the answer to a secret question, he can easily change a user's mailbox password.
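The directory check described above, as an added PHP example that is not part of the original article or of BMForum: it walks an upload directory and flags files whose name, after trimming the trailing spaces or dots that Windows drops, carries a server-side script extension, and it shows the matching rule an upload handler should apply before saving (accept a short list of extensions, reject names whose stored form would differ from the checked form). The directory, the extension lists and the constructed file names are assumptions.

```php
<?php
// Added example, not part of the original article or of BMForum. It walks an
// upload directory and flags files whose name, after trimming the trailing
// spaces (or dots) that Windows drops, carries a server-side script
// extension. The directory and the constructed file names are assumptions.

const SCRIPT_EXTENSIONS = ['asp', 'asa', 'cdx', 'cer', 'aspx', 'php', 'php3', 'phtml'];

// Normalise a file name the way a Windows file system would store it.
function effective_extension(string $name): string
{
    $trimmed = rtrim($name, " .");
    return strtolower(pathinfo($trimmed, PATHINFO_EXTENSION));
}

// Decide whether an upload name should be accepted at all (allow-list, not block-list).
function upload_name_allowed(string $name, array $allowed = ['jpg', 'jpeg', 'gif', 'png']): bool
{
    if ($name !== rtrim($name, " .") || strpos($name, "\0") !== false) {
        return false;   // trailing space/dot or NUL: the stored name would differ from the checked one
    }
    return in_array(effective_extension($name), $allowed, true);
}

// Scan a directory tree and return the suspicious entries with their modification time.
function find_suspicious_uploads(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && in_array(effective_extension($file->getFilename()), SCRIPT_EXTENSIONS, true)) {
            $hits[] = ['path' => $file->getPathname(), 'mtime' => date('c', $file->getMTime())];
        }
    }
    return $hits;
}

// Constructed demo: a temporary upload tree with harmless and suspicious names.
$tmp = sys_get_temp_dir() . '/upload_demo_' . getmypid();
mkdir($tmp . '/images', 0700, true);
foreach (['photo.jpg', 'shell.asp', 'images/notes.txt', 'images/cmd.asp '] as $name) {
    file_put_contents($tmp . '/' . $name, 'x');
}
foreach (find_suspicious_uploads($tmp) as $hit) {
    echo $hit['mtime'], '  ', $hit['path'], PHP_EOL;   // one line per suspicious file
}
var_dump(upload_name_allowed('photo.jpg'), upload_name_allowed('cmd.asp '), upload_name_allowed('cmd.asp'));

// Remove the demo tree again.
$walk = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($tmp, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walk as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($tmp);
```

The modification time is printed alongside each hit because, as the text says, the patch date is the natural dividing line: a script file that appeared in an upload directory before the patch was applied deserves a closer look than the forum's own files.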
In other words, by obtaining user information from the forum an attacker can break into a mailbox by resetting its password, and everything in that mailbox is then fully in the attacker's hands.

4. Strengthen WEB server security at multiple levels

In the field of network security, a firewall that prevents attacks from the Internet on the internal network is very important; beyond that, the WEB server should be regarded as the second area that needs a high degree of security. Server security consists of several secure areas, and to achieve the highest degree of protection that conditions permit, the security required in each area must be achieved consistently. Below are a few key areas of prevention:

- Infrastructure area. This area defines the server's location in the network and must be able to prevent data eavesdropping, network mapping, port scanning and other hacking threats. Moreover, it should be able to track a successful intrusion of an exposed Web server, because an intruded server may be used as a base for attacking other important servers; DoS attacks are the most common form of this. In addition, a complex firewall or a simple router rule set can ensure that only the specified server services may be accessed.

- Network protocol area. Network communication generally means all TCP/IP communication; however, some functions or weak points of a protocol may be used to launch attacks or vandalism. The kernel must therefore be configured as necessary to block these kinds of attack. Given the characteristics of a WEB server, the administrator must apply the right remedy to the disease and understand some common prevention methods. For example, Linux provides a feature called SYN cookies, the most effective solution, which can effectively prevent SYN flood attacks.

- Service area. This area defines which services are needed. Through the security policy, only the services required for the necessary operations are configured on the server; otherwise it provides the attacker with more points of attack. For example, for services without full authentication capability, or services that transmit sensitive data unencrypted (such as Telnet, FTP, or transferring sensitive credit-card data over the WWW), you should use the more secure alternatives, such as SSH, FTP over SSL or HTTPS.

- Application area. For security, each service must be configured individually. A badly configured mail server may be used to send spam; a badly configured WEB server can execute any system command.

- Operating system area. Here there should be an intrusion detection mechanism. If the security configuration in the application area is reasonable, even an intruder who successfully enters the system will not have enough administrative privilege to complete the destructive work. Installed applications, especially high-privileged programs, should be restricted to the range the system absolutely needs. Of course, frequent backups must not be neglected, and old backup files should not be discarded. But many people use virtual hosting and have no permission to operate on the server; if they want to back up data, they can use the backup facilities provided by the forum management interface.

Blue Magic Forum also has an exposed Web path problem. For similar problems, consider turning off the display_errors option in php.ini on the server; however, this applies to a stand-alone host or a separate server. You can also refer to other forums' repair methods; for example, phpwind repairs a similar problem by adding an "@" in front of the function so that it does not report an error.

This is the original code:

    if (in_array($tid_db[$i], $delid)) {

The modified code is:

    if (@in_array($tid_db[$i], $delid)) {

This article is complete. Vulnerabilities on the network are still emerging, so subsequent security issues will continue to plague every security manager around us. I hope some of the suggestions in this article can serve as a warning, and let everyone find their own foothold in complex networks.
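Suppressing the warning with "@" hides the symptom, and the underlying warning would still reveal the Web path wherever display_errors is on. The following PHP is an added example (not phpwind's or BMForum's code, and not from the original article): it checks the operands before calling in_array so that no warning is raised at all, and sets the error-display options at runtime so that any remaining error goes to a log instead of the page. The variable names follow the snippet above; the log path is an assumption.

```php
<?php
// Added example, not phpwind's or BMForum's code. Suppressing the warning with
// "@" hides the symptom; the check below avoids the warning altogether, and the
// ini settings keep any remaining error off the page (which would expose the
// web path). Variable names follow the snippet above; the log path is assumed.

ini_set('display_errors', '0');                          // same effect as display_errors = Off in php.ini
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/forum-errors.log');   // assumed path, must be writable by the web server

function is_selected_for_delete(array $tid_db, int $i, $delid): bool
{
    // in_array() on a non-array $delid (the POSTed id list may be missing), or an
    // undefined $tid_db[$i], is what produced the warning that "@" silenced.
    if (!is_array($delid) || !array_key_exists($i, $tid_db)) {
        return false;
    }
    // Compare as strings with strict mode so loose-comparison surprises cannot
    // make an unrelated id match.
    return in_array((string) $tid_db[$i], array_map('strval', $delid), true);
}

// Constructed inputs: thread ids on the page and the list the user ticked.
$tid_db = ['12', '15', '20'];
var_dump(is_selected_for_delete($tid_db, 1, ['15', '20']));   // ticked: true
var_dump(is_selected_for_delete($tid_db, 5, ['15']));         // undefined index handled: false, no warning
var_dump(is_selected_for_delete($tid_db, 0, null));            // missing list handled: false, no warning
```

Turning display_errors off is still worthwhile even with the check in place, because it covers every other code path the audit has not reached; log_errors keeps the information available to the administrator rather than discarding it.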