Possible Attack in admin area

I am not sure if this one was fixed too or not, but I would like someone to test it and make sure that everything is okay, because I get a possible attack now in here:

Admin---->Menu---->Builder------>Navigation Menu---->Ads,blogs,chat,Files,Photos,Sites,Sounds,Videos,Boards,Events,

Admin----->Member Menu----->Active Items---->member Block,status message

Admin--->Profile Fields--->Active Items--->General info--->couple,nickname,firstname,lastname,password,email

Admin--->Profile Fields--->Active Items--->Misc Info--->from sex to Profile Photo

Admin---> Profile Fields--->Active Items--->Captcha--->Captcha,Termsuses

In Admin Profile Fields the problem is I can't save, and again an email is sent. The possible attack email is:

Total impact: 24
Affected tags: xss, csrf, id, rfe, lfi

Variable: REQUEST.Check | Value: return (bool) preg_match(\'/^([a-z0-9\\+\\_\\-\\.]+)@([a-z0-9\\+\\_\\-\\.]+)$/i\', $arg0);
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects code injection attempts 2/3 | Tags: id, rfe, lfi | ID: 59

Variable: POST.Check | Value: return (bool) preg_match(\'/^([a-z0-9\\+\\_\\-\\.]+)@([a-z0-9\\+\\_\\-\\.]+)$/i\', $arg0);
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects code injection attempts 2/3 | Tags: id, rfe, lfi | ID: 59
Centrifuge detection data  Threshold: 3.49  Ratio: 2.32142857143

REMOTE_ADDR: xxxxxxxxxxxxxxx
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:

-----------------------------------------------------------------------------------------------------------------

All of those at the bottom here are related to the Navigation Menu and Member Menu. When I want to modify something and save, it keeps loading and loading... I got a possible attack email sent to the admin area instead of the possible attack showing in the admin area!

Total impact: 10
Affected tags: dt, id, lfi

Variable: REQUEST.Link | Value: modules/?r=photos/home/|modules/?r=photos/
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

Variable: POST.Link | Value: modules/?r=photos/home/|modules/?r=photos/
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

REMOTE_ADDR: xxxxxxxx
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:

------------------------------------------------------------------------------------------------------------------

Total impact: 10
Affected tags: dt, id, lfi

Variable: REQUEST.Link | Value: modules/?r=videos/home/|modules/?r=videos/
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

Variable: POST.Link | Value: modules/?r=videos/home/|modules/?r=videos/
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

REMOTE_ADDR: xxxxxxxxxxxxxxxxxxxxxxxx
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:

------------------------------------------------------------------------------------------------------------

Total impact: 10
Affected tags: dt, id, lfi

Variable: REQUEST.Link | Value: modules/?r=events/home/|modules/?r=events/
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

Variable: POST.Link | Value: modules/?r=events/home/|modules/?r=events/
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

REMOTE_ADDR: xxxxxxxxxxx
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:

--------------------------------------------------------------------------------------------------------

Total impact: 10
Affected tags: dt, id, lfi

Variable: REQUEST.Link | Value: modules/?r=board/home/|modules/?r=board/|modules/?r=photos/browse/category/Board|m/photos/browse/category/Board
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

Variable: POST.Link | Value: modules/?r=board/home/|modules/?r=board/|modules/?r=photos/browse/category/Board|m/photos/browse/category/Board
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

REMOTE_ADDR: xxxxxxxxxxxxxxxxxxxxxx
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:

------------------------------------------------------------------------------------------------------- THE LIST IS LONG :)

Please let me know if this issue was fixed or it's a new one.

Thanks.

Eli.

Proud Hosted by Zarconia.net
Quote · 7 Nov 2009
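
As an added example (not part of the original thread, and not PHPIDS or Dolphin code), the Python below parses report e-mails in the layout quoted in the post above and merges the REQUEST and POST copies of the same submitted value, so the rule IDs firing on each admin form field can be reviewed without double counting. The sample text is constructed, and `parse_report` and `triage` are hypothetical helper names.

```python
import re

# Constructed sample in the layout of the report e-mails quoted in the thread
# (the Check value is abbreviated; REMOTE_ADDR lines are omitted).
SAMPLE_REPORT = r"""
Variable: REQUEST.Check | Value: return (bool) preg_match(...);
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects code injection attempts 2/3 | Tags: id, rfe, lfi | ID: 59

Variable: POST.Check | Value: return (bool) preg_match(...);
Impact: 12 | Tags: xss, csrf, id, rfe, lfi
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects code injection attempts 2/3 | Tags: id, rfe, lfi | ID: 59

Variable: POST.Link | Value: modules/?r=videos/home/|modules/?r=videos/
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11
"""

VAR_RE = re.compile(r"^Variable: (\w+)\.(\S+) \| Value: (.*)$")
IMPACT_RE = re.compile(r"^Impact: (\d+) \|")   # does not match "Total impact:"
RULE_RE = re.compile(r"^Description: .* \| ID: (\d+)$")

def parse_report(text):
    """Return one dict per 'Variable:' block: source, field, value, impact, rule IDs."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := VAR_RE.match(line):
            cur = {"source": m[1], "field": m[2], "value": m[3], "impact": 0, "rules": []}
            events.append(cur)
        elif cur and (m := IMPACT_RE.match(line)):
            cur["impact"] = int(m[1])
        elif cur and (m := RULE_RE.match(line)):
            cur["rules"].append(int(m[1]))
    return events

def triage(events):
    """Merge REQUEST.x / POST.x copies of one submitted value into a single finding."""
    merged = {}
    for e in events:
        finding = merged.setdefault((e["field"], e["value"]), {
            "field": e["field"], "sources": [], "impact": e["impact"], "rules": e["rules"]})
        finding["sources"].append(e["source"])
    return list(merged.values())

if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f["field"], f["sources"], "impact", f["impact"], "rule IDs", f["rules"])
```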

Can anyone suggest something about this new possible attack in the admin area?

Proud Hosted by Zarconia.net
Quote · 7 Nov 2009

You guys, can you please check it out for me, and post here if it does work for you or not.

Thanks ,

Eli.

Proud Hosted by Zarconia.net
Quote · 8 Nov 2009

Thank you for the reports, it is already fixed.

Rules → http://www.boonex.com/terms
Quote · 9 Nov 2009

Thank you for the reports, it is already fixed.

Thanks Alex.  Don't forget to say it's fixed in all 6 of Eli's attack posts.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 9 Nov 2009

Thank you for the reports, it is already fixed.

Thanks Alex.  Don't forget to say it's fixed in all 6 of Eli's attack posts.

That's cool if it's fixed, but can you please provide me with the link for this fix, because I can't manage to get it. I did look more than one time in the Trac and ticket section but can't manage to find it.

Please, I need the link for the fix.

Thank you.

Eli.

Proud Hosted by Zarconia.net
Quote · 9 Nov 2009

You can try downloading/replacing these files.

http://www.boonex.com/trac/dolphin/export/13184/trunk/plugins/phpids/IDS/Config/Config.ini

http://www.boonex.com/trac/dolphin/export/13184/trunk/plugins/phpids/IDS/default_filter.xml

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 9 Nov 2009

Man, I did replace the full new security update package that includes administration and inc and the rest you state there, but this possible attack comes from nowhere. Anyway, I am updating again and I will let you know in a few minutes ;)

Thanks, but I will keep you updated soon.

Proud Hosted by Zarconia.net
Quote · 9 Nov 2009

You can try downloading/replacing these files.

http://www.boonex.com/trac/dolphin/export/13184/trunk/plugins/phpids/IDS/Config/Config.ini

http://www.boonex.com/trac/dolphin/export/13184/trunk/plugins/phpids/IDS/default_filter.xml

Man, I've tried those files you gave me, but it seems they are no use for the kind of possible attack that I got here:

Admin-----> Builders------>Navigation Menu-----> If I click on VIDEO and try to modify something and click on Save, it keeps loading forever and an email is sent to my admin inbox. For your information, I am using the latest update that was provided by Alex ------> Trunk---Administrator,Inc,Install,modules,plugins,join,pedit....

Total impact: 10
Affected tags: dt, id, lfi

Variable: REQUEST.Link | Value: modules/?r=videos/home/|modules/?r=videos/
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

Variable: POST.Link | Value: modules/?r=videos/home/|modules/?r=videos/
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11

REMOTE_ADDR:xxxxxxxxxxxxxxxxxxxx
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:

Proud Hosted by Zarconia.net
Quote · 9 Nov 2009

Guys, come on, let's be honest with one another. A long time ago a fix was released for the possible attacks; some of you have had no problem since uploading the new folder to your root, and I did the same. But yesterday and today, now in the Banner Section, I got Possible Attack even though I did upload the fix for it. This is what I got now:

Total impact: 56
Affected tags: xss, csrf, id, rfe, lfi, sqli

Variable: REQUEST.Url | Value: <script type=\"text/javascript\"><!-- google_ad_client = \"pub-8441064724783233\"; /* 468x60, created 09/11/09 */ google_ad_slot = \"5907723460\"; google_ad_width = 468; google_ad_height = 60; //--> </script> <script type=\"text/javascript\" src=\"http://pagead2.googlesyndication.com/pagead/show_ads.js\"> </script>
Impact: 28 | Tags: xss, csrf, id, rfe, lfi, sqli
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35
Description: Detects comments to exploit firefox' faulty rendering and proprietary opera attacks | Tags: xss, csrf, id | ID: 36
Description: Detects possibly malicious html elements including some attributes | Tags: xss, csrf, id, rfe, lfi | ID: 38
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: POST.Url | Value: <script type=\"text/javascript\"><!-- google_ad_client = \"pub-8441064724783233\"; /* 468x60, created 09/11/09 */ google_ad_slot = \"5907723460\"; google_ad_width = 468; google_ad_height = 60; //--> </script> <script type=\"text/javascript\" src=\"http://pagead2.googlesyndication.com/pagead/show_ads.js\"> </script>
Impact: 28 | Tags: xss, csrf, id, rfe, lfi, sqli
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35
Description: Detects comments to exploit firefox' faulty rendering and proprietary opera attacks | Tags: xss, csrf, id | ID: 36
Description: Detects possibly malicious html elements including some attributes | Tags: xss, csrf, id, rfe, lfi | ID: 38
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

REMOTE_ADDR: xxxxxxxxxxxxxx
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:

Can I get a real solution for this, please?

Thanks.

Eli

Yes, I am using the beta for my production site. I took the risk, but I would also like some help if it's possible :)

Help us to help you.

Proud Hosted by Zarconia.net
Quote · 9 Nov 2009

I am going to talk to myself daily until my problem is fixed :) I have nothing to lose or to waste!

Eli .

Proud Hosted by Zarconia.net
Quote · 10 Nov 2009

There were other small fixes for the "possible attack" issue; I cannot provide all of them. Please try to test it again after RC is out.

Rules → http://www.boonex.com/terms
Quote · 11 Nov 2009

Alex, there are no fixes for this. Can we please get a real fix for it!

Thanks for your help.

We help you guys by revealing the bugs, so help us at least by fixing them.

Proud Hosted by Zarconia.net
Quote · 14 Nov 2009

Please apply the following fix:

http://www.boonex.com/trac/dolphin/changeset/13246/

and put the code in the HTML field, not the URL field.

Rules → http://www.boonex.com/terms
Quote · 17 Nov 2009
 
 