Possible security hole

Post by edwin » Sun Nov 04, 2012 11:14 am

Hi guys,
Last week one of our sites got defaced. Someone just logged in with an admin account, changed the skin, and tried to install and use a toolbox script, by enabling PHP uploads. Nucleus actionlog didn't show any login errors, so it seemed to work on the first try.

Examining server access logs I found lots of requests like:
"GET /index.php?catid=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343
830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x3130323534
3830303536......etc

It's a way to get data from your database, and it seemed to have worked for them. So probably there's some vulnerability.

Post by ftruscot » Sat Nov 10, 2012 2:22 am

Those requests would get an error page, I suspect, because catid will be treated as an integer and only the 999999 would be read. But I'll peek at it to be sure.

What version of Nucleus are you using?

As for someone logging in with your admin account, that could be due to many things external to Nucleus, such as a key logger or other virus on a machine you used to log in, or a net sniffer on an insecure wifi connection, etc. If they got your Nucleus credentials one of these ways, they could have gotten other passwords, too. So maybe change other important passwords.
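One way to review access logs for requests like those quoted in the first post, as an added example that is not part of the thread or of Nucleus: it flags every request whose integer parameter carries a non-numeric value and keeps the status and response size, which helps tell an error page from a response that returned data. The log lines are constructed, and the parameter names other than catid are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters expected to hold only digits. "catid" is from the thread;
# the other names are assumptions, adjust them to your site.
INT_PARAMS = {"catid", "itemid", "blogid"}

# Combined log format: client address, request target, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Markers seen in the quoted requests: UNION ... SELECT and long hex literals.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|\b0x[0-9a-f]{4,}", re.I)

# Constructed sample log lines (documentation addresses, made-up sizes).
SAMPLE = [
    '203.0.113.7 - - [04/Nov/2012:09:58:01 +0100] "GET /index.php?catid=3 HTTP/1.1" 200 18231',
    '203.0.113.9 - - [04/Nov/2012:10:02:13 +0100] "GET /index.php?catid=999999.9+union+all+select+0x3130%2C0x3130 HTTP/1.1" 200 9120',
    '203.0.113.9 - - [04/Nov/2012:10:02:14 +0100] "GET /index.php?itemid=12%27 HTTP/1.1" 404 512',
]


def scan(lines):
    """Return one finding per integer parameter that holds a non-integer value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m["target"]).query
        # parse_qsl decodes %XX escapes and turns '+' into a space.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name in INT_PARAMS and not (value.isascii() and value.isdigit()):
                findings.append({
                    "ip": m["ip"],
                    "param": name,
                    "value": value,
                    "sqli": bool(SQLI_RE.search(value)),
                    "status": int(m["status"]),
                    "size": 0 if m["size"] == "-" else int(m["size"]),
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Comparing the response size of flagged requests against a normal page for the same URL shows whether the server answered with an error page or with content.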