
AVArcade Script v2.1 and Lower Hacked... Here's how to fix it!!!

Discussion in 'Security' started by jmhyer123, Jul 4, 2007.

  1. #1
    Recently there were a couple of exploits posted for AVArcade script ver. 2.1b and lower.

    #1:
    Privilege Escalation via Cookie Manipulation

    #2:
    Remote SQL Injection (view-page.php)

    I have noticed that a lot of sites have fallen susceptible to these attacks and have been defaced or completely taken down. Here is how to fix these vulnerabilities:

    #1: The first exploit takes advantage of a flaw in the cookies and how they check for admin privileges.

    I have not figured out a way to fix this one, so if you have any ideas please let me know and I can test them out and post them. If you have already fixed this please show us how you did it so we can fix our sites.


    #2: The second exploit takes advantage of the PHP code in includes/view-page.php: it doesn't validate the input supplied via the URL, therefore allowing a visitor to do some SQL injection and get the hashed admin password, or any user's password for that matter. It is explained in detail in the URL, so here is how to fix it.

    In includes/view-page.php replace this:
    
    <?php
    include ('config.php');
    $con = mysql_connect("$server","$username","$password");
    if (!$con)
      {
      die('Could not connect: ' . mysql_error());
      }
    mysql_select_db("$database", $con);
    $sql = mysql_query("SELECT * FROM ava_pages WHERE id=".$_GET['id']."");
    while($row = mysql_fetch_array($sql)) {
    echo ''.$row['page'].'';
    }
    
    ?>
    
    with this:

    
    <?php
    include ('config.php');
    $con = mysql_connect("$server","$username","$password");
    if (!$con)
      {
      die('Could not connect: ' . mysql_error());
      }
    
    $id = $_GET['id'];
    $length = strlen($id);
    if ($length < 2) {
    
    mysql_select_db("$database", $con);
    $sql = mysql_query("SELECT * FROM ava_pages WHERE id=".$_GET['id']."");
    while($row = mysql_fetch_array($sql)) {
    echo ''.$row['page'].'';
    }
    
    }
    else {
    echo '<center><b>WHATEVER TEXT YOU WANT THE POTENTIAL HACKER TO SEE WHEN THEY TRY TO HACK YOU</b></center>';
    }
    ?>
    
    (Change the text in the echo to whatever you want it to say, or whatever code you want it to run.)

    This effectively eliminates the SQL injection vulnerability by only allowing the "id" variable to be less than 2 characters long. To perform a SQL injection it would have to be much longer. This allows the view-page.php page to still work to deliver the user pages but eliminates the SQL injection vulnerability.

    *NOTE: I am sure there are better ways to correct this problem; this is just how I did it on my site, and if you have a better way of correcting this please post it and let us know!

    I know this "tutorial" was very technical, and if you have an arcade website based on AVArcade script that is vulnerable yet you can't fix it, just PM me and I would be glad to help you fix it.

    I hope this helped someone, if you found it useful I would appreciate some rep but it's not required.

    Thanks and Best of Luck!
    Jeffrey
     
    jmhyer123, Jul 4, 2007 IP
  2. DRoP
    #2
    Couldn't both of these exploits be solved by passwording the admin directory via cPanel?
     
    DRoP, Jul 4, 2007 IP
  3. CodyRo
    #3
    The way you fixed the SQL injection isn't the proper way to do it.. you should do something along the lines of:

    
    <?php
    include ('config.php');
    $con = mysql_connect("$server","$username","$password");
    if (!$con)
      {
      die('Could not connect: ' . mysql_error());
      }
    mysql_select_db("$database", $con);
    $sql = mysql_query("SELECT * FROM ava_pages WHERE id=".(int)$_GET['id']."");
    while($row = mysql_fetch_array($sql)) {
    echo ''.$row['page'].'';
    }
    
    ?>
    
    That's actually a cheap way to do it too, but effective.. What you're doing is forcing the "$_GET['id']" to be an integer regardless of what is used. The proper way would be to run it through mysql_real_escape_string().

    As for the cookie issue.. what the code is doing is moronic.. it only checks the user ID and doesn't even compare passwords. I can't fix it with the stuff you pasted, but if it's that poorly done I wouldn't recommend using it anymore.

    Yes.. all that does is protect the whole directory with .htaccess.. which effectively means the scripts won't even run until you log in through it.

    Bit late, so sorry if the above doesn't make sense.. PM me if you have any questions / etc :)
     
    CodyRo, Jul 5, 2007 IP
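Both the length check in post #1 and the (int) cast in post #3 keep the raw value out of the query by constraining its shape; the approach below goes one step further and binds the id as a query parameter so it is never part of the SQL text at all. This is an added example, not AVArcade's code and not code posted in the thread. It assumes an in-memory SQLite database with constructed rows in place of the site's MySQL connection from config.php, and the function names (connect, parsePageId, fetchPage, handleRequest) are this example's own.

```php
<?php
// Added example, not AVArcade's code or anything posted in the thread.
// A parameterised rewrite of the includes/view-page.php lookup: the id is
// validated as a positive integer and then bound as a query parameter, so it
// never becomes part of the SQL text. An in-memory SQLite database with
// constructed rows stands in for the site's MySQL database so this runs offline.
declare(strict_types=1);

function connect(): PDO
{
    // Assumption: SQLite in memory instead of mysql_connect($server, ...) from config.php.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE ava_pages (id INTEGER PRIMARY KEY, page TEXT NOT NULL)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO ava_pages (id, page) VALUES (1, '<h1>Welcome</h1>'), (12, '<h1>Rules</h1>')");
    return $pdo;
}

// Accept only a positive decimal integer; everything else (empty string,
// quotes, "1 OR 1=1", values beyond PHP_INT_MAX) yields null.
function parsePageId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look up the page body. Returns null for invalid ids and unknown pages alike,
// so a probe gets the same response as a typo and no database error is echoed.
function fetchPage(PDO $pdo, ?string $rawId): ?string
{
    $id = parsePageId($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT page FROM ava_pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['page'];
}

// Drop-in for the original handler: same $_GET['id'] contract, same echo of the stored page.
function handleRequest(PDO $pdo, array $get): void
{
    $page = fetchPage($pdo, isset($get['id']) ? (string) $get['id'] : null);
    if ($page === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    echo $page;
}

$pdo = connect();
var_dump(fetchPage($pdo, '1'));          // string "<h1>Welcome</h1>"
var_dump(fetchPage($pdo, '12'));         // multi-digit ids still resolve
var_dump(fetchPage($pdo, '1 OR 1=1'));   // NULL: rejected before any SQL runs
var_dump(fetchPage($pdo, ''));           // NULL: the original sent "WHERE id=" to MySQL
var_dump(fetchPage($pdo, '9999'));       // NULL: unknown page, nothing leaked
```

The validation step matters even with a bound parameter: it rejects the empty id (which the original code turned into a syntax error and a mysql_error() message for the visitor) and it accepts ids of any number of digits, unlike a length cap. The bound parameter is what makes the query safe; the cast in post #3 achieves the same thing for this one integer column, but parameters work for string columns too, where escaping by hand is easy to get wrong.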