Welcome to the RaGEZONE - MMORPG development forums.

phoenixCF backdoor fix

This is a discussion on phoenixCF backdoor fix within the Habbo Releases forums, part of the Habbo Hotel category.

  1. #1
    Ultimate Member
    Rank
    Member
    Join Date
    Oct 2010
    Posts
    157
    Liked
    10

    phoenixCF backdoor fix

    After a few hacks on my phoenixCF (which is pretty standard), hackers found a way to take somebody's account, including the admin accounts.
    I found that they can use the characters.cfm and settings.cfm to take over your account with the use of email!
    What to do:

    Download: http://www.mediafire.com/?5a8eoq09vo8e6dt

    - Replace the files with the ones from the package
    - Remove from "##ROOT##\system\functions"
    UPDATEMAIL.CFM

    Some texts in settings are still Dutch; just update the ones from the originals

    What does this basically do:
    - Users are not able to log in anymore with the email address, but only with the username
    - If they do log in with the email, they can select their username and are prompted to log in with the password for that user, so they can't go into that account!
    - Remove update email from the user settings

    This is a quick fix that works!!! If you've got a better solution, please post it so we can have a look at that too!!!

  2. #2
    I'm not saying i am god.
    Rank
    Member +
    Join Date
    Jan 2010
    Location
    The Netherlands
    Posts
    379
    Liked
    66

    Re: phoenixCF backdoor fix

    Nice release!

    Quote Originally Posted by JSansossio View Post
    Another download url: ItalFiles ~ phoenixCF backdoor fix
    Direct Download
    Why do you always upload another mirror? :p

    Greetz,

  3. #3
    Its confusion
    Rank
    Alpha Member
    Join Date
    Aug 2011
    Location
    RZ I guess.
    Posts
    1,927
    Liked
    542

    Re: phoenixCF backdoor fix

    Quote Originally Posted by duckietm View Post
    After a few hacks on my phoenixCF (which is pretty standard), hackers found a way to take somebody's account, including the admin accounts.
    I found that they can use the characters.cfm and settings.cfm to take over your account with the use of email!
    What to do:

    Download: Fix-phoenixCF.rar

    - Replace the files with the ones from the package
    - Remove from "##ROOT##\system\functions"
    UPDATEMAIL.CFM

    Some texts in settings are still Dutch; just update the ones from the originals

    What does this basically do:
    - Users are not able to log in anymore with the email address, but only with the username
    - If they do log in with the email, they can select their username and are prompted to log in with the password for that user, so they can't go into that account!
    - Remove update email from the user settings

    This is a quick fix that works!!! If you've got a better solution, please post it so we can have a look at that too!!!
    Is this backdoor possible in phoenix php?

  4. #4
    Ultimate Member
    Rank
    Member
    Join Date
    Oct 2010
    Posts
    157
    Liked
    10

    Re: phoenixCF backdoor fix

    I don't know about phoenixPHP, as ColdFusion is something else than PHP

  5. #5
    Its confusion
    Rank
    Alpha Member
    Join Date
    Aug 2011
    Location
    RZ I guess.
    Posts
    1,927
    Liked
    542

    Re: phoenixCF backdoor fix

    Quote Originally Posted by duckietm View Post
    I don't know about phoenixPHP, as ColdFusion is something else than PHP
    Could you PM me on how to test if so? 'Cause I use phoenix php.

  6. #6
    Mr. Super Saiyan
    Rank
    Member +
    Join Date
    Sep 2011
    Location
    United Kingdom
    Posts
    1,423
    Liked
    545
    Steam ID: ashtheripper

    Re: phoenixCF backdoor fix

    And Aaron said PhoenixCF is secure... ;)
    Posted via Mobile Device

  7. #7
    Account Upgraded | Title Enabled!
    Rank
    Member +
    Join Date
    Sep 2009
    Posts
    403
    Liked
    26

    Re: phoenixCF backdoor fix

    Quote Originally Posted by ησвяαιη View Post
    And Aaron said PhoenixCF is secure... ;)
    Posted via Mobile Device
    Yes, but unlike you we don't have thejacob liking our ass, and how long has this taken to find? And it's only 1 exploit, so it is secure.

  8. #8
    Apache? Get a job, hippie
    Rank
    Alpha Member
    Join Date
    Nov 2010
    Location
    Austin, Texas
    Posts
    1,675
    Liked
    271
    Gamertag: EmberCrest

    Re: phoenixCF backdoor fix

    Quote Originally Posted by ησвяαιη View Post
    And Aaron said PhoenixCF is secure... ;)
    Posted via Mobile Device
    Off Topic: You're still on RaGEZONE? Huh.

    On Topic: Thanks for this. I'm just glad I'm not using some half-assed CMS with messy code. It's so fucking easy to edit the damn thing. Apart from the functions (which are encrypted).

  9. #9
    Azure subscription
    Rank
    Subscriber
    Join Date
    Feb 2007
    Location
    England
    Posts
    1,756
    Liked
    637
    Gamertag: IShorty

    Re: phoenixCF backdoor fix

    What are the exact changes you've made to all the files? Just finding it hard that nobody ever used this on Habboon.com if you can gain access to Administrator accounts.

    You said remove updatemail.cfm yet I can't exactly see a problem unless you were on the same network as the person you're trying to take over, as the session checks aren't correctly done but it checks your IP Address, so all is good. updatemail.cfm selects data that isn't needed, that's about it.

  10. #10
    Apache? Get a job, hippie
    Rank
    Alpha Member
    Join Date
    Nov 2010
    Location
    Austin, Texas
    Posts
    1,675
    Liked
    271
    Gamertag: EmberCrest

    Re: phoenixCF backdoor fix

    Quote Originally Posted by Shorty View Post
    What are the exact changes you've made to all the files? Just finding it hard that nobody ever used this on Habboon.com if you can gain access to Administrator accounts.

    You said remove updatemail.cfm yet I can't exactly see a problem unless you were on the same network as the person you're trying to take over, as the session checks aren't correctly done but it checks your IP Address, so all is good. updatemail.cfm selects data that isn't needed, that's about it.
    Off Topic: Why exactly did you encrypt the functions?

    On Topic: What's exploitable about the mail, anyways? It didn't make much sense when you said it.

  11. #11
    Azure subscription
    Rank
    Subscriber
    Join Date
    Feb 2007
    Location
    England
    Posts
    1,756
    Liked
    637
    Gamertag: IShorty

    Re: phoenixCF backdoor fix

    Quote Originally Posted by FullmetalPride View Post
    Off Topic: Why exactly did you encrypt the functions?

    On Topic: What's exploitable about the mail, anyways? It didn't make much sense when you said it.
    Not sure why the functions were encrypted, you would need to ask Aaron.

    I don't see anything wrong with the mail, apart from it pulls all the user information instead of the mail column. However you could probably fake the session if you're on the same network as the account you're trying to access.

  12. #12
    Apache? Get a job, hippie
    Rank
    Alpha Member
    Join Date
    Nov 2010
    Location
    Austin, Texas
    Posts
    1,675
    Liked
    271
    Gamertag: EmberCrest

    Re: phoenixCF backdoor fix

    Quote Originally Posted by Shorty View Post
    Not sure why the functions were encrypted, you would need to ask Aaron.

    I don't see anything wrong with the mail, apart from it pulls all the user information instead of the mail column. However you could probably fake the session if you're on the same network as the account you're trying to access.
    Wouldn't your cache/cookies also define a current session, and deny it if you don't have the auth token, like phpMyAdmin?

  13. #13
    Azure subscription
    Rank
    Subscriber
    Join Date
    Feb 2007
    Location
    England
    Posts
    1,756
    Liked
    637
    Gamertag: IShorty
    Quote Originally Posted by FullmetalPride View Post
    Wouldn't your cache/cookies also define a current session, and deny it if you don't have the auth token, like phpMyAdmin?
    The way Aaron checks the sessions is bad; there are ways to fake the session pointed out by Oleg. However, because it checks the last IP address, it doesn't turn into that much of a problem.
    Posted via Mobile Device

  14. #14
    Apache? Get a job, hippie
    Rank
    Alpha Member
    Join Date
    Nov 2010
    Location
    Austin, Texas
    Posts
    1,675
    Liked
    271
    Gamertag: EmberCrest

    Re: phoenixCF backdoor fix

    Quote Originally Posted by Shorty View Post
    The way Aaron checks the sessions is bad; there are ways to fake the session pointed out by Oleg. However, because it checks the last IP address, it doesn't turn into that much of a problem.
    Posted via Mobile Device
    Ah, that explains it. I'm going to continue using this and Phoenix CF, because it's the ultimate CMS (Until I find a decent UberCMS edit that's not exploitable. Then I can get actual features!)
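
The session-check point raised in posts #9 to #13 (a check that relies on the last IP address, versus an auth token held in the cookie), as an added example that is not part of the thread and is not PhoenixCF code. It is a Python model of the two checks; the `SESSIONS` store, the function names and the IP addresses are constructed for illustration.

```python
import hmac
import secrets

# Constructed model, not PhoenixCF code: one server-side record per logged-in user.
SESSIONS = {}

def login(username, client_ip):
    """Create a session; the returned random token is what the browser keeps as a cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[username] = {"last_ip": client_ip, "token": token}
    return token

def ip_only_check(claimed_user, client_ip):
    """Weak check as described in the thread: accept the claimed user if the IP matches."""
    rec = SESSIONS.get(claimed_user)
    return rec is not None and rec["last_ip"] == client_ip

def token_check(claimed_user, client_ip, cookie_token):
    """Hardened check: the unguessable token is the proof; the IP is only an extra signal."""
    rec = SESSIONS.get(claimed_user)
    if rec is None or not cookie_token:
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(rec["token"].encode(), cookie_token.encode()):
        return False
    return rec["last_ip"] == client_ip

def demo():
    nat_ip = "203.0.113.7"  # constructed: one public address shared by a whole network
    admin_token = login("admin", nat_ip)
    return {
        # Any client behind the same address passes the IP-only check.
        "same_network_ip_only": ip_only_check("admin", nat_ip),
        # The same client fails once a token is required.
        "same_network_no_token": token_check("admin", nat_ip, ""),
        "same_network_wrong_token": token_check("admin", nat_ip, secrets.token_urlsafe(32)),
        # The real owner, holding the cookie, still gets in.
        "owner_with_token": token_check("admin", nat_ip, admin_token),
        # The IP check only stops requests from other networks.
        "other_network_ip_only": ip_only_check("admin", "198.51.100.9"),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The IP comparison narrows who can reuse a session to clients sharing the same address, which matches the "same network" caveat in the thread; only the token check distinguishes between those clients.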

 

 
