-
UberCMS Potential SQL exploit patch (housekeeping)
I'm not sure why I should do this. This community has done nothing for me besides for a few individuals. Anyways, I'm not going to bitch. I'll keep this simple.
After coding an extra feature into the UberCMS housekeeping I noticed that when I opened login.php (in /manage/pages) I found that the variable $password was unfiltered. Now, whilst I'm not sure if you can exploit this due to it being hashed right after it still could potentially be one (hence the title).
So to tighten up security and possibly evade a MySQL injection we can easily patch it by:
1) Open login.php in /manage/pages
2) Find
PHP Code:
$password = $core->uberHash($_POST['pwd']);
3) Add the filter tags around it filter() like so:
PHP Code:
$password = filter($core->uberHash($_POST['pwd']));
And there you go. A potential exploit fixed.
Just to add: If you do not understand this don't post. And if someone does ask a question on how to set this up/put it in, don't answer them. It's clear as day so don't ease their stupidity.
thx
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
I wish I knew about this sooner. No one uses uberCMS now.
Anyway nice notice there Matt. Thanks.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
What's something besides Uber and Phoenix that is good?
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Quackster
I wish I knew about this sooner. No one uses uberCMS now.
Anyway nice notice there Matt. Thanks.
Yeah. It's quite sad. Everyone is using shitty Phoenix CMS now.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
This isn't an exploit, you don't have to filter it as it is hashed and pretty much impossible to exploit. A way to check if it is an exploit is to actually exploit it, you know. I bet you haven't done that.
I congratulate you for trying to contribute though, you should release some of your stuff someday, it seems you're not a complete idiot like others.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Quackster
I wish I knew about this sooner. No one uses uberCMS now.
Anyway nice notice there Matt. Thanks.
I use UberCMS, and I'm always looking for exploits to patch :)
-----
So you're saying, this will patch it? (Possibly) ?? Or does it completely fuck it up?
When I edited it, I noticed that the user names are filtered as well :P
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
As Matthew said, just let me zip my mouth closed and not say anything to multi, but good patch. You always must be sure of something instead of leaving it and thinking it's hashed so it's impossible to exploit it.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Kryptos
This isn't an exploit, you don't have to filter it as it is hashed and pretty much impossible to exploit. A way to check if it is an exploit is to actually exploit it, you know. I bet you haven't done that.
I congratulate you for trying to contribute though, you should release some of your stuff someday, it seems you're not a complete idiot like others.
That's what I was thinking also. Although this isn't really needed it's still a good security practice. Despite it being virtually impossible to send an exploit through a hash you never know. Maybe quotes and such? Better to be safe than sorry :)
But, that is why I did mark it as potential rather than critical.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Quackster
I wish I knew about this sooner. No one uses uberCMS now.
Anyway nice notice there Matt. Thanks.
I use my own UberCMS edit :blush:
There are more exploits in UberCMS where SQL injection is possible :closedeyes:
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
davidaap
I use my own UberCMS edit :blush:
There are more exploits in UberCMS where SQL injection is possible :closedeyes:
Same. Could you tell me some? You don't have to here. In PM?
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
Same. Could you tell me some? You don't have to here. In PM?
i pm you :)
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
davidaap
i pm you :)
Pm me too :)
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
no no and no :)
learn first to secure your website -,-
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
skunken1
Pm me too :)
What's the point in him PM'ing you anything about the exploits when you probably know nothing on the topic.
Quote:
Originally Posted by
jamieturner
and me please, cheers.
Who are you asking? And to what ? (if me)
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
Who are you asking? And to what ? (if me)
He asks if you'll add him xD
Btw, I think it's useless to filter the password post.
Because:
The server gets as response `' or '' = ''` (For example)
If you make a hash of it, you'll get something like: 08c0b7826294f319bdf2abf11b7af0fc
That's never an exploit, is it?
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
joopie
He asks if you'll add him xD
Btw, I think it's useless to filter the password post.
Because:
The server gets as response `' or '' = ''` (For example)
If you make a hash of it, you'll get something like: 08c0b7826294f319bdf2abf11b7af0fc
That's never an exploit, is it?
Yeah I was thinking the same too but as said before I said potential for a reason. There *might* be a way of getting around the hash and executing a rogue query. We simply do not know. But it's better to be safe than sorry right? Like. If filtering is not going to change anything you may as well do it ? :)
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
Yeah I was thinking the same too but as said before I said potential for a reason. There *might* be a way of getting around the hash and executing a rogue query. We simply do not know. But it's better to be safe than sorry right? Like. If filtering is not going to change anything you may as well do it ? :)
Uhm, maybe true :P, but I don't think it can xD
Btw, change it also for the `index.php`, I thought that one was also unfiltered :ott1:
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
This is not exploitable, as the value returned is a hash, and nothing more. You can not inject anything within the query as the value returned by uberHash will only be letters and numbers.
/facepalm
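The point made in the reply above, as an added example that is not part of the original posts and not UberCMS code: a hex digest can only contain 0-9 and a-f whatever the input, and bound parameters keep the query safe for the unhashed fields too. `sha1()` stands in for `uberHash` (its implementation is not shown in the thread), and the `users` table and `login()` are hypothetical.

```php
<?php
// Added example, not UberCMS code. sha1() is an assumed stand-in for
// $core->uberHash(), whose implementation the thread does not show.
function hashPassword(string $raw): string
{
    // Hex output only. sha1($raw, true) would return raw bytes instead,
    // and the "letters and numbers" argument would no longer hold.
    return sha1($raw);
}

// Constructed inputs, including the string quoted in the thread.
$samples = ["hunter2", "' or '' = ''", "a'b\"c\\d"];
foreach ($samples as $raw) {
    $digest = hashPassword($raw);
    $hexOnly = preg_match('/\A[0-9a-f]{40}\z/', $digest) === 1;
    printf("%-16s -> %s hex-only=%s\n", $raw, $digest, var_export($hexOnly, true));
}

// The username is not hashed, so quoting matters there. Binding every value
// as a parameter protects both fields without relying on the hash alphabet.
// The users table and login() below are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(['admin', hashPassword('correct horse')]);

function login(PDO $db, string $user, string $pwd): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM users WHERE username = ? AND password = ? LIMIT 1'
    );
    $stmt->execute([$user, hashPassword($pwd)]);
    return $stmt->fetchColumn() !== false;
}

var_dump(login($db, 'admin', 'correct horse'));   // matching credentials
var_dump(login($db, "' or '' = ''", 'x'));        // bound as a literal username
var_dump(login($db, 'admin', "' or '' = ''"));    // hashed before comparison
```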
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
RastaLulz
This is not exploitable, as the value returned is a hash, and nothing more. You can not inject anything within the query as the value returned by uberHash will only be letters and numbers.
/facepalm
Thank you for repeating me?
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
joopie
Thank you for repeating me?
Repeating you? I simply looked at the thread, and responded.
Also, thanks for repeating Kryptos.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
joopie
Thank you for repeating me?
You can't say that because you repeated what Kryptos said ;D
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Hejula
You can't say that because you repeated what Kryptos said ;D
Ah, yes, xD, I saw it when RastaLulz posted his reaction xD. I always read the first post and the last few posts :P
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
Yeah. It's quite sad. Everyone is using shitty Phoenix CMS now.
Wrong, Habrockz and Luxo Hotel both use uberCMS but heavily modified.
-
hobbs hotel use ubercms {A}
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
I also use an uberCMS edit. However I've had my CMS fully secured for a while now. That won't be an exploit in a password field 'cause it's hashed and it's not counted as real input? I'm not sure how it's processed.
Thanks though.
Jontycat
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
RastaLulz
This is not exploitable, as the value returned is a hash, and nothing more. You can not inject anything within the query as the value returned by uberHash will only be letters and numbers.
/facepalm
'k. You're 3 posts late. This has been said already. Understand I'm a novice programmer (I've only been doing this a few months and I'm learning still) and that I'm not stupid. The mark 'Potential' in the title means I'm not sure if it is. I released something which *could* have been very beneficial to the community. Someone else could've found this out before me and gone around exploiting hotels had this not been a hash.
So, whilst the release itself is not useful, the thought of releasing a fix for a *maybe* exploit is, imho.
Also, you were once like me in terms of knowledge of programming, so ending your post with "/facepalm" is hypercritical of you, as you once made mistakes and didn't take things into account yourself.
So shut the fuck up, all of you. I'm now aware and I was after Kryptos' post.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
'k. You're 3 posts late. This has been said already. Understand I'm a novice programmer (I've only been doing this a few months and I'm learning still) and that I'm not stupid. The mark 'Potential' in the title means I'm not sure if it is. I released something which *could* have been very beneficial to the community. Someone else could've found this out before me and gone around exploiting hotels had this not been a hash.
So, whilst the release itself is not useful, the thought of releasing a fix for a *maybe* exploit is, imho.
Also, you were once like me in terms of knowledge of programming, so ending your post with "/facepalm" is hypercritical of you, as you once made mistakes and didn't take things into account yourself.
So shut the fuck up, all of you. I'm now aware and I was after Kryptos' post.
Calm down, I wasn't being aggressive I was simply stating. If you read my posts it's pretty much sounding like I was trying to explain it to myself while asking a question to those around us who are better. You're being a tool, not me.
Also, haven't you been going around acting like you're an amazing programmer, posting on developments like you know something, but now, you're calling yourself a novice? Steep drop. Professional to novice.
Not having a go at you - good release, thanks for sharing it with the community as the retro community is dying, so we all need to start contributing or shit's gonna go down, fast.
Thanks & good luck with future learning.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Jonty, it wasn't aimed at you. I never claimed to be a professional. I could probably write a whole CMS if I really wanted to. I have an understanding of most things. But I couldn't write forum software like.. vBulletin. So, I'm kind of in between. I didn't know what to name myself so I thought novice might be the best one. Considering it's only been a few months, ya know? Or maybe a better word would be like.. 'standard'? I'm not sure how to measure coding knowledge.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Hejula
You can't say that because you repeated what Kryptos said ;D
You can't say that because you repeated what Habbo said ;D
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
Jonty, it wasn't aimed at you. I never claimed to be a professional. I could probably write a whole CMS if I really wanted to. I have an understanding of most things. But I couldn't write forum software like.. vBulletin. So, I'm kind of in between. I didn't know what to name myself so I thought novice might be the best one. Considering it's only been a few months, ya know? Or maybe a better word would be like.. 'standard'? I'm not sure how to measure coding knowledge.
Yeah, realised after I posted. Thought you quoted my post. Sorry.
Standard is a good word. I don't know what to class myself but after writing a few CMS systems I find it now rather quite easy to write a CMS - but that's probably not my skill just how used to it I am.
If you require any help feel free to ask me. Also - I might have scoped you out for a project I may start later if you're interested.
Jcat
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Jontycat
I also use an uberCMS edit. However I've had my CMS fully secured for a while now. That won't be an exploit in a password field 'cause it's hashed and it's not counted as real input? I'm not sure how it's processed.
Thanks though.
Jontycat
fully secured? :
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' LIMIT 1' at line 1
no not fully secured ;)
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
'k. You're 3 posts late. This has been said already. Understand I'm a novice programmer (I've only been doing this a few months and I'm learning still) and that I'm not stupid. The mark 'Potential' in the title means I'm not sure if it is. I released something which *could* have been very beneficial to the community. Someone else could've found this out before me and gone around exploiting hotels had this not been a hash.
Three posts late? Sorry, I forgot that once a thread has been responded to with common sense that no one after that was allowed to respond, with additional common sense. I love how you take my post as an insult - it was simply telling you what the issue was, and how the code itself was not exploitable.
I don't care if you're learning or not - you shouldn't be releasing stuff that you haven't even bothered testing, or researching. That's like me coding a template purely in Notepad, and releasing it without checking it in my browser for issues within the code before I released it.
Quote:
Originally Posted by
Matthew
So, whilst the release itself is not useful, the thought of releasing a fix for a *maybe* exploit is, imho.
Really? Because I know that when people run a web script, they never worry about exploits within the script itself; thank you for enlightening all of us on how to patch stuff that is already patched.
Quote:
Originally Posted by
Matthew
Also, you were once like me in terms of knowledge of programming, so ending your post with "/facepalm" is hypercritical of you, as you once made mistakes and didn't take things into account yourself.
When I used "/facepalm", I was simply referring to your continuation of telling people that it could be possible for someone to exploit this, instead of listening to them, and learning from what they told you.
Quote:
Originally Posted by
Matthew
So shut the fuck up, all of you. I'm now aware and I was after Kryptos' post.
Then close the thread, as it is worthless.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
RastaLulz
I love how you take my post as an insult - it was simply telling you what the issue was, and how the code itself was not exploitable.
Yes. But I realised that before, if you bothered to read. I didn't take your post as an insult. If people get insulted by what's written on the internet they are weak and stupid.
Quote:
Originally Posted by
RastaLulz
I don't care if you're learning or not - you shouldn't be releasing stuff that you haven't even bothered testing.
Fair enough. I did, but as stated before I don't know that much. Just enough. There might have been other possible ways. However I won't bother releasing the other patches in the future. The actual serious ones. (thanks David).
I just think there has been a miscommunication here, that's all. So folks, this isn't an exploit. I just thought it might have been without realising what it does fully.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
Thanks for the patch amen.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
The password is sha1'd, it doesn't need to be filtered... why would you filter a sha1 hash? Since it's hashed, anything they enter will be hashed.
$not_secure = $_POST['password'];
$secure = $core->sha1thisbitch($_POST['password']);
-
Quote:
Originally Posted by
XenoGFX
The password is sha1'd, it doesn't need to be filtered... why would you filter a sha1 hash? Since it's hashed, anything they enter will be hashed.
$not_secure = $_POST['password'];
$secure = $core->sha1thisbitch($_POST['password']);
And this has been mentioned in this thread like 10 times over, why do you feel the need to repeat everybody lol.
-
Re: UberCMS Potential SQL exploit patch (housekeeping)
At least you bothered to throw in a contribution; you should be getting thanked for attempting to.
Nice attempt ;)