● [ SECURITY UPDATE ] - Please Read

Mon Apr 24, 2023 12:36 pm
Clan Leader
Top Dog
Nuke Dev / Coder
3017 Posts
coRpSE
In-Game
The Isle

Most Played:
This week: 89.2hrs.
Total Played: 281hrs.


  
Reputation: 7321.7
votes: 7
Expand


Before we start, some things to know first:
  • Q: What version of nuke have this vulnerability?
  • A: I have only looked at Evo, RavenNuke, and Titanium, and all of them have this issue. It may be spread to the basic PHPNuke, but I have not looked into it. As for other versions of nuke, they may, or may not have this problem, and only me seeing it I could tell you if it does or doesn't.

  • Q: When will the patch be released?
  • A: Once testing goes through and no issues, we will release it with the next update of Evo.

  • Q: Why wait?
  • A: We want to verify that there are no bugs, also, the next update is coming soon.

  • Q: Are you releasing the fix to the other systems?
  • A: Yes and No. Yes, I am going to be telling them of the issue, but since our systems are different, our way may not be right for them. As they have their own `developers`, they will need to update their system themselves.

  • Q: How serious is this threat?
  • A: Very, and also not very. I can't go into details just yet, for if I did, that would just open up for bad actors to try to target others sites exploiting this. This vulnerability has been here for many years, and nobody has found it, so I think a few more weeks is fine.


Okay, a few days ago, while working on a security update that I was thinking for the next release, I found a security vulnerability within the CMS that I felt needed immediate attention. Luckily, the update that I was testing and working on which lead me to the problem was also the fix. I told Lonestar of the issue and gave him step-by-step instructions on how to do it, and he was even surprised by it. I had passed off what I was working on and how it took me to the bug, and he took it from there and following a similar path of what I was doing, came up with the solution we are using ATM.

As I said above, I can not go into details on exactly what it is, but I do have some instructions for you guys on here to secure up your site.

  1. If you didn't log in when you came to my site here to read this, please log out.
  2. Log back into the site and that's it.


I know, we made it difficult to secure your self.
If you have any issues logging back in, feel free to contact me either on Lonestars site, Evo Xtremes site, or TS3, Discord, or email me at
Please login to see this email
Get registered or Log in


Also, another update with the fix we are testing is now you can log in using either your username, or, your email. No longer bound to just using your username.


Expand
Mon Apr 24, 2023 3:01 pm
Original Poster
Clan Leader
Top Dog
Nuke Dev / Coder
3017 Posts
coRpSE
In-Game
The Isle

Most Played:
This week: 89.2hrs.
Total Played: 281hrs.


  
Reputation: 7321.7
votes: 7
Okay, a bit of an update. If you have accounts on our site here,
Please login to see this link
Get registered or Log in
, or
Please login to see this link
Get registered or Log in
, both of the sites have been updated with the fix and all you need to do is log out and log back in.

Also, I contacted RN administration about this yesterday, and I have informed TheGhost over at Titanium about this security exploit, and it is up to them to take the necessary steps for their systems. I have told them what we did to address the situation, and it's up to them to follow through with a fix.


 
Tue May 02, 2023 11:20 am
Spammer
117 Posts
Reputation: 247.5
— coRpSE wrote
It may be spread to the basic PHPNuke


All (if not) most of the CMS derived from PHPNuke, that currently have this issue include Dragonfly CMS. I am pretty sure it is the code base for PHPNuke that is causing the problem with this vulnerability. That's just my thought.


Expand
Tue May 02, 2023 12:05 pm
Original Poster
Clan Leader
Top Dog
Nuke Dev / Coder
3017 Posts
coRpSE
In-Game
The Isle

Most Played:
This week: 89.2hrs.
Total Played: 281hrs.


  
Reputation: 7321.7
votes: 7
— EmeraldDragon wrote
— coRpSE wrote
It may be spread to the basic PHPNuke


All (if not) most of the CMS derived from PHPNuke, that currently have this issue include Dragonfly CMS. I am pretty sure it is the code base for PHPNuke that is causing the problem with this vulnerability. That's just my thought.


I did check the most recent version of PhpNuke that I could find and yes, this exploit is there.
Without going into too many details on the exploit I found, this vulnerability would require someone to do a cookie hijacking against you, and once they had your cookie, using a little bit of work, they "could" get your password using a dictionary/brute force attack. There is a chance they wouldn't get it, but, the steps I gave to Lonestar to do it, was enough for us to put this out there to warn people, especially these other systems that are using Nuke as their base, so they can get a fix out there for their community.

Since this requires someone to do a cookie hijacking, that is why in the Q&A I did, I said it was "very serious" and "not very". Very being they can get in, and get your password, not very, they would need to first do a cookie hijacking. Well, looks like our fix works. The other systems, they have been notified, but it will be up to them to fix it.


 
Wed May 17, 2023 7:19 pm
NOOB!!!
6 Posts
Reputation: 79.6
Any idea when you will be releasing the fix? Are you releasing it seperate or in the next release only?
Wed May 17, 2023 7:26 pm
Original Poster
Clan Leader
Top Dog
Nuke Dev / Coder
3017 Posts
coRpSE
In-Game
The Isle

Most Played:
This week: 89.2hrs.
Total Played: 281hrs.


  
Reputation: 7321.7
votes: 7
It will not be a separate thing. We are going to release it with the next release.
As for when, well, once Lonestar finishes up with some of the changes he wants to be done, then we need to do some testing before we make it public. If we have to learn anything from the last release, we can't skip the testing, and we need more than just the two of us.


 
Sun Jun 11, 2023 9:33 am
NOOB!!!
1 Posts
Reputation: 0.5
Any chance you can release this patch separate for those of us who don't want to update to the next release..?
Sun Jun 11, 2023 12:23 pm
Original Poster
Clan Leader
Top Dog
Nuke Dev / Coder
3017 Posts
coRpSE
In-Game
The Isle

Most Played:
This week: 89.2hrs.
Total Played: 281hrs.


  
Reputation: 7321.7
votes: 7
The-UnXpLaiNeD, I don't know if we will release it separate ATM, for we are still making sure we got all areas done, but, when it's done, who knows.
If you like to have this sooner and help us test it, feel free to shoot me a PM, and we can see about getting you set up.


 
Forums ©