ok osi got hacked, here are the details of my findings

***this post was added on the main site
irc.cyberarmy.com
Posted on Tuesday, September 17 @ 04:06:43 EDT by m101
[ Edit | Delete ]  
 

 Sorry to inform you people in irc.cyberarmy.com that you have to be sorrily disappointed. This is just to prove to you that i did do it within the thirty minutes time period set. Sorry to any that i have inconvenienced by this action... m101 ~Your Fate has been decided...  

***m101 also added himself as an admin user

*** his irc connection was as follows
m101 is cgiirc@CDB9204.549D004F.7D32077F.IP * [cb99e792] Ictoadd.com CGI:IRC User
m101 is using modes +x
m101 is connecting from *@209.151.80.64
m101 on #cyberarmy 
m101 using ctroc.cyberarmy.com Levels of perfection, go figure.
m101 has been idle 1min 24secs, signed on Tue Sep 17 09:02:05
m101 End of /WHOIS list.
 
appears to be also known as {Dark^Wolf} 

*** here is the log of my conversation with him following the breach



Start of m101 buffer: Tue Sep 17 10:18:34 2002
Session Ident: m101 (moos@2867FCF5.D6DA63FF.6A6BACC5.IP)
<bb> cmon, talk to me
<m101> thanks
<bb> aah 
<m101> whats your nick on the site
<m101> ?
<bb> yeah, i removed the post, and your author
<bb> do i need to change all the admin accounts too?
<m101> nah
<m101> didnt touch any of them
<bb> no, but did you exploit one to add yourself?
<m101> i didnt touch the db either
<m101> no i didnt exploit any admin passes or anything
<bb> or was it a reply via personal msg cookie hack?
<m101> within half an hour?
<bb> i dont know anything about half an hour
<m101> it would take me longer than that to crack a md5 hash
<bb> you dont need to
<bb> you can just use the admin cookie
<bb> hmm
<m101> nope
<bb> but you added yourself as an admin
<m101> i could, but didnt
<bb> wanna share the trick?
<bb> or its for me to find out ;-)
<m101> its to do with a form of script injection
<bb> already documented?
<m101> basically making it redirect other requests so that they do as i wish
<m101> and no it isnt documented
<bb> ah nice
<bb> your famous ;-)
<bb> care to recommend corrective action?
<m101> not right now, in a few mins
<m101> im on a public box
<m101> dont like leaving stuff around
<bb> ya k
<m101> could you atleast post that i did it in the main chan?
<bb> sure
<bb> you did well
<m101> thanks
<m101> your barnseyboy?
<bb> topic
<bb> fair enough?
<m101> thanks
<bb> you will enlighten me later?
<m101> sure
<bb> i appreciate your position on this
<m101> your barnseyboy?
<bb> i am
<m101> would have been helpful to know, bb didnt click ;)
<bb> heh
<bb> i havent seen u around 
<m101> talk tomorow sorry, gtg home
<bb> thing is i gotta work soon, dont fuck with the site again please, you made the 
  point, and i would like to hear more about how you did it
No such nick/channel
<m101> back...
<bb> hey man
<m101> hey
<bb>  >> thing is i gotta work soon, dont fuck with the site again please, you made the 
  point, and i would like to hear more about how you did it
<m101> i told you i wouldnt
<bb> so, which script is vulnerable?
<bb> and dont say all ;-)
<m101> can i just state, i aint one of the lame fucked up script kiddies who would 
  deface your site at the first chance he could
<m101> unfortunately most of your site is vulnerable =/
<m101> well atleast to diferent forms of attacks
<bb> yeahm, i can see your not a lamer
<bb> so, obviously im keen to try and patch the site where posisble
<bb> at least from the exact same attack u just did
<m101> sorry
<m101> dc
<bb> yeahm, i can see your not a lamer
<bb> so, obviously im keen to try and patch the site where posisble
<bb> at least from the exact same attack u just did
<m101> two things, dont release the exploit, sorry to be a hard ass about it, but i 
  know 9600 sites on google that are vulnerable to it
<bb> k
<m101> i dont want them to be hacked by lamers
<m101> also, in preference, could ya leave me with some form of admin account
<bb> no, admin accounts are for osi staff members, 
<bb> unless u wanna be in osi, then that would be impossible
<m101> you want a new less active staff member then ;)
<bb> lol
<bb> i dont want to be blackmailed into that position thats all
<bb> staff members who are admins work hard for osi
<m101> nah, no blackmail
<m101> its worth an ask anyway ;)
<bb> well
<bb> i like your style
<bb> but i dont know ya
<bb> your not a ca member im familiar with
<bb> and i havent seen you at osi before
<m101> ofcourse not
<m101> i like to be a rogue
<bb> k
<bb> but you have no interest in open source development?
<m101> ofcourse i do
<m101> im working on three projects atm
<m101> and two are idle
<bb> aah well thats different then ;-)
* bb thought u were just a mercenary hacker ;-)
<m101> lol
<m101> anyway, you want to know which sections are vulnerable to this kinda exploit?
<bb> go ahread
<m101> your polls are vuln to any partial admin
<m101> story vuln to anyone, but easily fixed
<m101> memberlist also vuln to everyone, not as easy to fix, but still pretty easy
<m101> the fact you are using phpnuke creates some issues as cookies are easy to come by
<m101> postnuke has a nicer form for cookies
<m101> recent articles are vuln
<m101> i havent looked, but i believe the forums may possibly be vuln depending on how 
  you have them setup
<m101> the approach i took was somewhere inbetween the lot
<m101> a bit of a mix
<bb> and you chose us why?
<m101> and hell more advanced code than an average attacker would take to get the same 
  result
<m101> oh, thats easy
<m101> i came into #cyberarmy
<m101> and basically they said people were trying to hack ca as a whole
<m101> and i said, couldnt be that hard
<m101> and they started insulting me etc...
<m101> calling me lame
<m101> so i said that i would hack a division of ca within thirty minutes
<m101> you just happened to be the nicest looking site
<m101> sorry if i have caused any inconvenience
<bb> aah k
<bb> no not at all
<bb> like most of these attacks
<bb> they are eyeopeners
<m101> ca doesnt get hacked much at all
<m101> very rarely
<bb> well its not a phpnuke site
<m101> oh, i could go for ca if i wanted
<bb> do it man ;-)
<m101> i bet i could get it with enough time
<bb> sure
<bb> nothings impossible right
<m101> ofcourse not
<bb> and for fixing 
<bb> just better parsing of input?
<m101> not quite
<m101> your in a hole with phpnuke unfortunately
<m101> its got too many modules to fix
<bb> yeah
<bb> we are migrating to postnuke
<bb> but its a real pain
<m101> like zzine?
<bb> dunno
<m101> could you change it to 15 minutes, as 10 minutes is well... not truthful
<bb> cmon > gimme some pointers for patching the site
<m101> filter all html out of anything at alll
<m101> anything and everything
<m101> i looked at your admin list
<m101> only have one admin
<m101> the rest user style admins
<bb> but that didnt affect your hack thought right?
<m101> nope
<m101> but if i didnt take the same approach, it would have
<bb> k
<m101> if i was to, for example do cookie stealing, then it would majorly
<m101> my recommendation is to not even have your own account super user
<m101> only log in as god when you really need to
<m101> partial admins could still exploit your site for god as it is, but with a whole 
  load of effort
<m101> but atm they could just take the db, crack it and they have your pass
<m101> any other questions?
<bb> thanks for your time btw
<m101> np
<m101> dont worry, im honourable, i wont give out my pass or add people
<m101> i wouldnt get anywhere if i shafted everyone i came across
<bb> my pass?
<bb> i dont believe you have any passes
<m101> if you added me that is
<bb> aah k
<bb> yeah i can see your honourable ;-)
<m101> you should meet this guy im tutoring, as dishonourable as shit, took him ages to 
  get anywhere ;)
<bb> lol
<bb> u tried our programming challenges?
<m101> no chance, im very busy these days
<bb> lol
<m101> ill do them when i get a chance
<m101> it took me around six months to find enough time to finish arcanum =/
<m101> some of them require more than two minutes thought
<bb> aah im on 5
<bb> 5 programming left
<bb> the trianlge of numbers
<bb> <{Dark^Wolf}> 
<bb> ?
<m101> i aint at home
<m101> friends place
<bb> ok
<bb> well i gotta go work
<bb> we will come up with a plan of action to try and mimize risk
<m101> have fun, talk some other time
<bb> perhaps i run it past you when your around
<m101> will do
<bb> k and thanks again
<bb> for the reality check
<m101> no prob at all
End of m101 buffer    Tue Sep 17 10:18:34 2002