History : how injections were prevented by NukeSentinel add-on for PHPNuke



  • 10 years ago, full-featured « portals » as we called them, were all the craze. PHPNuke was something easy to install on the many free php hostings that were available. At the time it was released, I even think this was the first freely available portal with so much features. But it had a price: unprofessional code, unstable, unmaintainable, insecure. If you want to know why security issues happened so widely, have a look at the sources of phpnuke, you'll know why you need to separate html, styles, sql, php code and javascript.

    About every possible injection was possible : search engine, contact form, forged cookies, you name it. This was so impossible to maintain that other guys figured they should just add a layer on top of it, covering all the cases. That was the purpose of NukeSentinel, which is huge ( 21338 lines of code ), and which looks like someone is trying to put off the fires from a nuclear explosion by bringing buckets of water one by one.

    A direct link to the sources was not so easy to find but here's a fork I found : https://trac.assembla.com/evoturkish/browser/html/includes/nukesentinel.php?rev=1

    Look at line 30 and then see how that REGEX_UNION constant is used. The thing is, that's one of the few part of the code that is actually more or less readable.

    I found an archive of one of the versions here : http://ftp.heanet.ie/mirrors/sourceforge/n/nu/nukescripts/NukeSentinel(tm)/version%202.5.1X/NukeSentinel_2518_Up.tgz ( notice it's only nukesentinel, the security add-on, not phpnuke by itself ). You'll also see amazing stuff like how menu are displayed and handled, in a html-in-strings-in-php-in-html tag soup way, along with copy pasta everywhere.

    The most painful conclusion is to imagine how much work it actually needed.



  • Things have evolved. Since then DotNetNuke has been released, first written in VB then somehow branched in C# (not sure what is the current state). Can't wait to see WinrtNuke.



  • Oh God, PHPNuke.

    Those were my first walking attempts at programming - and I promptly managed to write a guestbook module for that thing which I even published.

    I promptly got my ass handed to me through SQL injections (which I did not catch). Though I also included the most hilarious misconceptions of all:

    For the primary key I used a TinyInt. Yeah, you read that right: I thought of "saving disk space" and thusly tried to get everything as small as possible. The thought of what might happen if the post counter of said guestbook hit 255 didn't even cross my mind. Until it did, of course.

    The biggest WTF, however, remained the fact that my module remained the sole source of a guestbook module on that site for nearly two years.



  • So instead of adding slashes where needed, they go through each individual possible request variable and check for different kinds of strings such as "=union ".

    They're not putting out a nuclear fire with tiny buckets. They're putting it out by writing a list of specific things it's not allowed to burn.



  • Back in the day I used to write godawful non-OO PHP4 code which I later had to maintain.

    Now, like Will Rogers once said, there are three kinds of men: 
    The ones that learn by reading. 
    The few who learn by observation. 
    The rest of them have to touch an electric fence.

     

    I pretty much wrapped that fence wire around my privates.



  • @DOA said:

    Back in the day I used to write godawful non-OO PHP4 code which I later had to maintain.

    Now, like Will Rogers once said, there are three kinds of men: 
    The ones that learn by reading. 
    The few who learn by observation. 
    The rest of them have to touch an electric fence.

     

    I pretty much wrapped that fence wire around my privates.


    And then there are scientists, who after touching the electric fence say "I wonder if that happens every time..."



  • @GoatRider said:

    @DOA said:

    Back in the day I used to write godawful non-OO PHP4 code which I later had to maintain.

    Now, like Will Rogers once said, there are three kinds of men: 
    The ones that learn by reading. 
    The few who learn by observation. 
    The rest of them have to touch an electric fence.

     

    I pretty much wrapped that fence wire around my privates.

    And then there are scientists, who after touching the electric fence say "I wonder if that happens every time..."
    Don't leave out the statisticians who have to do it 1000 times before determining that getting electrocuted is not just chance.


  • @C-Octothorpe said:

    Don't leave out the statisticians who have to do it 1000 times before determining that getting electrocuted is not just chance.
     

    Our p-value

    OUCH

    isn't

    ARGH

    low

    EAGH

    enough

    OOW



  • @dhromed said:

    ARGH

    low

    EAGH

    enough

    OOW

     

    You fail the interview for snoofle's new coder replacement.

     



  •  I keep coming back.



  • @dhromed said:

    I keep coming back.

    Which part of your body are you using to touch the electric fence?



  • Is there any part I shouldn't be using?



  • @dhromed said:

    Is there any part I shouldn't be using?

    All of them, I should think. But you seem to have an abnormal reaction. NTTAWWTIYKWIMAITYD.



  • @Rhywden said:

    For the primary key I used a TinyInt. Yeah, you read that right: I thought of "saving disk space" and thusly tried to get everything as small as possible. The thought of what might happen if the post counter of said guestbook hit 255 didn't even cross my mind. Until it did, of course.

    If you're not gonna have more than 255 guestbook entries, maybe PHPNuke is too much horsepower - how about PHPGrenade? :D


  • Discourse touched me in a no-no place

    @ekolis said:

    If you're not gonna have more than 255 guestbook entries, maybe PHPNuke is too much horsepower - how about PHPGrenade? :D
    PHPSquib would be more appropriate - PHPGrenade is more suitable for 256-65,535 entries.



  • @boomzilla said:

    @dhromed said:
    Is there any part I shouldn't be using?

    All of them,

     

    oopsie



  • @dhromed said:

    oopsie
     

    He's just jealous you're using your parts and not his.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.