BEWARE. There is a new cross-site browser scripting exploit where authentic PHP-Nuke admins may inadvertently create new authors, remove authors, and basically do any admin.php functions without their knowledge!
I created a quick patch to watch over this activity. In your admin.php, find my previous admin.php patch:
// A bare "?" at the start of a pattern has nothing to repeat and fails to
// compile; escape it so the pattern matches a literal "?admin".
if (preg_match('/\?admin/', $checkurl)) {
    echo "die";
    exit;
}
Add this before it:
//Security XSS Prevention by Zhen-Xjell 22 Mar 2004 NukeCops.com Copyright All Rights Reserved
// Referer and argv may be absent from the request, so read them defensively.
$refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : array();
// Only requests that carry query-string arguments are subject to the referer check.
if (!empty($argv[0])) {
    // Escape the dot so "admin.php" is matched literally.
    if (!preg_match('/admin\.php/', $refer)) {
        // The referer is client-supplied: escape it before echoing it back.
        echo "<BR>" . htmlspecialchars($refer) . "<BR>die";
        exit;
    }
}
And after it add this:
// Addition by Zhen-Xjell NukeCops.com Mar 22 2004 Copyright All Rights Reserved
if (preg_match('/AddAuthor/', $checkurl)) {
    echo "die";
    exit;
}
if (preg_match('/UpdateAuthor/', $checkurl)) {
    echo "die";
    exit;
}
Posted on Monday, March 22 @ 16:29:14 CET by Zhen-Xjell
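The two ideas this thread turns on, rejecting parameterised admin.php requests whose Referer is not the site's own admin.php and accepting author-management ops only when they arrive as POST fields, collected into one function as an added example. This is not the patch from the post above and not PHP-Nuke code. It takes the request arrays as parameters so it can be run against constructed sample requests; unlike the substring match in the patch, it compares the Referer host with HTTP_HOST and requires the path to end in /admin.php, and it rejects requests that send no Referer at all, which is the same trade-off djmaze raises in the comments. The function name admin_request_allowed, the host example.test and the op name some_other_op are assumptions made for the example.

```php
<?php
// Added example, not the patch from the post: $server, $get and $post
// stand in for $_SERVER, $_GET and $_POST so the checks can be exercised
// with constructed arrays. Returns 'allowed' or a 'denied: ...' reason.
function admin_request_allowed(array $server, array $get, array $post)
{
    $method  = isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : 'GET';
    $query   = isset($server['QUERY_STRING'])   ? $server['QUERY_STRING']   : '';
    $referer = isset($server['HTTP_REFERER'])   ? $server['HTTP_REFERER']   : '';
    $host    = isset($server['HTTP_HOST'])      ? strtolower($server['HTTP_HOST']) : '';
    $host    = preg_replace('/:\d+$/', '', $host);   // drop an explicit port

    // The two ops the thread names. They change state, so they are accepted
    // only as POST fields and never from the query string.
    $stateChanging = array('AddAuthor', 'UpdateAuthor');
    if (isset($get['op']) && in_array($get['op'], $stateChanging, true)) {
        return 'denied: ' . $get['op'] . ' must not arrive in the query string';
    }
    if (isset($post['op']) && in_array($post['op'], $stateChanging, true)
        && $method !== 'POST') {
        return 'denied: ' . $post['op'] . ' must be sent with POST';
    }

    // Requests that carry parameters must originate from our own admin.php.
    // The browser fills in Referer, so this stops a request that a third-party
    // page makes the admin's browser issue; it is not proof of origin, and a
    // client that sends no Referer is rejected (the trade-off djmaze raises).
    if ($query !== '' || !empty($post)) {
        if ($referer === '') {
            return 'denied: no Referer header';
        }
        $ref     = parse_url($referer);
        $refHost = isset($ref['host']) ? strtolower($ref['host']) : '';
        $refPath = isset($ref['path']) ? $ref['path'] : '';
        if ($refHost !== $host || substr($refPath, -10) !== '/admin.php') {
            return 'denied: Referer ' . $referer . ' is not our admin.php';
        }
    }
    return 'allowed';
}

// Constructed sample requests against a hypothetical site, example.test.
$base = array('HTTP_HOST' => 'example.test', 'REQUEST_URI' => '/admin.php');
$samples = array(
    'admin submits the edit-author form' => array(
        $base + array('REQUEST_METHOD' => 'POST', 'QUERY_STRING' => '',
                      'HTTP_REFERER' => 'http://example.test/admin.php?op=some_other_op'),
        array(),
        array('op' => 'UpdateAuthor', 'aid' => 'editor')),
    'admin follows a link inside admin.php' => array(
        $base + array('REQUEST_METHOD' => 'GET', 'QUERY_STRING' => 'op=some_other_op',
                      'HTTP_REFERER' => 'http://example.test/admin.php'),
        array('op' => 'some_other_op'), array()),
    'cross-site GET adding an author' => array(
        $base + array('REQUEST_METHOD' => 'GET', 'QUERY_STRING' => 'op=AddAuthor&name=x',
                      'HTTP_REFERER' => 'http://other.example/page.html'),
        array('op' => 'AddAuthor', 'name' => 'x'), array()),
    'cross-site POST from a look-alike path' => array(
        $base + array('REQUEST_METHOD' => 'POST', 'QUERY_STRING' => '',
                      'HTTP_REFERER' => 'http://other.example/admin.php'),
        array(), array('op' => 'UpdateAuthor', 'aid' => 'editor')),
    'client that sends no Referer' => array(
        $base + array('REQUEST_METHOD' => 'GET', 'QUERY_STRING' => 'op=some_other_op'),
        array('op' => 'some_other_op'), array()),
);

foreach ($samples as $name => $req) {
    printf("%-40s %s\n", $name, admin_request_allowed($req[0], $req[1], $req[2]));
}
```

The first two samples are allowed and the last three are denied. The fourth sample is the case the patch's own `preg_match("/admin.php/", $refer)` would let through, since any referer containing the text admin.php satisfies a substring match; comparing the host is what closes that gap. The last sample is the legitimate admin behind a proxy or browser that strips Referer, who is locked out by this check exactly as djmaze describes.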
Re: Admin Exploit - XSS Type (Score: 1) by Zhen-Xjell on Monday, March 22 @ 16:31:44 CET http://castlecops.com
Of course this means admin.php needs to be 'enhanced', which I'll begin work on right away.
Re: Admin Exploit - XSS Type (Score: 1) by djmaze on Monday, March 22 @ 16:52:28 CET http://www.cpgnuke.com
This fix will totally block people from accessing their admin area when using Opera, proxies or firewalls that don't send the HTTP_REFERER to the server.
I strongly advise modifying the buggy file in question.
"admin/modules/authors.php"
case "UpdateAuthor":
    // Only accept the op when it was submitted as a POST field.
    if (!isset($_POST['op']) || $_POST['op'] != 'UpdateAuthor') exit;
Re: Admin Exploit - XSS Type (Score: 1) by Zhen-Xjell on Monday, March 22 @ 16:58:28 CET http://castlecops.com
Your suggestion doesn't answer the code I have seen that effectively allows admins to be created. And as stated, this is a patch until admin.php can be 'enhanced'.
As for accessing admin.php, you are right: unless the referer is passed, access is cut off. So I highly recommend you use something that passes it.
Re: Admin Exploit - XSS Type (Score: 1) by Zhen-Xjell on Monday, March 22 @ 17:00:30 CET http://castlecops.com
In layman's terms... your suggestion doesn't work against all the XSS exploits for admin.php.
Re: Admin Exploit - XSS Type (Score: 1) by IACOJ on Monday, March 22 @ 17:41:21 CET
HTTP_REFERER is a value passed by the user browser.
Re: Admin Exploit - XSS Type (Score: 1) by Zhen-Xjell on Monday, March 22 @ 17:05:36 CET http://castlecops.com
Taking a look at the patch again, that means if any of the ops are used outside of 'updateauthor' then it doesn't work. That will effectively break the use of edit authors for authentic admins on the site.
Re: Admin Exploit - XSS Type (Score: 0, Flamebait) by inkydink1234 on Monday, March 22 @ 17:35:36 CET
wtf is this!!
// Addition by Zhen-Xjell NukeCops.com Mar 22 2004 Copyright All Rights Reserved
COPYRIGHT ?!? You've got to be kidding!! You cannot copyright simple PHP code like this. When are you going to come down off this ego trip of yours and get real? BTW, in case you haven't noticed, this is GPL. You really need to check out what the definition of intellectual property is, ZX, because a few lines of PHP code do not qualify. You really have gone off your nut here. In simple layman's terms, your copyright doesn't work.
Re: Admin Exploit - XSS Type (Score: 1) by IACOJ on Monday, March 22 @ 17:40:33 CET
http://www.gnu.org/licenses/gpl-faq.html#RequiredToClaimCopyright
http://www.copyright.gov/circs/circ1.html#wccc
Re: Admin Exploit - XSS Type (Score: 1) by TrevorE on Monday, March 22 @ 17:56:28 CET
Could you have come up with that patch?
I think ZX deserves credit for the work that he did in making this patch!
Re: Admin Exploit - XSS Type (Score: 1) by Tank863 on Monday, March 22 @ 20:16:49 CET http://tankweb.net
ZX, once again thank you.
I know that I could not have come out with the patch.
My point of view... whoever comes out with a patch gets the credit. No questions asked.
I could care less about someone's ego trip or whatever... as long as my site is secured as best as possible.
If I could make up the patches... I would probably have an ego also... but I can't right now...
Re: Admin Exploit - XSS Type (Score: 1) by ras on Tuesday, March 23 @ 00:38:57 CET
Can I get admin.php after the necessary corrections? Because I don't have the previous patch.
Re: Admin Exploit - XSS Type (Score: 1) by Sp4c3J4m on Tuesday, March 23 @ 01:04:45 CET http://www.fromspace.com.br
English : I consider it CONSTRUCTIVE to make ALL these considerations HERE, in the ORIGINAL FORUM POST [url]http://www.nukecops.com/postt25444.html[/url]
Portuguese : I consider it more CONSTRUCTIVE to make the comments in the original POST in the FORUM [url]http://www.nukecops.com/postt25444.html[/url]
Re: Admin Exploit - XSS Type (Score: 1) by J-Claude on Tuesday, March 23 @ 03:15:46 CET http://www.phpnuke-europe.org
Hello Zhen, admin.php patched looks like this now.
[CODE]
$checkurl = $_SERVER['REQUEST_URI'];
//Security XSS Prevention by Zhen-Xjell 22 Mar 2004 NukeCops.com Copyright All Rights Reserved
// Referer and argv may be absent from the request, so read them defensively.
$refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : array();
if (!empty($argv[0])) {
    // Escape the dot so "admin.php" is matched literally.
    if (!preg_match('/admin\.php/', $refer)) {
        // The referer is client-supplied: escape it before echoing it back.
        echo " " . htmlspecialchars($refer) . " die";
        exit;
    }
}
// A bare "?" at the start of a pattern has nothing to repeat and fails to
// compile; escape it so the pattern matches a literal "?admin".
if (preg_match('/\?admin/', $checkurl)) {
    echo "die";
    exit;
}
// Addition by Zhen-Xjell NukeCops.com Mar 22 2004 Copyright All Rights Reserved
if (preg_match('/AddAuthor/', $checkurl)) {
    echo "die";
    exit;
}
if (preg_match('/UpdateAuthor/', $checkurl)) {
    echo "die";
    exit;
}
require_once("mainfile.php");
get_lang('admin');
[/CODE]
Some of my friends have this error now:
Warning: Compilation failed: nothing to repeat at offset 0 in /home/hosts/NAMEOFSITE/www/admin.php on line 26
Any idea?
Best regards
Re: Admin Exploit - XSS Type (Score: 1) by ninjaf4 on Friday, March 26 @ 10:35:51 CET
Yes, you've got two instances of this part:
// The "?" must be escaped, otherwise the pattern fails to compile.
if (preg_match('/\?admin/', $checkurl)) {
    echo "die";
    exit;
}
Remove the 1st instance and all should be good.
Re: Admin Exploit - XSS Type (Score: 1) by USGroup1 on Tuesday, March 23 @ 09:58:15 CET
After applying this patch, the administrator block on the main page (referer: index.php) doesn't work.
Re: Admin Exploit - XSS Type (Score: 1) by Zhen-Xjell on Tuesday, March 23 @ 11:12:37 CET http://castlecops.com
They don't work because you aren't in admin.php. Like djmaze stated, these complications will not exist if you do not implement my patch. But then if you don't implement the patch, you open yourself up to a big big hole. You can choose.
And as stated, this is a patch. Not a final fix.
Re: Admin Exploit - XSS Type (Score: 1) by ninjaf4 on Friday, March 26 @ 10:32:08 CET
Tried it on my site with the new code, v2 I think, which the image shows, but no image shows??
Re: Admin Exploit - XSS Type (Score: 1) by ninjaf4 on Friday, March 26 @ 11:12:39 CET
OK, 1 more thing: now every time I click a link in the admin panel it says nukecops loves ya :)
So I went back to the old admin file BUT added these lines to the top:
$ip = getenv("REMOTE_ADDR");
// Allow only the listed addresses; every other client is stopped here.
if ($ip != "MY-IP-HERE" AND $ip != "MY-IP-HERE") {
    echo "";
    exit;
}
This I believe will stop anyone gaining access to my admin panel. It will also log anyone trying to go to the admin.php file that doesn't have my IP, which is everyone except me :) I did the same to the authors page just in case.
Any feedback on this please.
Re: Admin Exploit - XSS Type (Score: 1) by Kilim on Friday, March 26 @ 20:11:40 CET
Where can I find the previous admin.php patch?
Re: Admin Exploit - XSS Type (Score: 1) by Kiblet on Friday, April 02 @ 14:33:30 CEST
It's in this thread here, posted by Chatserv:
http://nukecops.com/postitle25444-0-0-stristr+server+querystring.html
Kiblet
Re: Admin Exploit - XSS Type (Score: 1) by Kiblet on Friday, April 02 @ 16:37:07 CEST
I just downloaded the PHPNuke 2.3 patch for 7.0, which just came out today. I installed everything.
I'm concerned that I may have undone previous patches, including this one. It's the same author, but my admin.php patched section doesn't resemble this anymore.
Do I need to apply this patch again?
Thanks,
Kiblet