Admin.php XSS Patch Revision II

Yesterday I released a hot off the press admin.php patch. I learned of the exploit only 10 minutes prior to it. Today I found out that the graphic image doesn't show up because of it, so without further ado, here is version number 2 such that the image works.

    if ($argv[0] != "") {                                // the request carries a query string
        if (!preg_match("/op=gfx/", "$argv[0]")) {       // op=gfx (the admin graphic) is exempt
            if (!preg_match("/admin.php/", "$refer")) {  // everything else must be referred from admin.php
                echo "Nuke Cops Loves You http://nukecops.com";
                exit;
            }
        }
    }

Posted on Tuesday, March 23 @ 11:10:39 CET by Zhen-Xjell
Re: Admin.php XSS Patch Revision II (Score: 1) by speedx on Tuesday, March 23 @ 11:57:20 CET
My graphic still works.. what version does it not work on? I'm using 6.8.
Re: Admin.php XSS Patch Revision II (Score: 1) by ajthejuggalo on Tuesday, March 23 @ 12:15:42 CET (http://www.mwjz.com)
This patch does kill the Protector pop-ups for when you click on an IP address...
Re: Admin.php XSS Patch Revision II (Score: 1) by Zhen-Xjell on Tuesday, March 23 @ 12:18:35 CET (http://castlecops.com)
Well, if version 1 works for you, then go with that. If it doesn't, use this version 2. As to Protector, I haven't gotten that far. I'd much rather work on a different solution instead of enhancing this patch. Do you need those pop-up windows, or can you just browse it all in the same window?
Re: Admin.php XSS Patch Revision II (Score: 1) by Tank863 on Tuesday, March 23 @ 18:00:11 CET (http://tankweb.net)
I was going to comment on the Protector issue also...
With the 1st patch, it does prevent you from checking on an IP; it also prevents you from Protecting a Module.
When I installed the second patch.. this also had the same issue.
However.. I am more inclined to see a full fix issued and my site 'secured' as well as can be expected than to worry about whether Protector's pop-up works.
Protector is still working as far as I can tell... just not the pop-up checking on the IP and Pro-Mod...
Re: Admin.php XSS Patch Revision II (Score: 1) by Zhen-Xjell on Tuesday, March 23 @ 21:43:10 CET (http://castlecops.com)
The pop-up method is a departure from the standard phpnuke administration routines. It would be better to bring that portion in-line and do away with the javascript to maintain uniformity.
I don't get the problem... (Score: 1) by Waldo on Tuesday, March 23 @ 23:50:05 CET
"BEWARE. There is a new cross site browser scripting exploit where authentic PHP-Nuke admins may inadvertently create new authors, remove authors, and basically do any admin.php functions without their knowledge!"
This makes no sense to me. Who is the "their" in "without their knowledge"? It sounds to me like nuke admins can do admin functions without their own knowledge?
Or is it saying that this exploit allows admins with limited privilege to override the limitations and do things that they aren't supposed to do, without the knowledge of the superadmin?
I'm just confused. If I'm the only admin on my site, do I need to worry about this?
Re: Admin.php XSS Patch Revision II (Score: 1) by kbgus on Wednesday, March 24 @ 22:05:45 CET (http://www.stoneridgehoa.net)
This patch breaks the ability to edit messages from the home (i.e. index.php) page. This adds it back:

    if ($argv[0] != "") {                                    // the request carries a query string
        if (!preg_match("/op=gfx/", "$argv[0]")) {           // op=gfx (the admin graphic) is exempt
            if (!preg_match("/admin.php/", "$refer")) {      // not referred from admin.php...
                if (!preg_match("/op=editmsg/", "$argv[0]")) {  // ...and not the editmsg link from index.php
                    echo "Nuke Cops Loves You http://nukecops.com";
                    exit;
                }
            }
        }
    }
Re: Admin.php XSS Patch Revision II (Score: 1) by hamesh on Thursday, March 25 @ 01:48:48 CET (http://www.belchfire.net)
I still can't edit stories from the article pages, but the URL is op=EditStory&sid=xxxx. I tried adding this to your modified code but no go. Any suggestions? No big. I can still edit articles from the Admin menu...
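The following is an added example, not the patch from the post and not PHP-Nuke's own code. It collects the guard from the post, kbgus's op=editmsg exemption and hamesh's op=EditStory case into one function so the exemptions live in a single list, and it compares the host and path of the Referer against the site's own host instead of testing whether the text "admin.php" occurs anywhere in the header (the substring test in the patch also fails for admins whose browser or proxy sends no Referer at all). The function name admin_request_allowed, the $site_host value, the constructed sample requests and the op name ExampleOp are assumptions; the query string and Referer are passed in as plain strings rather than read from $argv[0] and $refer.

```php
<?php
// Added example; not the page's patch nor PHP-Nuke code.
// Decide whether an admin.php request is allowed, given the raw query string,
// the Referer header (empty string when absent) and this site's hostname.
function admin_request_allowed(string $query_string, string $referer, string $site_host): bool
{
    // Same as the original patch: a request with no query string is never blocked.
    if ($query_string === '') {
        return true;
    }

    // Pull "op" out of the query string instead of regex-matching the raw text.
    parse_str($query_string, $params);
    $op = isset($params['op']) ? (string) $params['op'] : '';

    // Operations that are legitimately reached from pages other than admin.php.
    // Every entry here bypasses the Referer check completely, so keep the list to
    // ops that only render an image or an edit form, never to ops that save changes.
    //   gfx       - the admin graphic (post)
    //   editmsg   - edit a message from index.php (kbgus)
    //   EditStory - edit a story from the article page (hamesh)
    $exempt_ops = ['gfx', 'editmsg', 'EditStory'];
    if (in_array($op, $exempt_ops, true)) {
        return true;
    }

    // Everything else must be referred from admin.php on this site: check the
    // parsed host and the last path component, not a substring of the header.
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host']) || empty($parts['path'])) {
        return false;   // no usable Referer: block (same outcome as the patch)
    }
    if (strcasecmp($parts['host'], $site_host) !== 0) {
        return false;   // referred from some other host
    }
    return basename($parts['path']) === 'admin.php';
}

// Constructed sample requests (assumed site host example.org; ExampleOp is a made-up op name).
$site = 'example.org';
$samples = [
    // query string            referer                                       expected
    ['op=gfx',                 '',                                           true],
    ['op=editmsg&mid=3',       'http://example.org/index.php',               true],
    ['op=EditStory&sid=12',    'http://example.org/modules.php?name=News',   true],
    ['op=BlocksAdmin',         'http://example.org/admin.php',               true],
    ['op=BlocksAdmin',         '',                                           false],
    ['op=ExampleOp&x=1',       'http://example.org/admin.php?op=ExampleOp',  true],
    ['op=ExampleOp&x=1',       'http://other.example/admin.php',             false],
];

foreach ($samples as [$qs, $ref, $expected]) {
    $got = admin_request_allowed($qs, $ref, $site);
    printf("%-22s referer=%-44s -> %s%s\n",
        $qs,
        $ref === '' ? '(none)' : $ref,
        $got ? 'allow' : 'block',
        $got === $expected ? '' : '  (unexpected)');
}
```

The Referer header is optional and is stripped by some browsers, privacy extensions and proxies, so any referer-based guard will turn away a share of legitimate admins no matter how carefully it is written; the durable fix for the problem the post describes is a per-session token carried in every admin form and link and verified by admin.php before it acts.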
Re: Admin.php XSS Patch Revision II (Score: 1) by tecnotronico on Saturday, March 27 @ 14:12:43 CET
Fellows,
I tried this and it didn't allow me to admin the blocks... it means I can't go into:
/admin.php?op=BlocksAdmin
I tried both versions without success.... any idea??

Re: Admin.php XSS Patch Revision II (Score: 1) by tecnotronico on Saturday, March 27 @ 14:14:01 CET
Please note I have Nuke 7.1 with Patch 2.2...
Any help!!!