Admin Tap XSS Version 3 Patch

I'm incorporating some of my previous XSS patches into one known now as Admin Tap. The most current is talked about here. Version three allows admins to make use of the admin block links from outside the admin CP. Simply install this into your admin.php after the opening PHP tag.
//Admin Tap
//Security XSS Prevention by Zhen-Xjell @ http://NukeCops.com
//Nuke Cops: Official PHP-Nuke Development Team
//Version 3: 26 Apr 2004
//Unsets used to help sites with register_globals on (otherwise a visitor could
//pre-set these variables from the query string before they are assigned below).
unset($refer);
unset($argv);
unset($checkurl);
//Variable assignments: referer, raw query string ($_SERVER['argv'][0] is only
//populated when register_argc_argv is on) and the request URI.
$refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
$argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : array("");
$checkurl = $_SERVER['REQUEST_URI'];
//Check how admin.php applications are accessed.
//Used to prevent XSS hacks like those found in the bbcode IMG tags.
// http://nukecops.com/article1797.html
//An admin op with a query string must be reached from another admin.php page,
//except op=gfx (security image) and the submissions/downloads links of the admin block.
if ($argv[0] != "") {
    if (!preg_match("/op=gfx/", $argv[0])) {
        if (!preg_match("/op=submission/", $argv[0]) && !preg_match("/op=downloads/", $argv[0])) {
            if (!preg_match("/admin\.php/", $refer)) {
                //htmlspecialchars() so the rejected referer is not echoed back as live HTML.
                echo "<BR>" . htmlspecialchars($refer) . "<BR><a href=\"http://nukecops.com\">Nuke Cops Slaps You Silly</a>";
                exit;
            }
        }
    }
}
// http://www.nukecops.com/article-1793--0-0.html
// http://www.nukecops.com/article810.html
//Some of these are more redundant at this point than anything else.
//The ? must be escaped as \? : an unescaped /?admin/ is a quantifier with nothing
//before it and fails to compile ("nothing to repeat at offset 0"), so preg_match()
//returns false and the check silently never fires.
if (preg_match("/\?admin/", $checkurl)) {
    echo "<a href=\"http://nukecops.com\">Nuke Cops Slaps You Silly</a>";
    exit;
}
if (preg_match("/AddAuthor/", $checkurl)) {
    echo "<a href=\"http://nukecops.com\">Nuke Cops Slaps You Silly</a>";
    exit;
}
if (preg_match("/UpdateAuthor/", $checkurl)) {
    echo "<a href=\"http://nukecops.com\">Nuke Cops Slaps You Silly</a>";
    exit;
}
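The same checks written as one testable function, as an added example: this is not the Nuke Cops patch, the function and variable names are hypothetical, the requests are constructed, and it assumes PHP 7.1 or later. It uses the escaped \? that the thread identifies as the missing slash, and shows which admin-block links pass the referer gate and which crafted URIs are refused.

```php
<?php
// Added example, not the Nuke Cops patch: the Admin Tap rules as one pure
// function so they can be exercised offline. Names are hypothetical; the
// requests below are constructed.
function admin_tap_allowed(array $server): array {
    $refer    = $server['HTTP_REFERER'] ?? '';
    $query    = $server['argv'][0] ?? '';   // argv[0] is the raw query string
    $checkurl = $server['REQUEST_URI'] ?? '';
    // Rule 1 (referer gate): an admin op must be reached from an admin.php
    // page, except op=gfx and the admin-block ops submissions/downloads.
    if ($query !== ''
        && !preg_match('/op=gfx/', $query)
        && !preg_match('/op=(submission|downloads)/', $query)
        && !preg_match('/admin\.php/', $refer)) {
        return [false, 'referer is not admin.php'];
    }
    // Rule 2 (URI patterns): a crafted link must never carry these in the URI.
    // \? is escaped; an unescaped /?admin/ does not compile ("nothing to
    // repeat"), preg_match() returns false and the rule silently never fires.
    foreach (['/\?admin/', '/AddAuthor/', '/UpdateAuthor/'] as $pattern) {
        if (preg_match($pattern, $checkurl)) {
            return [false, "blocked pattern $pattern"];
        }
    }
    return [true, 'ok'];
}
// Constructed requests: [description, $_SERVER subset, expected verdict]
$cases = [
    ['op from the admin CP',
     ['HTTP_REFERER' => 'http://site.test/admin.php?op=main',
      'argv' => ['op=modules'], 'REQUEST_URI' => '/admin.php?op=modules'], true],
    ['same op via an IMG tag in a forum post',
     ['HTTP_REFERER' => 'http://site.test/modules.php?name=Forums',
      'argv' => ['op=modules'], 'REQUEST_URI' => '/admin.php?op=modules'], false],
    ['admin block link from the front page',
     ['HTTP_REFERER' => 'http://site.test/index.php',
      'argv' => ['op=submissions'], 'REQUEST_URI' => '/admin.php?op=submissions'], true],
    ['AddAuthor in a GET link, even from the CP',
     ['HTTP_REFERER' => 'http://site.test/admin.php',
      'argv' => ['op=AddAuthor'], 'REQUEST_URI' => '/admin.php?op=AddAuthor'], false],
    ['?admin= in the query string, which the \?admin rule is there to catch',
     ['HTTP_REFERER' => 'http://site.test/admin.php',
      'argv' => ['admin=x'], 'REQUEST_URI' => '/admin.php?admin=x'], false],
];
foreach ($cases as [$label, $server, $expected]) {
    [$ok, $why] = admin_tap_allowed($server);
    printf("%-62s %s (%s)\n", $label, $ok === $expected ? 'PASS' : 'FAIL', $why);
}
```

Every case should print PASS; the second case is the IMG-tag scenario the patch exists for, where the admin's own browser sends the request with a non-admin referer.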
Posted on Monday, April 26 @ 22:00:16 CEST by Zhen-Xjell
Re: Admin Tap XSS Version 3 Patch (Score: 1) by genoxide on Monday, April 26 @ 22:15:51 CEST http://www.projectxero.org
If someone fakes the reference, is it possible he can get in?
e.g., what if I fake that I came from www.nukecops.com/admin.php?
Re: Admin Tap XSS Version 3 Patch (Score: 1) by Zhen-Xjell on Monday, April 26 @ 22:17:57 CEST http://castlecops.com
The problem here is the actual admin being faked and not anyone else. It's links that exist in IMG tags, etc., that can cause an authentic admin to break his own site. This patch stops that from occurring.
Re: Admin Tap XSS Version 3 Patch (Score: 1) by genoxide on Monday, April 26 @ 22:43:18 CEST http://www.projectxero.org
I get some errors:
Warning: Compilation failed: nothing to repeat at offset 0 in /home/name/public_html/admin.php on line 51
Warning: Cannot modify header information - headers already sent by (output started at /home/name/public_html/admin.php:51) in /home/name/public_html/includes/blocker.php on line 425
On line 51 I have if (preg_match("/?admin/", "$checkurl")) {
Re: Admin Tap XSS Version 3 Patch (Score: 1) by Adis on Monday, April 26 @ 23:04:43 CEST
I get only this: Warning: Compilation failed: nothing to repeat at offset 0 in /home/name/public_html/admin.php on line 55
Re: Admin Tap XSS Version 3 Patch (Score: 1) by genoxide on Tuesday, April 27 @ 05:56:22 CEST http://www.projectxero.org
Yeah, that's what I get, but I have the Protector so I get another warning about headers.
I also get the red X in the security code.
Re: Admin Tap XSS Version 3 Patch (Score: 1) by Zhen-Xjell on Tuesday, April 27 @ 06:46:18 CEST http://castlecops.com
That's the first time I've heard of those errors... This has been released before and I've never seen reports of errors. What happens if you temporarily disable Protector?
Re: Admin Tap XSS Version 3 Patch (Score: 1) by Zhen-Xjell on Tuesday, April 27 @ 09:39:34 CEST http://castlecops.com
Odd, until this news article there have not been reports of this stuff. I'm not even having issues on my sites. How to track down?
Re: Admin Tap XSS Version 3 Patch (Score: 1) by dmolavi on Tuesday, April 27 @ 10:02:05 CEST http://www.nukedgallery.net
Not sure... don't know why the regex is causing issues with compilation (maybe a Zend Optimizer thing? I have 2.5.1 running), nor why the admin can't be logged out.
Re: Admin Tap XSS Version 3 Patch (Score: 1) by foxyfemfem on Tuesday, April 27 @ 06:35:11 CEST
Hello,
For those who have register_globals on, can't they add something like this to their .htaccess file?
php_flag register_globals off
Re: Admin Tap XSS Version 3 Patch (Score: 1) by Zhen-Xjell on Tuesday, April 27 @ 06:46:50 CEST http://castlecops.com
One could do that, but not all installations will support register_globals off in PHP-Nuke.
Re: Admin Tap XSS Version 3 Patch (Score: 1) by dmolavi on Tuesday, April 27 @ 08:03:52 CEST http://www.nukedgallery.net
Using the admin block on my site, I still get the "NukeCops slaps you silly" page when trying to access the admin page from any other page besides the admin CP.
Re: Admin Tap XSS Version 3 Patch (Score: 1) by Zhen-Xjell on Tuesday, April 27 @ 08:39:44 CEST http://castlecops.com
The only links that work from the admin block currently under this patch are the submissions and downloads.
Re: Admin Tap XSS Version 3 Patch (Score: 1) by Mouldy_punk on Sunday, May 16 @ 08:23:27 CEST http://www.mouldypunk.com
I get this error message:
Warning: Compilation failed: nothing to repeat at offset 0 in /hsphere/local/home/gtauknet/gtaisland.gta-shack.com/admin.php on line 46
But I can still use the admin panel; it just says that above the header.
Re: Admin Tap XSS Version 3 Patch (Score: 1) by Mouldy_punk on Sunday, May 16 @ 09:04:17 CEST http://www.mouldypunk.com
Sorry, the slash didn't show in the last comment for some reason... anyway, it was a slash that was missing.
Re: Admin Tap XSS Version 3 Patch (Score: 1) by jeffulri on Monday, May 17 @ 10:54:10 CEST
I assume that this is redundant if you're running PHP-Nuke 7.3?