|
- Readme First! -
Read and follow the rules, otherwise your posts will be closed |
|
|
|
|
|
There are currently, 323 guest(s) and 0 member(s) that are online.
You are Anonymous user. You can register for free by clicking here |
|
|
|
|
|
|
 MikeMiles, a support staffer at Nuke Cops reported a new XSS exploit against PHP-Nuke and here is the patch that gets placed into the mainfile.php around line 674.
Find the following lines:
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^" >]*)[[:space:]]*\"?[^>]*>",
'<a href="1">', $str); # "
// Delete all attribs from Anchor, except an href, double quoted.
$str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);
// Delete all img tags
And place the following lines after:
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
This will prevent XSS javascript code. This is a common exploit that the patch guards against which could potentially steal the admin's cookie data.
|
|
Posted on Sunday, August 24 @ 22:36:15 CEST by Zhen-Xjell |
|
|
|
|
| |
|
|
| | The comments are owned by the poster. We aren't responsible for their content. |
| | | | |
| No Comments Allowed for Anonymous, please register | | | | |
Re: XSS Patch Released (Score: 1)
by sting on Sunday, August 24 @ 22:58:09 CEST
(User Info | Send a Message) http://www.nukehaven.net | Get an error:
Parse error: parse error in /home/mysite/public_html/mainfile.php on line 648
Fatal error: Call to a member function on a non-object in /home/mysite/public_html/index.php on line 18
What am I missing?
Thanks,
-sting |
Re: XSS Patch Released (Score: 1)
by Zhen-Xjell on Sunday, August 24 @ 23:08:48 CEST
(User Info | Send a Message) http://castlecops.com | | Make sure you added it correctly without touching the other code or having formatting issues. I'm going to commit mainfile.php from the beta site into the CVS in the next minute or two so you can compare there as well. |
]
]
Re: XSS Patch Released (Score: 1)
by sting on Sunday, August 24 @ 23:18:25 CEST
(User Info | Send a Message) http://www.nukehaven.net | Made sure they were identical. I get the same error on two sites. Going to keep looking at it. Wonder if I missed something in the copy/paste and the 1600x 1200 resolution.
|
]
Re: XSS Patch Released (Score: 1)
by Zhen-Xjell on Sunday, August 24 @ 23:20:28 CEST
(User Info | Send a Message) http://castlecops.com | | How about replacing it with our mainfile.php? Watch out for the include of navtap.php. If you aren't using navtap, just comment that line out. |
]
Re: XSS Patch Released (Score: 1)
by sting on Sunday, August 24 @ 23:21:40 CEST
(User Info | Send a Message) http://www.nukehaven.net | | Got another person with the error - I am wondering if there is something that is supposed to be installed elsewhere that I don't have on my site. |
]
]
]
How do you provoke the error?? (Score: 1)
by Jenses on Monday, August 25 @ 15:16:14 CEST
(User Info | Send a Message) http://visayas.dk | How do you prowoke that error.
I tried the fix as stated and havent seen any problems yet.
My environment is IIS5 with an oudated php and phpnuke 6.9 (its my test environment on my pc at home).
|
]
| | | | |
Re: XSS Patch Released (Score: 1)
by nopeace4u on Sunday, August 24 @ 23:22:26 CEST
(User Info | Send a Message) http://www.webhostgem.com | Have same problem -- http://test.clan-njk.com
Parse error: parse error in /home/clannjk/public_html/test/mainfile.php on line 683
Fatal error: Call to a member function on a non-object in /home/clannjk/public_html/test/index.php on line 18
|
]
Re: XSS Patch Released (Score: 1)
by xfsunolesphp on Monday, August 25 @ 21:36:49 CEST
(User Info | Send a Message) http://www.xfsunoles.com | $str = eregi_replace("]*href[[:space:]]*=[[:space:]]*."?javascript[[:punct:]]*."?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
Please remove period on coding in mainfile.php |
]
| | | | |
Re: XSS Patch Released (Score: 1)
by Zhen-Xjell on Sunday, August 24 @ 23:31:39 CEST
(User Info | Send a Message) http://castlecops.com | Please Note:
This patch was tested on several PHP-Nuke sites including 5.x and 6.x releases with 100% success rate.
I don't know why folks are having issues, but lets try to resolve them immediately. |
Re: XSS Patch Released (Score: 1)
by sting on Sunday, August 24 @ 23:35:58 CEST
(User Info | Send a Message) http://www.nukehaven.net | The newer mainfile worked on both sites - not sure why the original didn't but I still have a copy.
One thought - could we have the support staff on IM? I have a few of them on here but some of us who do not have the IM fields filled out are unreachable in real time... ;)
-sting
|
]
| | | | |
Re: XSS Patch Released (Score: 1)
by Feret on Sunday, August 24 @ 23:44:28 CEST
(User Info | Send a Message) http://www.sunandshadows.com | getting this error:
Parse error: parse error in /home/sunandsh/public_html/mainfile.php on line 656
Fatal error: Call to a member function on a non-object in /home/sunandsh/public_html/modules.php on line 22
here is the code around it
[code] // Delete all spaces from html tags .
$str = eregi_replace("]*href[[:space:]]*=[[:space:]]*"?[[:space:]]*([^" >]*)[[:space:]]*"?[^>]*>",
'', $str); # "
// Delete all attribs from Anchor, except an href, double quoted.
$str = eregi_replace("]*)[[:space:]]*>", '', $str);
// Delete all img tags
$str = eregi_replace("]*href[[:space:]]*=[[:space:]]*"?javascript[[:punct:]]*"?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
$tmp = "";
while (ereg("]*)>",$str,$reg)) {
[/code] |
Re: XSS Patch Released (Score: 1)
by Feret on Sunday, August 24 @ 23:47:04 CEST
(User Info | Send a Message) http://www.sunandshadows.com | I traced this error down in modules.php and its this line.
$result = $db->sql_query($sql);
i hate to jump the gun but could this be mysql4 related? |
]
Re: XSS Patch Released (Score: 1)
by Zhen-Xjell on Sunday, August 24 @ 23:50:02 CEST
(User Info | Send a Message) http://castlecops.com | | Hi, for some reason some folks are not correctly pasting in the code. So the best thing to do is download our mainfile.php from http://cvs.nukecops.com. Backup your old one first. If you read the comments above, others had the same issue, but the CVS version works. I've installed this on 5.x and 6.x websites with 100% success. My other staff did same with no problems. |
]
| | | | |
re: THE FIX (Score: 1)
by Evaders99 on Monday, August 25 @ 00:37:36 CEST
(User Info | Send a Message) http://www.swrebellion.com | Or not.. sorry, it seems that its stripping code it isn't supposed to.
Definitely copy this line from the CVS and it will work. |
]
]
]
re: THE FIX (Score: 1)
by smotrs on Monday, August 25 @ 16:20:23 CEST
(User Info | Send a Message) | But you'll notice that in the article, the slashes are after the quotes, rather then before the quotes. For example,
the article shows this "\
whereas it should be \" |
]
| | | | |
Re: XSS Patch Released (Score: 1)
by Zhen-Xjell on Monday, August 25 @ 12:39:40 CEST
(User Info | Send a Message) http://castlecops.com | Hi the article does in fact have the right code. It was missing slashes last night, but it was corrected earlier today.
Thanks |
]
Re: XSS Patch Released (Score: 1)
by jeffreym on Monday, August 25 @ 18:05:37 CEST
(User Info | Send a Message) | Not working with v6.9. I get the same parce errors and line 18 problem on all my installations. Here's what I'm inserting:
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*"\?javascript[[:punct:]]*"\?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com |
]
Re: XSS Patch Released (Score: 1)
by chatserv on Monday, August 25 @ 19:10:19 CEST
(User Info | Send a Message) http://nukeresources.com | | As stated elsewhere in the comments the backslash () is incorrectly placed after the double quotes ("), it should be the other way around. |
]
| | | | |
Re: XSS Patch Released (Score: 1)
by Panama on Tuesday, August 26 @ 00:07:42 CEST
(User Info | Send a Message) | I added the code - but then the security image stopped displaying when I tried to log in as admin.
Then I took the patch back out - and the security code will still not display! Help!
|
Re: XSS Patch Released (Score: 1)
by Panama on Tuesday, August 26 @ 01:10:48 CEST
(User Info | Send a Message) | Never mind - I had a blank line at the end of the file, that caused the problem.
I guess using the edit in Cpanel is not the right way to do this.
|
]
| | | | | |
