You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 307 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Admin Exploit - XSS Type
SecurityBEWARE. There is a new cross site browser scripting exploit where authentic PHP-Nuke admins may inadvertantly create new authors, remove authors, and basically do any admin.php functions without their knowledge!

I created a quick patch to watch over this activity. In your admin.php, find my previous admin.php patch:


if (preg_match("/?admin/", "$checkurl")) {
echo "die";
exit;
}



Add this before it:


//Security XSS Prevention by Zhen-Xjell 22 Mar 2004 NukeCops.com Copyright All Rights Reserved
$refer = $_SERVER['HTTP_REFERER'];

$argv = $_SERVER['argv'];

if ($argv[0] != "") {
if (!preg_match("/admin.php/", "$refer")) {
echo "<BR>$refer<BR>die";
exit;
}
}




And after it add this:


// Addition by Zhen-Xjell NukeCops.com Mar 22 2004 Copyright All Rights Reserved
if (preg_match("/AddAuthor/", "$checkurl")) {
echo "die";
exit;
}
if (preg_match("/UpdateAuthor/", "$checkurl")) {
echo "die";
exit;
}

Posted on Monday, March 22 @ 16:29:14 CET by Zhen-Xjell
 
Related Links
· Computer Cops
· More about Security
· News by Zhen-Xjell


Most read story about Security:
PHP-Nuke admin.php security hole - PATCHED

Article Rating
Average Score: 3.33
Votes: 12


Please take a second and vote for this article:

Excellent
Very Good
Good
Regular
Bad


Options

 Printer Friendly Page  Printer Friendly Page

 Send to a Friend  Send to a Friend

Threshold
The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register

Re: Admin Exploit - XSS Type (Score: 1)
by Zhen-Xjell on Monday, March 22 @ 16:31:44 CET
(User Info | Send a Message) http://castlecops.com
Of course this means admin.php needs to be 'enhanced' which I'll begin work on right away.



Re: Admin Exploit - XSS Type (Score: 1)
by djmaze on Monday, March 22 @ 16:52:28 CET
(User Info | Send a Message) http://www.cpgnuke.com
This fix will totally block people from accessing their admin area when using Opera, proxies or firewalls that don't send the HTTP_REFERER to the server.

I strongly advice the modify the buggy file in question.
"admin/modules/authors.php"

case "UpdateAuthor":
if ($_POST['op'] != 'UpdateAuthor') exit;



Re: Admin Exploit - XSS Type (Score: 0, Flamebait)
by inkydink1234 on Monday, March 22 @ 17:35:36 CET
(User Info | Send a Message)
wtf is this!!
// Addition by Zhen-Xjell NukeCops.com Mar 22 2004 Copyright All Rights Reserved

COPYRIGHT ?!? You've got to be kidding!! You cannot copyright simple php code like this. When are you going to come down off this ego trip of yours and get real? BTW, in case you haven't noticed, this is GPL. You really need to check out what the definition of intellectual property is ZX because a few lines of PHP code does not qualify. You really have gone off your nut here. In simple layman's terms, your copyright doesn't work.



Re: Admin Exploit - XSS Type (Score: 1)
by ras on Tuesday, March 23 @ 00:38:57 CET
(User Info | Send a Message)
Can I get admin.php after necessory corrections?. Becuse I haven't the previous patch.



Re: Admin Exploit - XSS Type (Score: 1)
by Sp4c3J4m on Tuesday, March 23 @ 01:04:45 CET
(User Info | Send a Message) http://www.fromspace.com.br
English : I consider CONSTRUCTIVE, to make ALL this considerations HERE, in the ORIGINAL FORUM POST [url]http://www.nukecops.com/postt25444.html[/url]

Portuguese : Considero mais CONSTRUTIVO fazer os comentários no POST original no FORUM [url]http://www.nukecops.com/postt25444.html[/url]



Re: Admin Exploit - XSS Type (Score: 1)
by J-Claude on Tuesday, March 23 @ 03:15:46 CET
(User Info | Send a Message) http://www.phpnuke-europe.org
Hello Zhen admin.php patched look like this now.
[CODE]
$checkurl = $_SERVER['REQUEST_URI'];
//Security XSS Prevention by Zhen-Xjell 22 Mar 2004 NukeCops.com Copyright All Rights Reserved
$refer = $_SERVER['HTTP_REFERER'];

$argv = $_SERVER['argv'];

if ($argv[0] != "") {
if (!preg_match("/admin.php/", "$refer")) {
echo "
$refer
die";
exit;
}
}
if (preg_match("/?admin/", "$checkurl")) {
echo "die";
exit;
}
// Addition by Zhen-Xjell NukeCops.com Mar 22 2004 Copyright All Rights Reserved
if (preg_match("/AddAuthor/", "$checkurl")) {
echo "die";
exit;
}
if (preg_match("/UpdateAuthor/", "$checkurl")) {
echo "die";
exit;
}
require_once("mainfile.php");
get_lang(admin);
[/CODE]

part of my friends have this error now:

Warning: Compilation failed: nothing to repeat at offset 0 in /home/hosts/NAMEOFSITE/www/admin.php on line 26

an idea ?
best regards



Re: Admin Exploit - XSS Type (Score: 1)
by USGroup1 on Tuesday, March 23 @ 09:58:15 CET
(User Info | Send a Message)
after applying this patch adminstrator block in main page (referer : index.php) doesn't work.



Re: Admin Exploit - XSS Type (Score: 1)
by ninjaf4 on Friday, March 26 @ 10:32:08 CET
(User Info | Send a Message)
tried it on my site with the new code v2 i think
which the image shows but no image shows ??



Re: Admin Exploit - XSS Type (Score: 1)
by ninjaf4 on Friday, March 26 @ 11:12:39 CET
(User Info | Send a Message)
ok 1 more thing now everytime i clcik a link in the admin panal it says nukecops loves ya :)

so i went back to the old admin file BUT added these lines to the top

$ip = getenv("REMOTE_ADDR");
if ($ip != "MY-IP-HERE" AND $ip != "MY-IP-HERE") {

echo "";
}

this i belive will stop any one gaining access to my admin panel it will also log any one trying to go to the admin.php file that dosnt have my ip which is everyone cept me :) i did the same to the authors page just in case

any feedback on this please



Re: Admin Exploit - XSS Type (Score: 1)
by Kilim on Friday, March 26 @ 20:11:40 CET
(User Info | Send a Message)
Where can I find the previous admin.php patch?



Re: Admin Exploit - XSS Type (Score: 1)
by Kiblet on Friday, April 02 @ 16:37:07 CEST
(User Info | Send a Message)
I just downloaded the PHPNuke 2.3 patch for 7.0, which just came out today. I installed everything.

I'm concerned that I may have un-done previous patches, including this one. It's the same author, but my admin.php patched section doesn't resemble this anymore.

Do I need to apply this patch again?

Thanks,
Kiblet


Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.037 Seconds - 309 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::