NukeCops
Admin.php XSS Patch Revision II
Security

Yesterday I released a hot-off-the-press admin.php patch. I learned of the exploit only 10 minutes prior to it. Today I found out that the graphic image doesn't show up because of it, so without further ado, here is version number 2 such that the image works.

if ($argv[0] != "") {                                  // $argv[0]: the request's query string, as admin.php sees it
    if (!preg_match("/op=gfx/", $argv[0])) {           // the gfx op (the security-code image) may be fetched from anywhere
        if (!preg_match("/admin.php/", $refer)) {      // every other op must be referred from admin.php itself
            echo "Nuke Cops Loves You http://nukecops.com";
            exit;                                      // stop before any admin operation runs
        }
    }
}
Posted on Tuesday, March 23 @ 11:10:39 CET by Zhen-Xjell

Re: Admin.php XSS Patch Revision II (Score: 1)
by speedx on Tuesday, March 23 @ 11:57:20 CET
My graphic still works... what version does it not work on? I'm using 6.8.



Re: Admin.php XSS Patch Revision II (Score: 1)
by ajthejuggalo on Tuesday, March 23 @ 12:15:42 CET
http://www.mwjz.com
This patch does kill the Protector pop-ups for when you click on an IP address...




Re: Admin.php XSS Patch Revision II (Score: 1)
by Zhen-Xjell on Tuesday, March 23 @ 12:18:35 CET
http://castlecops.com
Well, if version 1 works for you, then go with that. If it doesn't, use this version 2. As to Protector, I haven't gotten that far. I'd much rather work on a different solution instead of enhancing this patch. Do you need those pop-up windows, or can you just browse it all in the same window?



I don't get the problem... (Score: 1)
by Waldo on Tuesday, March 23 @ 23:50:05 CET
BEWARE. There is a new cross site browser scripting exploit where authentic PHP-Nuke admins may inadvertently create new authors, remove authors, and basically do any admin.php functions without their knowledge!

This makes no sense to me. Who is the "their" in "without their knowledge"? It sounds to me like nuke admins can do admin functions without their own knowledge?

Or is it saying that this exploit allows admins with limited privilege to override the limitations and do things that they aren't supposed to do, without the knowledge of the superadmin?

I'm just confused. If I'm the only admin on my site, do I need to worry about this?



Re: Admin.php XSS Patch Revision II (Score: 1)
by kbgus on Wednesday, March 24 @ 22:05:45 CET
http://www.stoneridgehoa.net
This patch breaks the ability to edit messages from the home (i.e. index.php) page. This adds it back:

if ($argv[0] != "") {                                  // $argv[0]: the request's query string
    if (!preg_match("/op=gfx/", $argv[0])) {           // gfx (security-code image) may be fetched from anywhere
        if (!preg_match("/admin.php/", $refer)) {      // anything else must be referred from admin.php...
            if (!preg_match("/op=editmsg/", $argv[0])) {   // ...except editmsg, which index.php links to
                echo "Nuke Cops Loves You http://nukecops.com";
                exit;
            }
        }
    }
}
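
The patch above and the editmsg variant in this comment both gate admin.php on the Referer header with a few exempt ops. The following is an added example, not NukeCops' patch or PHP-Nuke code, that generalises that check into one function: it parses the query string instead of substring-matching it (so op=gfx is only op=gfx) and accepts a Referer only when its host is this site and its path is admin.php, rather than any URL containing "admin.php". The function name, `$siteHost` and the sample requests are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the NukeCops patch: a referer gate for admin.php with an
// allowlist of ops that legitimately arrive from outside admin.php
// (op=gfx for the security-code image, op=editmsg from index.php).
// $siteHost is an assumed value for the site's own hostname.

function admin_request_allowed(string $queryString, string $referer, string $siteHost,
                               array $exemptOps = ['gfx', 'editmsg']): bool
{
    // A bare admin.php request (no query string) is left alone, as in the patch.
    if ($queryString === '') {
        return true;
    }
    parse_str($queryString, $params);               // exact op match, not a substring match
    $op = isset($params['op']) ? (string) $params['op'] : '';
    if (in_array($op, $exemptOps, true)) {
        return true;
    }
    // Every other op must be referred from admin.php on this very host.
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host']) || empty($parts['path'])) {
        return false;                                // missing or unparsable Referer: block
    }
    return strcasecmp($parts['host'], $siteHost) === 0
        && basename($parts['path']) === 'admin.php';
}

// Constructed sample requests covering the cases raised in the comments.
$siteHost = 'www.example.com';
$cases = [
    ['op=gfx',         '',                                         true],  // image fetch, no Referer needed
    ['op=editmsg',     'http://www.example.com/index.php',         true],  // edit message from the home page
    ['op=BlocksAdmin', 'http://www.example.com/admin.php?op=mod',  true],  // navigated inside admin.php
    ['op=BlocksAdmin', 'http://www.example.com/index.php',         false], // reached from index.php: blocked, as reported
    ['op=AddAuthor',   'http://other.example/admin.php',           false], // "admin.php" on another host: blocked
    ['op=AddAuthor',   '',                                         false], // Referer absent (proxy stripped it): blocked
];
foreach ($cases as [$query, $ref, $expected]) {
    $got = admin_request_allowed($query, $ref, $siteHost);
    printf("%-15s referer=%-40s -> %s%s\n", $query, $ref === '' ? '(none)' : $ref,
        $got ? 'allowed' : 'blocked', $got === $expected ? '' : '  (unexpected)');
}
```

The last case shows the limitation shared with the original patch: a legitimate admin whose browser or proxy strips the Referer is locked out, which is why a per-session token rather than a Referer check is the more robust fix.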



Re: Admin.php XSS Patch Revision II (Score: 1)
by tecnotronico on Saturday, March 27 @ 14:12:43 CET
Fellows,

I tried this and it didn't allow me to admin the blocks... it means I can't go into:

/admin.php?op=BlocksAdmin

I tried both versions without success... any idea??


Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)