Nuke Cops :: View topic - admin.php security hole
chatserv (General) | Joined: Jan 12, 2003 | Posts: 3128 | Location: Puerto Rico
Posted: Sun Oct 12, 2003 8:32 pm

Correct, the code is exactly the same one ZX created, only the variable changed.

_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
Johan1982 (Nuke Soldier) | Joined: Oct 13, 2003 | Posts: 22
Posted: Sun Oct 12, 2003 8:33 pm

Must the code be placed the way it is in cvs.nukecops.com?
echostorm (Nuke Soldier) | Joined: Oct 13, 2003 | Posts: 33
Posted: Sun Oct 12, 2003 8:33 pm

Noob admin here. What is RSS? I have implemented that code into admin.php and it works fine for logging in, but how do I test it to make sure there are no conflicts? Thanks, echostorm
tinjaw (Nuke Cadet) | Joined: Oct 12, 2003 | Posts: 4
Posted: Sun Oct 12, 2003 8:38 pm

echostorm: An RSS feed is what one site uses to post the headlines of another site.

Scroll to the bottom of this page and look at the orange XML button. That is an RSS feed you could use on your site.
BobMarion (Nuke Soldier) | Joined: Feb 20, 2003 | Posts: 17
Posted: Sun Oct 12, 2003 9:34 pm

Wouldn't it be better to use
Code:
$whatever = $_SERVER['REQUEST_URI'];

if (preg_match("/\?admin/", "$whatever")) {
echo "die";
exit;
}
instead of
Code:
$whatever = getenv("REQUEST_URI");

if (preg_match("/\?admin/", "$whatever")) {
echo "die";
exit;
}
to remain compliant with newer nuke versions?

_________________
Bob Marion
http://www.nukescripts.net
Codito Ergo Sum
rudedog (Nuke Cadet) | Joined: Aug 10, 2003 | Posts: 3
Posted: Mon Oct 13, 2003 1:42 am

What version of Nuke does this patch? I have two sites, one 6.0 with the phpBB port and a 6.8.

Will this fix the download/weblinks vulnerability?

Thanks for any help and all you do for the community, NukeCops!

_________________
Not so Rude
-RudeDog
http://www.codadmin.com
http://www.MOHadmin.com/nuke
RikMerle (Nuke Soldier) | Joined: Mar 18, 2003 | Posts: 16
Posted: Mon Oct 13, 2003 2:41 am

When adding this to admin.php it gives problems with newly added downloads: when entering the URL for a download, it is changed to /admin.php after the download URL is saved into the DB.

Or did I make a mistake here?

_________________
My PHP-Nuke Playground:
http://www.rikmerle.com
---
RikMerle (Nuke Soldier) | Joined: Mar 18, 2003 | Posts: 16
Posted: Mon Oct 13, 2003 2:51 am

RikMerle wrote:
When adding this first option to admin.php it gives
problems with newly added downloads: when entering the URL for a
download, it is changed to /admin.php after the download URL is saved
into the DB.

Or did I make a mistake here?


When adding the solution from BobMarion it worked, so what is the difference
between the 2 solutions?

_________________
My PHP-Nuke Playground:
http://www.rikmerle.com
---
Zhen-Xjell (Nuke Cops Founder) | Joined: Nov 14, 2002 | Posts: 5939
Posted: Mon Oct 13, 2003 5:34 am

speedx wrote:
tinjaw, that's only if you are using RSS, correct? Use the code chatserv posted?
Yes, use the code chatserv posted above. That's the patch I wrote, but when I placed it on the front page, Nuke stripped out some of my code.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
Zhen-Xjell (Nuke Cops Founder) | Joined: Nov 14, 2002 | Posts: 5939
Posted: Mon Oct 13, 2003 5:37 am

The difference between getenv and $_SERVER is that getenv is backward compatible, whereas $_SERVER is a relatively new one. The latter wouldn't work in older PHP versions (although the new one is supposed to be more secure).

The code is now in cvs.nukecops.com, so you can download admin.php from our site.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
RikMerle (Nuke Soldier) | Joined: Mar 18, 2003 | Posts: 16
Posted: Mon Oct 13, 2003 6:34 am

Zhen-Xjell wrote:
The difference between getenv and $_SERVER is that getenv is backward compatible, whereas $_SERVER is a relatively new one. The latter wouldn't work in older PHP versions (although the new one is supposed to be more secure).

The code is now in cvs.nukecops.com, so you can download admin.php from our site.


Thanks Paul, I edited admin.php myself with the solution given by BobMarion
and everything works great, as we have the latest PHP version in use.

Big thanks to those who participated in this update!

_________________
My PHP-Nuke Playground:
http://www.rikmerle.com
---
sambeckett (Corporal) | Joined: Jun 25, 2003 | Posts: 63
Posted: Mon Oct 13, 2003 6:44 am

Almost done with getting the updated admin.php file zipped up and linked from your front page?
moogles (Sergeant) | Joined: Mar 26, 2003 | Posts: 93 | Location: FFXI -Hades
Posted: Mon Oct 13, 2003 6:51 am

Curious, I noticed all 3 had

Quote:
if (preg_match("/\?admin/", "$whatever")) {
echo "die";
exit;
}

The question is...
which do I use for the first line?
$whatever
$url
$checkmyurl
or what DO I actually put there?
chatserv (General) | Joined: Jan 12, 2003 | Posts: 3128 | Location: Puerto Rico
Posted: Mon Oct 13, 2003 6:58 am

$checkmyurl, or else use a made-up variable, but $checkmyurl should be OK as it was already tested. As for Bob's post, I agree, so if you have PHP 4.1.0 or better use:
$_SERVER['REQUEST_URI']
else keep the code as posted above.

_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
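The check the thread converges on, reworked as an added example. This is not the NukeCops patch, not PHP-Nuke code and not what is in cvs.nukecops.com; the function names request_uri(), matches_posted_pattern(), has_admin_parameter() and deny_if_admin_request() and the sample request lines are assumptions made for the example. It follows chatserv's advice on $_SERVER['REQUEST_URI'] versus getenv(), keeps the whole check inside a function so that no global such as $url or $whatever is touched (RikMerle reports that one variant rewrote download URLs to /admin.php; whatever caused that, a local-scope check cannot collide with a module's own variables), and shows two properties of the posted regex /\?admin/ that follow from reading it: it only matches when "admin" directly follows the "?", so a query string such as "?op=x&admin=..." is not matched, and it inspects the raw request line, which PHP does not percent-decode, whereas PHP decodes parameter names before it assigns them. The stricter variant parses the query string and refuses any parameter named admin wherever it appears. Written for a current PHP (parse_url with PHP_URL_QUERY needs 5.1.2 or later); the getenv() fallback is there only to mirror the thread's advice for interpreters before 4.1.0.

```php
<?php
// Added example: not the NukeCops patch and not PHP-Nuke code.
// Function names and sample request lines are invented for illustration.

// Read the request URI as chatserv suggests: $_SERVER on PHP >= 4.1.0,
// getenv() as the fallback for older interpreters.
function request_uri()
{
    if (isset($_SERVER['REQUEST_URI'])) {
        return $_SERVER['REQUEST_URI'];
    }
    $env = getenv('REQUEST_URI');
    return $env === false ? '' : $env;
}

// The check exactly as posted in the thread: a substring match on the
// raw (not percent-decoded) request line.
function matches_posted_pattern($uri)
{
    return preg_match('/\?admin/', $uri) === 1;
}

// Stricter variant: parse the query string and refuse the request if any
// parameter is named "admin", wherever it sits. parse_str() decodes the
// names first, so "&admin=" and "?%61dmin=" are caught as well as "?admin".
// PHP variable names are case-sensitive, so "ADMIN" is deliberately not
// treated as "admin" here.
function has_admin_parameter($uri)
{
    $query = parse_url($uri, PHP_URL_QUERY);
    if ($query === null || $query === false || $query === '') {
        return false;
    }
    parse_str($query, $params);
    foreach (array_keys($params) as $name) {
        if ((string) $name === 'admin') {
            return true;
        }
    }
    return false;
}

// Guard to call at the very top of admin.php. Everything is local scope,
// so no $url or $whatever leaks into the including script.
function deny_if_admin_request()
{
    if (has_admin_parameter(request_uri())) {
        header('HTTP/1.0 403 Forbidden');
        echo 'die';
        exit;
    }
}

// Constructed sample request lines, compared under both checks when the
// file is run from the command line (php this_file.php).
if (PHP_SAPI === 'cli') {
    $samples = array(
        '/admin.php',                  // plain admin page: both allow
        '/admin.php?op=example',       // ordinary admin operation: both allow
        '/admin.php?admin=abc',        // "?admin": both block
        '/admin.php?op=x&admin=abc',   // "&admin=": posted regex allows, strict blocks
        '/admin.php?%61dmin=abc',      // percent-encoded name: posted regex allows, strict blocks
        '/admin.php?administrator=1',  // starts with "?admin": posted regex blocks, strict allows
    );
    printf("%-30s %-8s %s\n", 'request', 'posted', 'strict');
    foreach ($samples as $uri) {
        printf("%-30s %-8s %s\n", $uri,
            matches_posted_pattern($uri) ? 'block' : 'allow',
            has_admin_parameter($uri) ? 'block' : 'allow');
    }
}
```

Run it from the command line to see the table; in admin.php the call would be deny_if_admin_request() before any other code executes. The '?op=example' line is the property a patch like this must preserve: legitimate admin.php operations keep working while a request that carries an admin parameter is refused before the rest of the script runs.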
MrFluffy (Captain) | Joined: Aug 06, 2003 | Posts: 411 | Location: Berlin
Posted: Mon Oct 13, 2003 7:50 am

I'm really not sure about the relation, but I can no longer use the links from my admin block; all lead to

Quote:
You can't access this file directly...


The last major action was updating my admin.php from CVS. But as I said, I'm really not sure that's linked... But I noticed it concerns all links located in the two admin-related blocks.
I also installed googletap last night, and I'm totally unsure about the .htaccess stuff... (I had once used an applet of my ISP to restrict access to some subfolders of my webspace, and afterwards there were .htaccess files everywhere I looked). I have now replaced the one in the nuke root, so this could be another source...

_________________
cu, MrFluffy

conrads-berlin.de
nuke-platinum.de
Powered by phpBB © 2001, 2005 phpBB Group. Ported by Nuke Cops © 2003 www.nukecops.com. Nuke Cops founded by Paul Laudanski (Zhen-Xjell).