Nuke Cops :: View topic - admin.php security hole

Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Mon Oct 13, 2003 12:28 pm

Yah that same patch applied here and other nuke sites works fine, even with the "$url" variable. No problems have been witnessed.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
morgan
Nuke Soldier
Joined: Sep 09, 2003
Posts: 20
Posted: Mon Oct 13, 2003 1:25 pm

Is this patch applicable for 6.5? What version of admin.php in cvs corresponds to the admin.php file in the nukecops 6.5 bundle?

If it is applicable, how would it be applied?

Thanks,

Morgan
Dan1
Private
Joined: Sep 29, 2003
Posts: 41
Location: London, United Kingdom.
Posted: Mon Oct 13, 2003 2:52 pm

speedx wrote:
So does it go like this?

Code:
<?php

// Read the raw request URI and refuse the request before mainfile.php
// is loaded if the URI contains "?admin"
$url = getenv("REQUEST_URI");

if (preg_match("/\?admin/", $url)) {
    echo "die";
    exit;
}
require_once("mainfile.php");
get_lang("admin");


Shouldn't it be $checkmyurl ?

_________________
Kind Regards,

Dan.
mmiller
Nuke Cadet
Joined: Oct 13, 2003
Posts: 2
Posted: Mon Oct 13, 2003 3:33 pm

It's nice that you guys are so fast in posting a security fix, but it would be even better if you told us what version of PHP-Nuke it should be applied to :)
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Mon Oct 13, 2003 3:48 pm

All versions.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
sambeckett
Corporal
Joined: Jun 25, 2003
Posts: 63
Posted: Mon Oct 13, 2003 6:59 pm

May we please have a direct link to an admin.php that includes the fix?
Archangel
Corporal
Joined: Mar 19, 2003
Posts: 57
Location: Indiana
Posted: Mon Oct 13, 2003 9:02 pm

This does not work on Nuke 7.0 Alpha 1 or 2. If you add a download, the link shows up as

/admin.php

???
thewizard
Sergeant
Joined: Sep 01, 2003
Posts: 134
Location: Germany
Posted: Mon Oct 13, 2003 9:09 pm

Same problem here with Nuke 6.9. When I add a download, I always get /admin.php as the download path.

_________________

Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
RikMerle
Nuke Soldier
Joined: Mar 18, 2003
Posts: 16
Posted: Tue Oct 14, 2003 4:16 am

Archangel wrote:
This does not work on Nuke 7.0 Alpha 1 or 2. If you add a download, the link shows up as

/admin.php

???


Use the code given by BobMarion, that one works 100% with Nuke 6.9!

Code:
// Read the request URI from $_SERVER (available on PHP 4.1.0 and newer)
$whatever = $_SERVER['REQUEST_URI'];

// Refuse any request whose URI contains "?admin"
if (preg_match("/\?admin/", $whatever)) {
    echo "die";
    exit;
}

_________________
My PHP-Nuke Playground:
http://www.rikmerle.com
---
RikMerle
Nuke Soldier
Joined: Mar 18, 2003
Posts: 16
Posted: Tue Oct 14, 2003 4:19 am

thewizard wrote:
Same problem here with Nuke 6.9. When I add a download, I always get /admin.php as the download path.


Use the code given by BobMarion:

Code:
// Read the request URI from $_SERVER (available on PHP 4.1.0 and newer)
$whatever = $_SERVER['REQUEST_URI'];

// Refuse any request whose URI contains "?admin"
if (preg_match("/\?admin/", $whatever)) {
    echo "die";
    exit;
}


I had the same problem with 6.9 and the above fixed it for me!

_________________
My PHP-Nuke Playground:
http://www.rikmerle.com
---
Jeruvy
Lieutenant
Joined: Jul 09, 2003
Posts: 293
Posted: Tue Oct 14, 2003 4:25 am

RikMerle wrote:
thewizard wrote:
Same problem here with Nuke 6.9. When I add a download, I always get /admin.php as the download path.


Use the code given by BobMarion:

Code:
// Read the request URI from $_SERVER (available on PHP 4.1.0 and newer)
$whatever = $_SERVER['REQUEST_URI'];

// Refuse any request whose URI contains "?admin"
if (preg_match("/\?admin/", $whatever)) {
    echo "die";
    exit;
}


I had the same problem with 6.9 and the above fixed it for me!


I think we need to clarify the patch and post proper versions for each (or merge the code into one).

Thoughts?

J.

_________________
J.
j e r u v y a t y a h o o d o t c o m
thewizard
Sergeant
Joined: Sep 01, 2003
Posts: 134
Location: Germany
Posted: Tue Oct 14, 2003 4:28 am

RikMerle wrote:
thewizard wrote:
Same problem here with Nuke 6.9. When I add a download, I always get /admin.php as the download path.


Use the code given by BobMarion:

Code:
// Read the request URI from $_SERVER (available on PHP 4.1.0 and newer)
$whatever = $_SERVER['REQUEST_URI'];

// Refuse any request whose URI contains "?admin"
if (preg_match("/\?admin/", $whatever)) {
    echo "die";
    exit;
}


I had the same problem with 6.9 and the above fixed it for me!


Yep, I used that, but the error stays the same.

_________________

Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted: Tue Oct 14, 2003 4:34 am

For servers with PHP 4.1.0 or newer use:
Code:
// $_SERVER is populated from PHP 4.1.0 onwards
$checkmyurl = $_SERVER['REQUEST_URI'];

// Refuse any request whose URI contains "?admin"
if (preg_match("/\?admin/", $checkmyurl)) {
    echo "die";
    exit;
}


For older versions of PHP, or if you don't know which version of PHP your server has (no real excuse for not knowing: either email your host or create a phpinfo file to find out), then use:
Code:
// getenv() works on PHP releases that predate $_SERVER
$checkmyurl = getenv("REQUEST_URI");

// Refuse any request whose URI contains "?admin"
if (preg_match("/\?admin/", $checkmyurl)) {
    echo "die";
    exit;
}

Until this is further tested, use it as posted (with the $checkmyurl variable instead of $url). $url is used by some other files and could cause conflicts like the one with downloads getting an admin.php URL.

_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
saiko
Nuke Cadet
Joined: Oct 14, 2003
Posts: 1
Posted: Tue Oct 14, 2003 2:50 pm

tinjaw wrote:
speedx: If you attempt to add a block and that block is a custom block based on an RSS feed, the code that checks the URL also uses the $URL variable. This causes a conflict. Therefore the security fix needs to use a variable named something other than $URL to be backward compatible.


I got the same problem, to be honest. I hope you guys can fix it soon ;)
judas
Corporal
Joined: Apr 24, 2003
Posts: 66
Location: dev/hda1
Posted: Tue Oct 14, 2003 3:30 pm

chatserv, I think something like this would help more:

Code:
// Try getenv() first (works on older PHP), then fall back to $_SERVER
$checkmyurl = getenv("REQUEST_URI");
if (empty($checkmyurl)) {
    $checkmyurl = $_SERVER['REQUEST_URI'];
}

// Refuse any request whose URI contains "?admin"
if (preg_match("/\?admin/", $checkmyurl)) {
    echo "die";
    exit;
}
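Pulling the variants in this thread together, as an added example that is not from any of the posts above and not PHP-Nuke's own code: the functions below read REQUEST_URI from $_SERVER when it exists and fall back to getenv() for PHP releases older than 4.1.0, apply the same "?admin" check, and keep every variable in function scope so that nothing like $url or $URL (the downloads and RSS-block conflict described in this thread) is overwritten. The function names (nc_request_uri, nc_is_admin_probe, nc_block_admin_probe) and the sample URIs in the self-check are assumptions made for illustration.

```php
<?php
// Added example (not PHP-Nuke code, not from the thread). Everything lives in
// functions so no global such as $url is clobbered under register_globals.

function nc_request_uri() {
    // PHP 4.1.0+ populates $_SERVER; older releases only expose getenv().
    if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] !== '') {
        return $_SERVER['REQUEST_URI'];
    }
    $uri = getenv('REQUEST_URI');   // returns false when the variable is absent
    return ($uri === false) ? '' : $uri;
}

function nc_is_admin_probe($uri) {
    // Same pattern the thread uses: any URI containing the literal "?admin"
    // is rejected. Returns true when the request should be dropped.
    return preg_match('/\?admin/', $uri) === 1;
}

function nc_block_admin_probe() {
    // Drop-in for the top of admin.php, called before mainfile.php is required.
    if (nc_is_admin_probe(nc_request_uri())) {
        echo "die";
        exit;
    }
}

// Self-check against constructed URIs (hypothetical, for illustration only);
// runs only when the file is executed from the command line, never under a
// web server. php_sapi_name() is available from PHP 4.0.1 onwards.
if (php_sapi_name() === 'cli') {
    $cases = array(
        '/admin.php'                  => false,
        '/admin.php?op=login'         => false,
        '/modules.php?name=Downloads' => false,
        '/admin.php?admin=x'          => true,
        '/index.php?admin=x'          => true,
    );
    foreach ($cases as $uri => $expected) {
        $got = nc_is_admin_probe($uri);
        printf("%-30s %s\n", $uri, ($got === $expected) ? 'ok' : 'MISMATCH');
    }
}
```

To use it in a live install, place the three functions at the very top of admin.php and call nc_block_admin_probe() before the require_once("mainfile.php") line, as speedx's snippet earlier in the thread does with the inline check. Keeping the check inside a function is the design choice that removes the whole $url-versus-$checkmyurl naming debate: a local variable cannot collide with a global that another PHP-Nuke file reads later in the same request.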
Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com