Nuke Cops :: View topic - admin.php security hole
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Tue Oct 14, 2003 3:45 pm

If this is the exploit that is being discussed here, I don't think the fix will work anyway. Reason being there is no string ?admin to match to http://www.securityfocus.com/bid/8798/exploit .

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff
chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted: Tue Oct 14, 2003 4:39 pm

Not the same thing, the above deals with a line similar to:
admin.php?admin=some_md5_hashed_code&sid=blablabla

For the one you mention I'd think modifying auth.php might handle it since it gets included on login. Considering the nick & pass length limit I'd do something like:
In auth.php find:
Code:
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {

Just above it add:
Code:
    $aid = substr("$aid", 0,25);
    $pwd = substr("$pwd", 0,18);


One other thing that might stop that one could be adding instead of those two lines:
Code:
if (ereg("[^a-zA-Z0-9_-]", trim($aid))) {
    die("Begone");
}


Actually I'd add both, why not?
Code:
if (ereg("[^a-zA-Z0-9_-]", trim($aid))) {
    die("Begone");
}
$aid = substr("$aid", 0, 25);
$pwd = substr("$pwd", 0, 18);

_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources

Last edited by chatserv on Tue Oct 14, 2003 4:50 pm; edited 1 time in total
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Tue Oct 14, 2003 4:44 pm

Thanks CS!

chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted: Tue Oct 14, 2003 4:52 pm

Hey no worries, try the last one I posted with both codes. I like that one because the code gets cut and you also get a nice lil message :)

Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Tue Oct 14, 2003 4:56 pm

Are those lengths arbitrary or is there significance in them?

chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted: Tue Oct 14, 2003 5:02 pm

I used the max length set in admin.php for both values. I'd make aid shorter though, but to be honest the code used exceeds the 25 limit:
Code:
   ."<td><input type=\"text\" NAME=\"aid\" SIZE=\"20\" MAXLENGTH=\"25\"></td></tr>"
   ."<tr><td>"._PASSWORD."</td>"
   ."<td><input type=\"password\" NAME=\"pwd\" SIZE=\"20\" MAXLENGTH=\"18\"></td></tr>";


A 10 char limit on aid would be a bit safer.

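The two checks from chatserv's posts (the character test on aid and the 25/18 length limits taken from the admin.php form), combined as an added example that is not part of the thread or of PHP-Nuke. The helper check_admin_login() is hypothetical; it uses preg_match() because ereg() was removed in PHP 7, and it rejects over-long values instead of truncating them with substr(), which is a choice made for this example.

```php
<?php
// Added example, not PHP-Nuke code. check_admin_login() is a hypothetical helper.
// 25 and 18 are the MAXLENGTH values of the aid/pwd fields quoted from admin.php.
define('AID_MAX', 25);
define('PWD_MAX', 18);

// Returns null when the pair may be handed to the login code,
// otherwise a short reason for rejecting it.
function check_admin_login($aid, $pwd)
{
    // aid[]=x style parameters arrive as arrays; substr()/trim() expect strings.
    if (!is_string($aid) || !is_string($pwd)) {
        return 'not a string';
    }
    $aid = trim($aid);
    if ($aid === '' || strlen($aid) > AID_MAX) {
        return 'aid length';
    }
    if ($pwd === '' || strlen($pwd) > PWD_MAX) {
        return 'pwd length';
    }
    // Same character class as the ereg() test in the post, written as an
    // allowlist: every character of the whole value must be in the class.
    if (!preg_match('/\A[a-zA-Z0-9_-]+\z/', $aid)) {
        return 'aid characters';
    }
    return null;
}

// Constructed sample inputs (not taken from any log or advisory).
$samples = array(
    array('site_admin-01', 'correcthorse'),
    array("o'brien", 'correcthorse'),
    array('admin name', 'correcthorse'),
    array(str_repeat('a', 26), 'correcthorse'),
    array('site_admin-01', str_repeat('p', 19)),
    array(array('x'), 'correcthorse'),
);

foreach ($samples as $s) {
    list($aid, $pwd) = $s;
    $reason = check_admin_login($aid, $pwd);
    $shown  = is_string($aid) ? $aid : gettype($aid);
    echo str_pad($shown, 28), $reason === null ? 'accept' : "reject ($reason)", "\n";
}
```

Only the first sample is accepted; the others are rejected for a disallowed character, an over-long aid or pwd, or a non-string value.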
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Tue Oct 14, 2003 5:04 pm

Will all these security fixes make it into version 7?

chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted: Tue Oct 14, 2003 5:13 pm

Hopefully yes, they need to be added A.S.A.P

KrAzYwHiTeBoY
Private
Joined: May 26, 2003
Posts: 47
Posted: Tue Oct 14, 2003 5:47 pm

speedx wrote:
So does it go like this?

<?php


$url = getenv("REQUEST_URI");

if (preg_match("/\?admin/", "$url")) {
echo "die";
exit;
}
require_once("mainfile.php");
get_lang(admin);


OK, I inserted this code and now my Enhanced Downloads will not work.
Like I add a new download, and when I click on submissions for downloads, when I click on add to add a new download it throws an error saying invalid url listed for URL?? Basically the same problem that other guy was having with the RSS giving a url error.

I restore the original admin.php and the problem is gone. So it IS this code causing it. Any ideas how to fix it? I mean I want admin.php to be secure but there is no point if I can't add new downloads :roll:
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Tue Oct 14, 2003 5:54 pm

Hi'ya please read the other posts, there are other solutions within them for this problem.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
Jeruvy
Lieutenant
Joined: Jul 09, 2003
Posts: 293
Posted: Wed Oct 15, 2003 5:01 am

Raven wrote:
If this is the exploit that is being discussed here, I don't think the fix will work anyway. Reason being there is no string ?admin to match to http://www.securityfocus.com/bid/8798/exploit .


Did anyone read the solution?

Quote:
It has been reported that this issue can be prevented by placing "magic_quotes_gpc" in the php.ini configuration file.


Just thought I'd add this.

Besides I agree with chatserv, this didn't help this problem.
Not to say this solution isn't a good one :D
PrimalFear
Sergeant
Joined: Mar 13, 2003
Posts: 129
Posted: Wed Oct 15, 2003 10:42 am

Just a thought: some peeps can get confused with all the different types of fixes here, which one for what version etc. It might be a good idea to edit the opening post with the updated fixes, which ones work for what particular situation, & have the header read, "This Post will be updated with each new fix that is discovered & discussed in this thread."

Just a Thought
HimmelHund
Nuke Soldier
Joined: Sep 15, 2003
Posts: 30
Posted: Thu Oct 16, 2003 6:36 am

The first thing now in my admin.php is

Code:
$checkmyurl = $_SERVER['REQUEST_URI'];

if (preg_match("/\?admin/", "$checkmyurl")) {
    echo "die";
    exit;
}


All seems to work fine. How can I check if things are OK now?
judas
Corporal
Joined: Apr 24, 2003
Posts: 66
Location: dev/hda1
Posted: Thu Oct 16, 2003 7:06 am

this should work with old and new php versions


Code:
$checkmyurl = $_SERVER['REQUEST_URI'];
if (empty($checkmyurl)) {
    $checkmyurl = getenv("REQUEST_URI");
}

if (preg_match("/\?admin/", "$checkmyurl")) {
    echo "die";
    exit;
}
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Thu Oct 16, 2003 8:18 am

Actually to be more accurate, one should check for the PHP version first. Then depending on the value, use the appropriate variable. You can check my analyze.php for such checks.
