

Author: VinDSL    Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs    Posted: Fri Jun 04, 2004 4:35 pm    Post subject: Re: This new security hole...

This is NOT a Nuke security vulnerability IMHO. It's a server administration issue...

In order to use this attack, hackers would need admin privileges on the server in question, in order to create a symlink pointing to someone else's sql db, no? Not only that, but they would need an account on (or access to another client's account on) the same server as you, in order to mount the attack in the first place.

There might be a web host out there stupid enough to give server admin privileges to clients on a shared server, and allow them to access data on other clients' db's, but I doubt it. If so, they wouldn't be in business long.

My fix would consist of changing web hosts... Wink

Author: Chinese_Power    Posted: Fri Jun 04, 2004 5:39 pm    Post subject:

Interesting... But has someone tested this yet? It doesn't work for me

Author: VinDSL    Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs    Posted: Fri Jun 04, 2004 5:55 pm    Post subject:


Author: foxyfemfem    Location: USA    Posted: Fri Jun 04, 2004 3:05 pm    Post subject:

Um, very interesting and I notice the date on that post is May (almost 2 months of age). Okay, can we get a "security" coder to verify if there's a fix for that, has the fix been produced and where the heck can I get the fix? Laughing

Author: alexm    Posted: Fri Jun 04, 2004 3:45 pm    Post subject: Re: This new security hole...

Nuke Cops :: View topic - This new security hole...

Author: MechaDragon    Posted: Fri Jun 04, 2004 1:27 pm    Post subject: This new security hole...

Does protector or anything work with it?

http://www.securityfocus.com/archive/1/364725/2004-05-30/2004-06-05/0

Is the fix listed the best one to use?
MechaDragon wrote:

Is the fix listed the best one to use?


I'm not an expert on this subject, but the best fix is to make sure that safe_mode is "On" in your PHP. This will disable other users' ability to include() your files.

It's my opinion that if you are on a shared host with safe_mode Off, you have bigger problems than this little script.

I could be wrong. And there's no harm in adding the proposed "fix." Smile
Chinese_Power wrote:
Interesting... But has someone tested this yet? It doesn't work for me

Are you talking about the quick 'n' dirty patch they suggested, or switching hosts? Laughing

Author: judas    Location: dev/hda1    Posted: Fri Jun 04, 2004 6:34 pm    Post subject: Re: This new security hole...

Imm..This is NOT A BUG ON NUKE.
but if you like the "proposed patch."..I think this will be better
Code:
$domain = $_SERVER['SERVER_NAME'];
$ipserv = gethostbyname($domain);
if ($ipserv != "your_server_ip_address_here") {
echo "Access denied";
die();
}

Note: I'm trying to reproduce this "bug" and on my server I get 403 errors and other stuff..no real "proof of concept" results.

Author: MechaDragon    Posted: Fri Jun 04, 2004 7:00 pm    Post subject:

foxyfemfem wrote:
Um, very interesting and I notice the date on that post is May (almost 2 months of age). Okay, can we get a "security" coder to verify if there's a fix for that, has the fix been produced and where the heck can I get the fix? Laughing


Two months? May 30 was less than a week ago... am I missing something or not understanding right...

Author: MechaDragon    Posted: Fri Jun 04, 2004 7:03 pm    Post subject: Re: This new security hole...

VinDSL wrote:
This is NOT a Nuke security vulnerability IMHO. It's a server administration issue...


Thanks, didn't quite understand the whole process so I didn't know it had to be on the same server but thanks for the explanation!!

Author: clam729    Posted: Fri Jun 04, 2004 11:15 pm    Post subject: Re: This new security hole...

search for one of my earlier posts about script hijacking, the same goes for this. everyone should add code to their sites to ensure that the scripts are being run from their server.

there are many ways to do this simple check, as i said, one of my earlier posts has some example code in it.

Author: Dunderklumpen    Location: Sweden    Posted: Sat Jun 05, 2004 12:14 am    Post subject: Re: This new security hole...

judas wrote:
Imm..This is NOT A BUG ON NUKE.
but if you like the "proposed patch."..I think this will be better
Code:
$domain = $_SERVER['SERVER_NAME'];
$ipserv = gethostbyname($domain);
if ($ipserv != "your_server_ip_address_here") {
echo "Access denied";
die();
}

Note: I'm trying to reproduce this "bug" and on my server I get 403 errors and other stuff..no real "proof of concept" results.


Thanks for the suggested patch - now where should I put this in config.php?

Author: kingpin03    Posted: Sat Jun 05, 2004 2:00 am    Post subject:

Dunderklumpen wrote:
judas wrote:
Imm..This is NOT A BUG ON NUKE.
but if you like the "proposed patch."..I think this will be better
Code:
$domain = $_SERVER['SERVER_NAME'];
$ipserv = gethostbyname($domain);
if ($ipserv != "your_server_ip_address_here") {
echo "Access denied";
die();
}

Note: I'm trying to reproduce this "bug" and on my server I get 403 errors and other stuff..no real "proof of concept" results.


Thanks for the suggested patch - now where should I put this in config.php?
Try header.php instead. Wink

Author: Dunderklumpen    Location: Sweden    Posted: Sat Jun 05, 2004 2:48 am    Post subject: Re: This new security hole...

Ok, thanks - will do.

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 2:54 am    Post subject:

@MechaDragon
Laughing You are correct. I was thinking this month was July not June (way ahead of myself).

I tried that exploit on my website and all I received was the 403 error page, therefore I'm with VinDSL on this one, if the exploit succeeds via another, I'm changing my webhost.

@judas
Thanks for the patch, it's always better to be safe than sorry. I'm adding the patch to mainfile.php

This part $_SERVER['SERVER_NAME']; should SERVER_NAME be as is or am I supposed to add the name of the server I'm on?

Author: VinDSL    Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs    Posted: Sat Jun 05, 2004 4:45 am    Post subject: Re: This new security hole...

clam729 wrote:
...everyone should add code to their sites to ensure that the scripts are being run from their server...

Keep in mind that this attack IS run from your server, via a symlink in another client's account, or so the theory goes.

I don't think there is ANY patch that would work for such a situation, given the type of authentication Nuke uses. Once again, this is a server administration issue. Wink

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 5:15 am    Post subject:

VinDSL wrote:
Once again, this is a server administration issue.
I'm on a shared server, my hosting company offers phpnuke via cpanel (meaning a lot of their clients utilize phpnuke) and of course I added a link at their forums to nukecops.com for users to come here if they need assistance with phpnuke, should I ask them if this exploit is a threat to us (those on shared server)?

Author: Tank863    Location: Philadelphia    Posted: Sat Jun 05, 2004 7:10 am    Post subject: Re: This new security hole...

Try this as a proof of concept.

http://www.example.com/modules/News/categories.php/modules.php

change example to your domain..

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 7:26 am    Post subject:

@Tank863
I tried that concept at my website with and without judas' fix suggestion. This is what I received
Code:
Warning: main(mainfile.php): failed to open stream: No such file or directory in /home/xxx/public_html/modules/News/categories.php on line 23

Fatal error: main(): Failed opening required 'mainfile.php' (include_path='.:/COMPLETE PATH') in /home/xxx/public_html/modules/News/categories.php on line 23
Um, should I panic now? <standing next to panic button> Confused

Author: Tank863    Location: Philadelphia    Posted: Sat Jun 05, 2004 7:35 am    Post subject:

That is exactly what I received...

I'm not a coding expert... but I am working on trying what waraxe suggested...

http://www.waraxe.us/forum/viewtopic.php?t=96

hopefully someone can come up with a good fix...

Author: Tank863    Location: Philadelphia    Posted: Sat Jun 05, 2004 8:19 am    Post subject:

Foxy..

this is what phpBB does..

in their stand alone phpbb

in the common.php they have

Code:

if ( !defined('IN_PHPBB') )
{
   die("Hacking attempt");
}


in the index.php and all other *.php files they have
Code:

define('IN_PHPBB', true);



So what I am suggesting... from waraxe's suggestion...

is something like this in the mainfile.php

Code:


if ( !defined('IN_NUKE') )
{
   die("Hacking attempt");
}


In all other files... ??

Code:

define('IN_NUKE', true);


I am going to test this out and post results...

Tank863

Author: VinDSL    Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs    Posted: Sat Jun 05, 2004 8:29 am    Post subject: Re: This new security hole...

Tank863 wrote:
Try this as a proof of concept.

http://www.example.com/modules/News/categories.php/modules.php

change example to your domain..

Alrighty then... this 'new, new security hole' is quite a different matter!

http://www.waraxe.us/forum/viewtopic.php?t=96

Your proof of concept example reveals full path info which makes it much easier to hack a site than having to work in the blind. This is NOT a good thing! It makes the perp's job a lot easier.

Time to put the 'thinking caps' on... Wink

Author: Tank863    Location: Philadelphia    Posted: Sat Jun 05, 2004 9:19 am    Post subject:

Not working... as I hoped Sad

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 9:35 am    Post subject:

Okay, it's time for me to sound the alarm <panic attack> Shocked .. Now where are all those security coders? Is there a security script available that will stop this? How about a temp .htaccess file to deny access until a fix is produced? Or a small snippet in mainfile.php?

Last edited by foxyfemfem on Sat Jun 05, 2004 9:38 am; edited 1 time in total

Author: Tank863    Location: Philadelphia    Posted: Sat Jun 05, 2004 9:37 am    Post subject:

Maybe... I didn't look at the phpbb files long enough.. they may include other lines that I need to add in for protection..

like a file called extension.inc and have a particular file call on this extension.inc... hmm

again.. I am not a hard core coder.. I am learning as I go along...

Author: Tank863    Location: Philadelphia    Posted: Sat Jun 05, 2004 9:42 am    Post subject:

I wouldn't sound the alarm quite yet..

http://ravenphpscripts.com/postp12835.html#12835

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 9:47 am    Post subject:

How about someone produce a script like this...

nukeauth.php - This script is placed at the top of every page you want to protect. It checks the user's ID and session details against the database and if the details don't match a current valid session, the browser is redirected to access denied page or something similar.

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 9:56 am    Post subject:

yipee woohoo, I can step away from the panic button. <blow Raven a kiss from across the river> .. Thanks sweetie, now I will patiently sit back and wait on you to turn that blank screen into a "get the devil land off my website" message Mr. Green

Author: Tank863    Location: Philadelphia    Posted: Sat Jun 05, 2004 10:02 am    Post subject:

Also.. from madman and waraxe

http://www.waraxe.us/forum/viewtopic.php?t=100

Author: Raptor1    Location: Conway SC    Posted: Sat Jun 05, 2004 10:12 am    Post subject: Re: This new security hole...

I'm not on a shared server so there's no need for me to worry?

Author: telli    Posted: Sat Jun 05, 2004 10:35 am    Post subject: Re: This new security hole...

Here is a fix for it. Thank Tank and waraxe for the idea.

Open your mainfile.php and, right after the <?php, place this:

Code:

//In Nuke Check by Telli http://codezwiz.com/
//Idea taken from Tank863 & Waraxe
define ('IN_NUKE',1);


Open your files that are in need of the patch (I believe the security focus has the list) and find this code:

Code:
if (!eregi("modules.php", $_SERVER['PHP_SELF'])) {
    die ("You can't access this file directly...");
}


Under that place this:

Code:

//In Nuke Check by Telli http://codezwiz.com/
//Idea taken from Tank863 & Waraxe
if ( !defined('IN_NUKE') )
{
        die("Hacking attempt");
}


You will also need to make sure that there is an include of the mainfile.php; many add-ons do not have it, so it may have to be added. In that case just add this code:

Code:
require_once("mainfile.php");


Right after the new code you added so it will look like this:

Code:
//In Nuke Check by Telli http://codezwiz.com/
//Idea taken from Tank863 & Waraxe
if ( !defined('IN_NUKE') )
{
        die("Hacking attempt");
}
require_once("mainfile.php");


And it will block them.

http://www.codezwiz.com/modules/News/categories.php/modules.php


Last edited by telli on Sat Jun 05, 2004 11:02 am; edited 1 time in total
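
An audit helper for the patching procedure in the post above, added here as an example and not code from telli or PHP-Nuke: it walks a tree and reports which .php files carry the defined('IN_NUKE') guard, which only have the PHP_SELF check, and which have neither. The function names, the entry-point list (taken from madman's later post in this thread) and the sample tree are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. It audits a PHP-Nuke style tree
// for files that still rely on the PHP_SELF check and lack the IN_NUKE guard.
// The sample tree built below is constructed for the demonstration.

// Files meant to be requested directly (assumption, per madman's post).
const ENTRY_POINTS = ['index.php', 'admin.php', 'modules.php'];

/** Classify one file's source by the protection it carries. */
function classify_source(string $src): string
{
    $hasGuard  = (bool) preg_match('/\bdefined\s*\(\s*[\'"]IN_NUKE[\'"]\s*\)/', $src);
    $definesIt = (bool) preg_match('/\bdefine\s*\(\s*[\'"]IN_NUKE[\'"]/', $src);
    $hasLegacy = (bool) preg_match('/\beregi\s*\([^\n]*PHP_SELF/', $src);

    if ($hasGuard) {
        return 'guarded';
    }
    if ($definesIt) {
        return 'defines IN_NUKE';
    }
    return $hasLegacy ? 'PHP_SELF check only' : 'no check';
}

/** Walk $root and return [relative path => classification] for every .php file. */
function audit_tree(string $root): array
{
    $root   = rtrim($root, '/\\');
    $report = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        if (strpos($rel, '/') === false && in_array($rel, ENTRY_POINTS, true)) {
            $report[$rel] = 'entry point';
            continue;
        }
        $report[$rel] = classify_source((string) file_get_contents($file->getPathname()));
    }
    ksort($report);
    return $report;
}

/** Files that would still need the guard added. */
function needs_patch(array $report): array
{
    return array_keys(array_filter($report, function (string $status): bool {
        return $status === 'PHP_SELF check only' || $status === 'no check';
    }));
}

/** Build a small constructed tree in the temp directory and return its path. */
function build_sample_tree(): string
{
    $root = sys_get_temp_dir() . '/nuke_audit_' . uniqid();
    mkdir($root . '/modules/News', 0700, true);
    $legacy = 'if (!eregi("modules.php", $_SERVER[\'PHP_SELF\'])) { die("no direct access"); }';
    $guard  = 'if (!defined(\'IN_NUKE\')) { die("Hacking attempt"); }';
    $samples = [
        'mainfile.php'                => "<?php\ndefine ('IN_NUKE',1);\n",
        'modules.php'                 => "<?php\nrequire_once('mainfile.php');\n",
        'modules/News/index.php'      => "<?php\n$legacy\n$guard\n",
        'modules/News/categories.php' => "<?php\n$legacy\n",
        'modules/News/helper.php'     => "<?php\nfunction helper() {}\n",
    ];
    foreach ($samples as $rel => $src) {
        file_put_contents($root . '/' . $rel, $src);
    }
    return $root;
}

/** Remove the constructed tree again. */
function remove_tree(string $root): void
{
    $items = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($items as $item) {
        $item->isDir() ? rmdir($item->getPathname()) : unlink($item->getPathname());
    }
    rmdir($root);
}

$root   = build_sample_tree();
$report = audit_tree($root);
foreach ($report as $rel => $status) {
    printf("%-30s %s\n", $rel, $status);
}
echo 'Still need the guard: ', implode(', ', needs_patch($report)), "\n";
remove_tree($root);
```

To audit a real installation, call audit_tree() with the directory that holds mainfile.php instead of the constructed tree.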

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 11:00 am    Post subject:

Thanks Telli. <looking at the list of files that need to be patched> wow! that's approximately every file.

Author: telli    Posted: Sat Jun 05, 2004 11:06 am    Post subject:

It's just one proposed fix that works solid. Maybe there are others that won't require you to get into changing so much of the code. Or maybe they will actually include something like this in the next fix distro or Nuke distro.

Author: Tank863    Location: Philadelphia    Posted: Sat Jun 05, 2004 11:26 am    Post subject:

@Telli...

What you made up seems to be inline with what waraxe suggested....

seems that I had it arse backwards Wink

again.. I'm not a die hard coder.. (yet) but I was advised that:

All blocks and/or modules and/or add-ons do not call mainfile.php, nor do they necessarily have to.

I will apply this and test it out.... but your 'patch' does work as your link showed...

Tank863

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 11:30 am    Post subject:

telli wrote:
Or maybe they will actually include something like this in the next fix distro or Nuke distro.
That's a joke right? If not, I'm LMAO reading that one. Have you noticed the last version (7.3) changelog? All fixes were those of chatserv and others, um do you think 7.4 will be any different? Laughing I'll wait on a fix from here (nukecop) or there (raven's site) before I cash in my money on 7.4 (no pun intended FB) I'm just calling it like I see it Mr. Green

Author: telli    Posted: Sat Jun 05, 2004 11:36 am    Post subject: Re: This new security hole...

All blocks and/or modules and/or add-ons do not call mainfile.php, nor do they necessarily have to.

I updated the fix on the previous page to show what to do in that case.

Very true Foxy, very unfortunate but very true.

Author: Tank863    Location: Philadelphia    Posted: Sat Jun 05, 2004 12:16 pm    Post subject:

Here is a list of the files...

Code:

Affected Files:
--------------
Although an effort was made to identify all affected files (~160 total of
which ~28 have no security check), we leave it up to the developers/users
to do their own verification to ensure no files were inadvertently missed.

Note 1 --> /admin/case/case.adminfaq.php
Note 1 --> /admin/case/case.authors.php
Note 1 --> /admin/case/case.backup.php
Note 1 --> /admin/case/case.banners.php
Note 1 --> /admin/case/case.blocks.php
Note 1 --> /admin/case/case.comments.php
Note 1 --> /admin/case/case.content.php
Note 1 --> /admin/case/case.download.php
Note 1 --> /admin/case/case.encyclopedia.php
Note 1 --> /admin/case/case.ephemerids.php
Note 1 --> /admin/case/case.forums.php
Note 1 --> /admin/case/case.groups.php
Note 1 --> /admin/case/case.links.php
Note 1 --> /admin/case/case.messages.php
Note 1 --> /admin/case/case.modules.php
Note 1 --> /admin/case/case.newsletter.php
Note 1 --> /admin/case/case.optimize.php
Note 1 --> /admin/case/case.polls.php
Note 1 --> /admin/case/case.referers.php
Note 1 --> /admin/case/case.reviews.php
Note 1 --> /admin/case/case.sections.php
Note 1 --> /admin/case/case.settings.php
Note 1 --> /admin/case/case.stories.php
Note 1 --> /admin/case/case.topics.php
Note 1 --> /admin/case/case.tracking.php
Note 1 --> /admin/case/case.users.php
Note 2 --> /admin/links/links.addstory.php
Note 2 --> /admin/links/links.backup.php
Note 2 --> /admin/links/links.banners.php
Note 2 --> /admin/links/links.blocks.php
Note 2 --> /admin/links/links.content.php
Note 2 --> /admin/links/links.download.php
Note 2 --> /admin/links/links.editadmins.php
Note 2 --> /admin/links/links.editusers.php
Note 2 --> /admin/links/links.encyclopedia.php
Note 2 --> /admin/links/links.ephemerids.php
Note 2 --> /admin/links/links.faq.php
Note 2 --> /admin/links/links.forums.php
Note 2 --> /admin/links/links.groups.php
Note 2 --> /admin/links/links.httpreferers.php
Note 2 --> /admin/links/links.messages.php
Note 2 --> /admin/links/links.modules.php
Note 2 --> /admin/links/links.newsletter.php
Note 2 --> /admin/links/links.optimize.php
Note 2 --> /admin/links/links.reviews.php
Note 2 --> /admin/links/links.sections.php
Note 2 --> /admin/links/links.settings.php
Note 2 --> /admin/links/links.submissions.php
Note 2 --> /admin/links/links.surveys.php
Note 2 --> /admin/links/links.topics.php
Note 2 --> /admin/links/links.tracking.php
Note 2 --> /admin/links/links.weblinks.php
Note 3 --> /admin/modules/adminfaq.php
Note 3 --> /admin/modules/authors.php
Note 3 --> /admin/modules/backup.php
Note 3 --> /admin/modules/banners.php
Note 3 --> /admin/modules/blocks.php
Note 3 --> /admin/modules/comments.php
Note 3 --> /admin/modules/content.php
Note 3 --> /admin/modules/download.php
Note 3 --> /admin/modules/encyclopedia.php
Note 3 --> /admin/modules/ephemerids.php
Note 3 --> /admin/modules/forums.php
Note 3 --> /admin/modules/groups.php
Note 3 --> /admin/modules/links.php
Note 3 --> /admin/modules/messages.php
Note 3 --> /admin/modules/modules.php
Note 3 --> /admin/modules/newsletter.php
Note 3 --> /admin/modules/optimize.php
Note 3 --> /admin/modules/polls.php
Note 3 --> /admin/modules/referers.php
Note 3 --> /admin/modules/reviews.php
Note 3 --> /admin/modules/sections.php
Note 3 --> /admin/modules/settings.php
Note 3 --> /admin/modules/stories.php
Note 3 --> /admin/modules/topics.php
Note 3 --> /admin/modules/tracking.php
Note 3 --> /admin/modules/users.php
Note 4 --> /db/db.php
Note 1 --> /modules/AvantGo/index.php
Note 1 --> /modules/AvantGo/print.php
Note 1 --> /modules/Bookmarks/del_cat.php
Note 1 --> /modules/Bookmarks/del_mark.php
Note 5 --> /modules/Bookmarks/edit_cat.php
Note 5 --> /modules/Bookmarks/edit_mark.php
Note 1 --> /modules/Bookmarks/index.php
Note 1 --> /modules/Bookmarks/marks.php
Note 5 --> /modules/Bookmarks/uploadbookmarks.php
Note 1 --> /modules/Content/index.php
Note 1 --> /modules/Downloads/index.php
Note 6 --> /modules/Downloads/voteinclude.php
Note 1 --> /modules/Encyclopedia/index.php
Note 1 --> /modules/Encyclopedia/search.php
Note 1 --> /modules/FAQ/index.php
Note 1 --> /modules/Feedback/index.php
Note 1 --> /modules/Forums/buddylist.php
Note 1 --> /modules/Forums/faq.php
Note 1 --> /modules/Forums/groupcp.php
Note 1 --> /modules/Forums/ignore.php
Note 1 --> /modules/Forums/index.php
Note 1 --> /modules/Forums/login.php
Note 1 --> /modules/Forums/modcp.php
Note 1 --> /modules/Forums/nukebb.php
Note 1 --> /modules/Forums/posting.php
Note 1 --> /modules/Forums/profile.php
Note 1 --> /modules/Forums/ranks.php
Note 1 --> /modules/Forums/search.php
Note 1 --> /modules/Forums/staff.php
Note 1 --> /modules/Forums/topics.php
Note 1 --> /modules/Forums/viewforum.php
Note 1 --> /modules/Forums/viewonline.php
Note 1 --> /modules/Forums/viewtopic.php
Note 1 --> /modules/Journal/add.php
Note 1 --> /modules/Journal/comment.php
Note 1 --> /modules/Journal/commentkill.php
Note 1 --> /modules/Journal/commentsave.php
Note 1 --> /modules/Journal/delete.php
Note 1 --> /modules/Journal/deleteyes.php
Note 1 --> /modules/Journal/display.php
Note 1 --> /modules/Journal/edit.php
Note 1 --> /modules/Journal/friend.php
Note 1 --> /modules/Journal/functions.php
Note 1 --> /modules/Journal/index.php
Note 1 --> /modules/Journal/modify.php
Note 1 --> /modules/Journal/savenew.php
Note 1 --> /modules/Journal/search.php
Note 1 --> /modules/Members_List/index.php
Note 1 --> /modules/News/allindex.php
Note 1 --> /modules/News/article.php
Note 1 --> /modules/News/associates.php
Note 1 --> /modules/News/categories.php
Note 1 --> /modules/News/comments.php
Note 1 --> /modules/News/friend.php
Note 1 --> /modules/News/index.php
Note 1 --> /modules/News/print.php
Note 3 --> /modules/Private_Messages/index.php
Note 1 --> /modules/Recommend_Us/index.php
Note 1 --> /modules/Resend_Email/index.php
Note 1 --> /modules/Reviews/index.php
Note 1 --> /modules/Search/index.php
Note 1 --> /modules/Sections/index.php
Note 1 --> /modules/Statistics/index.php
Note 1 --> /modules/Stories_Archive/index.php
Note 1 --> /modules/Submit_News/index.php
Note 1 --> /modules/Surveys/comments.php
Note 1 --> /modules/Surveys/index.php
Note 1 --> /modules/Top/index.php
Note 1 --> /modules/Topics/index.php
Note 1 --> /modules/Web_Links/index.php
Note 6 --> /modules/Web_Links/voteinclude.php
Note 1 --> /modules/Web_Links/class.rc4crypt.php
Note 1 --> /modules/Web_Links/compose.php
Note 1 --> /modules/Web_Links/inbox.php
Note 1 --> /modules/Web_Links/index.php
Note 1 --> /modules/Web_Links/mailheader.php
Note 1 --> /modules/Web_Links/nlmail.php
Note 1 --> /modules/Web_Links/readmail.php
Note 1 --> /modules/Web_Links/settings.php
Note 1 --> /modules/Your_Account/index.php
Note 2 --> /modules/Your_Account/navbar.php



@telli

Do I need to add the
Code:
require_once("mainfile.php");
to the /admin/case/*.php files?

Author: madman    Posted: Sat Jun 05, 2004 12:43 pm    Post subject: Re: This new security hole...

If your server is running Apache and allows you to use .htaccess (AllowOverride is ALL in the .conf file), you can put this .htaccess in the phpnuke root dir:

Code:
<FilesMatch "\.(asp|bin|c|cgi|class|conf|h|htaccess|ihtml?|inc|ini|pl|sql|tpl|txt)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<FilesMatch "(auth|banners|config|footer|header|mainfile)\.php$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<LimitExcept GET PUT POST>
  Order Allow,Deny
  Deny from all
</LimitExcept>


To protect nuke subdirs, read my post at http://www.nukecops.com/postp129926.html

Author: telli    Posted: Sat Jun 05, 2004 12:58 pm    Post subject:

Yes Tank.

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 12:59 pm    Post subject:

@madman
Will this protect all files involved? I will take a look at your sub domain topic since I do utilize other php programs in my sub domains.

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 1:11 pm    Post subject:

Hello,

This code here .. <FilesMatch "(auth|banners|config|footer|header|mainfile)\.php$">

Do I need to include.... |theme|module|?

What's the difference in... ihtml & ihtml?

Author: madman    Posted: Sat Jun 05, 2004 1:25 pm    Post subject:

foxyfemfem wrote:
@madman
Will this protect all files involved? I will take a look at your sub domain topic since I do utilize other php programs in my sub domains.


It's about phpnuke subdirs (sub directories), not subdomains. Smile
The .htaccess file above will protect these files in the phpnuke root directory from direct execution:

auth.php
banners.php
config.php
footer.php
header.php
mainfile.php

For example, running this URL: http://foo.bar/mainfile.php will send a forbidden server response. Because this topic is also talking about running mainfile.php from the same server using the remote file wrapper (allow_url_fopen in php.ini), the .htaccess file will also restrict such access because the request (e.g. from include(), require(), fopen() construct functions) comes from HTTP methods (GET, PUT, POST) and not from the local file access system.

If you are running more than one subdomain, you don't have to worry if those subdomains point to the same path, e.g.

sub1.foo.bar -> /vhosts/username/httpdocs/nuke/
sub2.foo.bar -> /vhosts/username/httpdocs/nuke/
sub3.foo.bar -> /vhosts/username/httpdocs/nuke/

If you are running subdomains where the path mappings are different:

sub1.foo.bar -> /vhosts/username/httpdocs/main/
sub2.foo.bar -> /vhosts/username/httpdocs/main/nuke/
sub3.foo.bar -> /vhosts/username/httpdocs/main/nuke/nuke2/

Then you'll have to put .htaccess files like these:

/vhosts/username/httpdocs/main/.htaccess
/vhosts/username/httpdocs/main/nuke/.htaccess
/vhosts/username/httpdocs/main/nuke/nuke2/.htaccess

Hope this helps.

Author: madman    Posted: Sat Jun 05, 2004 1:31 pm    Post subject:

foxyfemfem wrote:
Hello,
This code here .. <FilesMatch "(auth|banners|config|footer|header|mainfile)\.php$">
Do I need to include.... |theme|module|?


If you have files called theme.php and module.php in phpnuke root directory, you can add them to your statement above. But do not protect modules.php because it's required to be called directly.

foxyfemfem wrote:
What's the difference in... ihtml & ihtml?


ihtml only checks any matching files with the .ihtml extension, while ihtml? will check both .ihtm and .ihtml extensions.

Author: foxyfemfem    Location: USA    Posted: Sat Jun 05, 2004 1:36 pm    Post subject:

Thanks Madman, now let me see if I understand exactly what you're saying.

phpnuke is in my root directory www.example.com
whereas I have subdomain.example.com (other php programs)... Here's my understanding and of course I did this as well... I added the .htaccess file to my root directory as well as all of my other sub domains. Therefore, am I able to sleep at night now, well at least tonight? Laughing

Author: Raptor1    Location: Conway SC    Posted: Sat Jun 05, 2004 1:40 pm    Post subject: Re: This new security hole...

Plz tell me that if I am not sharing a server that I don't need to do this. I just spent the last 2 1/2 weeks updating everything on my site, adding all the security patches, modules, scripts. I know it's an ongoing and learning process, but am I affected by this too?

Author: madman    Posted: Sat Jun 05, 2004 2:19 pm    Post subject:

foxyfemfem wrote:
phpnuke is in my root directory www.example.com
whereas I have subdomain.example.com (other php programs)... Here's my understanding and of course I did this as well... I added the .htaccess file to my root directory as well as all of my other sub domains. Therefore, am I able to sleep at night now, well at least tonight? Laughing


If your other subdomain isn't running phpnuke, you can remove these lines from the .htaccess file that was given above:

Code:
<FilesMatch "(auth|banners|config|footer|header|mainfile)\.php$">
  Order Allow,Deny
  Deny from all
</FilesMatch>


These lines are only essential to phpnuke, and may cause problems if you are running different programs/scripts which have the same filename.

Raptor1 wrote:
Plz tell me that if I am not sharing a server that I don't need to do this. I just spent the last 2 1/2 weeks updating everything on my site, adding all the security patches, modules, scripts. I know it's an ongoing and learning process, but am I affected by this too?


You can still put the .htaccess file above into your phpnuke root directory (the directory which holds the mainfile.php file). This .htaccess file requires the AllowOverride All setting in the Apache *.conf file, and the Apache mod_access module must be enabled (in most cases, this is already enabled by default). If it isn't, you can enable this module from your main Apache .conf file.

To test whether your Apache configuration accepts .htaccess settings like this, try to directly execute mainfile.php, e.g.:

http://foo.bar/mainfile.php

Successful if and only if you get the "forbidden" page.
However, it is still advisable to use the tips that were discussed before, by adding the constant check as a replacement for the eregi..$_SERVER['.PHP_SELF'] checking code.

Add this line at the beginning of most php-nuke script files (except index.php, admin.php, and modules.php files):

Code:
defined('IN_NUKE') or die('You cannot access this file directly');


Then add this single line at the beginning of index.php, admin.php and modules.php:

Code:
define('IN_NUKE', 1);


Well, this needs lots of work and tests, though.
Good luck, and keep your site secure. Smile

Author: Mindcrime    Posted: Sat Jun 05, 2004 10:24 pm    Post subject: Re: This new security hole...

The define is a good idea, but why not just change PHP_SELF to SCRIPT_NAME as the server variable to be tested?
Am I missing something?
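
Why the PHP_SELF test lets the URL from earlier in the thread through while the same test on SCRIPT_NAME does not, as an added example that is not code from any poster or from PHP-Nuke. The split into SCRIPT_NAME and PATH_INFO is a simplified model of Apache's behaviour, preg_match() stands in for eregi() (removed in PHP 7), and the function names and request paths are constructed.

```php
<?php
// Added example, not code from the thread. It models the server variables for
// a few constructed request paths and compares the PHP_SELF check with the
// same check applied to SCRIPT_NAME.

/**
 * Simplified model of how Apache + PHP fill the server variables when extra
 * path segments follow a script: the script ends at the first ".php"
 * segment, the remainder is PATH_INFO, and PHP_SELF is the two joined.
 */
function server_vars(string $requestUri): array
{
    $path = (string) parse_url($requestUri, PHP_URL_PATH);
    if (preg_match('#^(.*?\.php)(/.*)?$#i', $path, $m)) {
        $script   = $m[1];
        $pathInfo = $m[2] ?? '';
    } else {
        $script   = $path;
        $pathInfo = '';
    }
    return [
        'SCRIPT_NAME' => $script,
        'PATH_INFO'   => $pathInfo,
        'PHP_SELF'    => $script . $pathInfo,
    ];
}

/** The check quoted in the thread: eregi("modules.php", PHP_SELF). */
function php_self_check_passes(array $server): bool
{
    return preg_match('/modules.php/i', $server['PHP_SELF']) === 1;
}

/** The same pattern tested against SCRIPT_NAME instead. */
function script_name_check_passes(array $server): bool
{
    return preg_match('/modules.php/i', $server['SCRIPT_NAME']) === 1;
}

/** Evaluate both checks for each request and return one row per request. */
function compare_checks(array $requestUris): array
{
    $rows = [];
    foreach ($requestUris as $uri) {
        $server = server_vars($uri);
        $rows[] = [
            'request'     => $uri,
            'PHP_SELF'    => $server['PHP_SELF'],
            'SCRIPT_NAME' => $server['SCRIPT_NAME'],
            'php_self'    => php_self_check_passes($server),
            'script_name' => script_name_check_passes($server),
        ];
    }
    return $rows;
}

// Constructed request paths.
$samples = [
    '/modules.php?name=News&file=categories',   // normal entry through modules.php
    '/modules/News/categories.php',             // direct request to a module file
    '/modules/News/categories.php/modules.php', // shape of the URL tested in the thread
];

foreach (compare_checks($samples) as $row) {
    printf(
        "%-42s PHP_SELF check: %-6s SCRIPT_NAME check: %s\n",
        $row['request'],
        $row['php_self'] ? 'pass' : 'block',
        $row['script_name'] ? 'pass' : 'block'
    );
}
```

In this model only the third path separates the two checks: the trailing /modules.php lands in PATH_INFO, so it satisfies the PHP_SELF test but not the SCRIPT_NAME one.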

Author: Tank863    Location: Philadelphia    Posted: Sun Jun 06, 2004 6:22 am    Post subject:

@Mindcrime

Would that work the same? I don't know.. as I don't know a whole heck of a lot about PHP right now.

Can someone test it out to see if it does the same?

This fix that was collaborated on yesterday works..

Author: sengsara    Location: Batam, Indonesia (an hour boat ride from Singapore) ;)    Posted: Sun Jun 06, 2004 9:17 pm    Post subject:

I've seen something similar inside CPG-Nuke about 5 weeks ago.
Code:
if (!defined('CPG_NUKE')) {
    die ("You can't access this file directly...");
}


Inside admin scripts
Code:
if (!defined('ADMIN_PAGES')) { header('Location: ../../'); exit; }


Is this what we are talking about?

Author: VinDSL    Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs    Posted: Sun Jun 06, 2004 9:51 pm    Post subject:

sengsara wrote:
Is this what we are talking about?

Yes! Same church, different pew...

I dunno, the more I think about it; that's a hell of a lot of work to go to for what could best be called a 'non-critical security hole.' LoL! And, I can provide proof of concept. Look at that file list a few posts back. That's just the core files.

This is NOT to say it should be ignored!

Personally, I think the easiest way to handle this 'new, new' security hole is to use the age-old practices documented here:

http://www.karakas-online.de/EN-Book/security-measures.html

Specifically:

This 'revealed path' stuff is nothing new. This 'new security hole' has been around ever since PHP-Nuke was spawned.

I suppose it could be argued that someone should have taken care of this 4 years ago, but I think there were bigger fish to fry, so to speak. As a matter of fact, I'll bet you a dime to a dollar that 99.999% of all Nuke sites still haven't done 1 of those things... you know what I mean? Rolling Eyes

Author: alexm    Posted: Mon Jun 07, 2004 4:57 am    Post subject:

sengsara wrote:
I've seen something similar inside CPG-Nuke about 5 weeks ago.
Code:
if (!defined('CPG_NUKE')) {
    die ("You can't access this file directly...");
}


Inside admin scripts
Code:
if (!defined('ADMIN_PAGES')) { header('Location: ../../'); exit; }


Is this what we are talking about?


Yep. CPG-Nuke actually has at least two levels of protection against this sort of BS. If you're running CPG-Nuke 8.2a, you can pretty much just sit back and relax. Smile There are some "checks" posted in the security forum on cpgnuke.com that you can do to verify that you are not vulnerable to whatever becomes of this "issue."

...

Author: davwone    Posted: Mon Jun 07, 2004 10:18 am    Post subject: Re: This new security hole...

Quote:

Add this line at the beginning of most php-nuke script files (except index.php, admin.php, and modules.php files):

Code:
defined('IN_NUKE') or die('You cannot access this file directly');


Then add this single line at the beginning of index.php, admin.php and modules.php:

Code:
define('IN_NUKE', 1);


Well, this needs lots of work and tests, though.
Good luck, and keep your site secure.




Would that include the fortress.php?




All times are GMT - 8 Hours
