

Nuke Cops :: View topic - This new security hole...

Author: foxyfemfem Location: USA Posted: Sat Jun 05, 2004 5:15 am    Post subject:

VinDSL wrote:
Once again, this is a server administration issue.

I'm on a shared server, my hosting company offers phpnuke via cpanel (meaning a lot of their clients utilize phpnuke) and of course I added a link at their forums to nukecops.com for users to come here if they need assistance with phpnuke, should I ask them if this exploit is a threat to us (those on shared server)?

Author: Tank863 Location: Philadelphia Posted: Sat Jun 05, 2004 7:10 am    Post subject: Re: This new security hole...

Try this as a proof of concept.

http://www.example.com/modules/News/categories.php/modules.php

change example to your domain..

Author: foxyfemfem Location: USA Posted: Sat Jun 05, 2004 7:26 am    Post subject:

@Tank863
I tried that concept at my website with and without judas' fix suggestion. This is what I received
Code:
Warning: main(mainfile.php): failed to open stream: No such file or directory in /home/xxx/public_html/modules/News/categories.php on line 23

Fatal error: main(): Failed opening required 'mainfile.php' (include_path='.:/COMPLETE PATH') in /home/xxx/public_html/modules/News/categories.php on line 23
Um, should I panic now? <standing next to panic button> Confused

Author: Tank863 Location: Philadelphia Posted: Sat Jun 05, 2004 7:35 am    Post subject:

That is exactly what I received...

I'm not a coding expert... but I am working on trying what waraxe suggested...

http://www.waraxe.us/forum/viewtopic.php?t=96

hopefully someone can come up with a good fix...

Author: Tank863 Location: Philadelphia Posted: Sat Jun 05, 2004 8:19 am    Post subject:

Foxy..

this is what phpBB does..

in their stand alone phpbb

in the common.php they have

Code:

if ( !defined('IN_PHPBB') )
{
   die("Hacking attempt");
}


in the index.php and all other *.php files they have
Code:

define('IN_PHPBB', true);



So what I am suggesting... from waraxe's suggestion...

is something like this in the mainfile.php

Code:


if ( !defined('IN_NUKE') )
{
   die("Hacking attempt");
}


In all other files... ??

Code:

define('IN_NUKE', true);


I am going to test this out and post results...

Tank863

Author: VinDSL Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs Posted: Sat Jun 05, 2004 8:29 am    Post subject: Re: This new security hole...

Tank863 wrote:
Try this as a proof of concept.

http://www.example.com/modules/News/categories.php/modules.php

change example to your domain..

Alrighty then... this 'new, new security hole' is quite a different matter!

http://www.waraxe.us/forum/viewtopic.php?t=96

Your proof of concept example reveals full path info which makes it much easier to hack a site than having to work in the blind. This is NOT a good thing! It makes the perp's job a lot easier.

Time to put the 'thinking caps' on... Wink

Author: Tank863 Location: Philadelphia Posted: Sat Jun 05, 2004 9:19 am    Post subject:

Not working... as I hoped Sad

Author: foxyfemfem Location: USA Posted: Sat Jun 05, 2004 9:35 am    Post subject:

Okay, it's time for me to sound the alarm <panic attack> Shocked .. Now where are all those security coders? Is there a security script available that will stop this? How about a temp .htaccess file to deny access until a fix is produced? Or a small snippet in mainfile.php?

Last edited by foxyfemfem on Sat Jun 05, 2004 9:38 am; edited 1 time in total

Author: Tank863 Location: Philadelphia Posted: Sat Jun 05, 2004 9:37 am    Post subject:

Maybe... I didn't look at the phpbb files long enough.. they may include other lines that I need to add in for protection..

like a file called extension.inc and have a particular file call on this extension.inc... hmm

again.. I am not a hard core coder.. I am learning as I go along...

Author: Tank863 Location: Philadelphia Posted: Sat Jun 05, 2004 9:42 am    Post subject:

I wouldn't sound the alarm quite yet..

http://ravenphpscripts.com/postp12835.html#12835

Author: foxyfemfem Location: USA Posted: Sat Jun 05, 2004 9:47 am    Post subject:

How about someone produce a script like this...

nukeauth.php - This script is placed at the top of every page you want to protect. It checks the user's ID and session details against the database and if the details don't match a current valid session, the browser is redirected to access denied page or something similar.

Author: foxyfemfem Location: USA Posted: Sat Jun 05, 2004 9:56 am    Post subject:

yipee woohoo, I can step away from the panic button. <blow Raven a kiss from across the river> .. Thanks sweetie, now I will patiently sit back and wait on you to turn that blank screen into a "get the devil land off my website" message Mr. Green

Author: Tank863 Location: Philadelphia Posted: Sat Jun 05, 2004 10:02 am    Post subject:

Also.. from madman and waraxe

http://www.waraxe.us/forum/viewtopic.php?t=100

Author: Raptor1 Location: Conway SC Posted: Sat Jun 05, 2004 10:12 am    Post subject: Re: This new security hole...

I'm not on a shared server so there's no need for me to worry?

Author: telli Posted: Sat Jun 05, 2004 10:35 am    Post subject: Re: This new security hole...

Here is a fix for it. Thank Tank and waraxe for the idea.

Open your mainfile.php right after the <?php place this:

Code:

//In Nuke Check by Telli http://codezwiz.com/
//Idea taken from Tank863 & Waraxe
define ('IN_NUKE',1);


Open your files that are in need of the patch (I believe the security focus has the list) and find this code:

Code:
if (!eregi("modules.php", $_SERVER['PHP_SELF'])) {
    die ("You can't access this file directly...");
}


Under that place this:

Code:

//In Nuke Check by Telli http://codezwiz.com/
//Idea taken from Tank863 & Waraxe
if ( !defined('IN_NUKE') )
{
        die("Hacking attempt");
}


You will also need to make sure that there is an include of the mainfile.php; many add-ons do not have it, so it may have to be added. In that case just add this code:

Code:
require_once("mainfile.php");


Right after the new code you added so it will look like this:

Code:
//In Nuke Check by Telli http://codezwiz.com/
//Idea taken from Tank863 & Waraxe
if ( !defined('IN_NUKE') )
{
        die("Hacking attempt");
}
require_once("mainfile.php");


And it will block them.

http://www.codezwiz.com/modules/News/categories.php/modules.php


Last edited by telli on Sat Jun 05, 2004 11:02 am; edited 1 time in total
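
The two checks discussed in this thread, modelled over constructed requests as an added example (not code from any of the posts or from PHP-Nuke). The function names `legacy_check` and `in_nuke_guard` are hypothetical, `preg_match` stands in for `eregi()`, and `modules.php` is assumed to be the entry point that loads `mainfile.php`.

```php
<?php
// Added example: compares the substring test on PHP_SELF with the
// IN_NUKE-style guard, using constructed request values.

// Substring test quoted in the thread; eregi() (removed in PHP 7) is
// reproduced with a case-insensitive preg_match on the same pattern.
function legacy_check(string $phpSelf): bool
{
    return preg_match('/modules.php/i', $phpSelf) === 1;
}

// Models the IN_NUKE guard: the marker exists only when the script the
// server actually executed is the entry point that loads mainfile.php.
// Assumption: modules.php is that entry point.
function in_nuke_guard(string $scriptName): bool
{
    return basename($scriptName) === 'modules.php';
}

// Constructed requests: [label, SCRIPT_NAME, PATH_INFO].
// PHP_SELF is SCRIPT_NAME followed by PATH_INFO, so trailing path text
// sent by the client ends up inside the string the legacy check inspects.
$requests = [
    ['via entry point',      '/modules.php',                 ''],
    ['direct module file',   '/modules/News/categories.php', ''],
    ['trailing path suffix', '/modules/News/categories.php', '/modules.php'],
];

foreach ($requests as [$label, $scriptName, $pathInfo]) {
    $phpSelf = $scriptName . $pathInfo;
    printf(
        "%-22s PHP_SELF=%-42s legacy=%-5s guard=%s\n",
        $label,
        $phpSelf,
        legacy_check($phpSelf) ? 'pass' : 'block',
        in_nuke_guard($scriptName) ? 'pass' : 'block'
    );
}
```

Only the third row differs between the two columns: the substring test passes because the text it looks for arrives in the path suffix, while the guard depends on which script was executed.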




All times are GMT - 8 Hours
