Author: VinDSL    Location: Arizona (USA)    Site Admin: Lenon.com    Admin: Disipal Designs    Posted: Sun Jun 06, 2004 9:51 pm    Post subject:

Author: Tank863    Location: Philadelphia    Posted: Sun Jun 06, 2004 6:22 am    Post subject:

@Mindcrime

Would that work the same? I don't know.. as I don't know a whole heck of a lot about PHP right now.

Can someone test it out to see if it does the same?

The fix that was collaborated on yesterday works..

Author: sengsara    Location: Batam, Indonesia (an hour boat ride from Singapore) ;)    Posted: Sun Jun 06, 2004 9:17 pm    Post subject:

I've seen something similar inside CPG-Nuke about 5 weeks ago.
Nuke Cops :: View topic - This new security hole...
Author: Mindcrime    Posted: Sat Jun 05, 2004 10:24 pm    Post subject: Re: This new security hole...

The define is a good idea, but why not just change PHP_SELF to SCRIPT_NAME as the server variable to be tested?
Am I missing something?
Code:
if (!defined('CPG_NUKE')) {
    die ("You can't access this file directly...");
}


Inside admin scripts
Code:
if (!defined('ADMIN_PAGES')) { header('Location: ../../'); exit; }


Is this what we are talking about?
sengsara wrote:
Is this what we are talking about?

Yes! Same church, different pew...

I dunno, the more I think about it; that's a hell of a lot of work to go to for what could best be called a 'non-critical security hole.' LoL! And, I can provide proof of concept. Look at that file list a few posts back. That's just the core files.

This is NOT to say it should be ignored!

Personally, I think the easiest way to handle this 'new, new' security hole is to use the age-old practices documented here:

http://www.karakas-online.de/EN-Book/security-measures.html

Specifically:

This 'revealed path' stuff is nothing new. This 'new security hole' has been around ever since PHP-Nuke was spawned.

I suppose it could be argued that someone should have taken care of this 4 years ago, but I think there were bigger fish to fry, so to speak. As a matter of fact, I'll bet you a dime to a dollar that 99.999% of all Nuke sites still haven't done 1 of those things... you know what I mean? Rolling Eyes

Author: alexm    Posted: Mon Jun 07, 2004 4:57 am    Post subject:

sengsara wrote:
I've seen something similar inside CPG-Nuke about 5 weeks ago.
Code:
if (!defined('CPG_NUKE')) {
    die ("You can't access this file directly...");
}


Inside admin scripts
Code:
if (!defined('ADMIN_PAGES')) { header('Location: ../../'); exit; }


Is this what we are talking about?


Yep. CPG-Nuke actually has at least two levels of protection against this sort of BS. If you're running CPG-Nuke 8.2a, you can pretty much just sit back and relax. Smile There are some "checks" posted in the security forum on cpgnuke.com that you can do to verify that you are not vulnerable to whatever becomes of this "issue."

...

Author: davwone    Posted: Mon Jun 07, 2004 10:18 am    Post subject: Re: This new security hole...

Quote:

Add this line at the beginning of most php-nuke script files (except index.php, admin.php, and modules.php files):

Code:
defined('IN_NUKE') or die('You cannot access this file directly');


Then add this single line at the beginning of index.php, admin.php and modules.php:

Code:
define('IN_NUKE', 1);


Well, this needs lots of work and tests, though.
Good luck, and keep your site secure.




Would that include the fortress.php?
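
An added example, not part of the thread and not PHP-Nuke or CPG-Nuke code: a Python audit that walks a site tree and reports every .php file whose first statement is not the `defined(...)` guard quoted above, plus any entry point that does not `define` the constant first. It assumes only the web-root copies of index.php, admin.php and modules.php are entry points, matches the first statement heuristically rather than parsing PHP, and runs against a small constructed file tree.

```python
import re
import tempfile
from pathlib import Path

# Web-root entry points from the quoted advice (root-only is this example's assumption).
ENTRY_POINTS = {"index.php", "admin.php", "modules.php"}
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def first_statement(source):
    """First PHP statement after the opening tag, with comments stripped."""
    body = source.split("<?php", 1)[-1]
    return COMMENTS.sub("", body).lstrip().split(";", 1)[0]

def audit(root, constant="IN_NUKE"):
    """Return {relative path: problem} for files missing the define or guard."""
    name = rf"\(\s*['\"]{re.escape(constant)}['\"]"
    define = re.compile(rf"\bdefine\s*{name}", re.I)
    # Both styles from the thread: if (!defined('X')) ... and defined('X') or die(...)
    guard = re.compile(rf"!\s*defined\s*{name}|\bdefined\s*{name}\s*\)\s*(?:or|\|\|)\s*(?:die|exit)", re.I)
    root, problems = Path(root), {}
    for path in sorted(root.rglob("*.php")):
        stmt = first_statement(path.read_text(errors="replace"))
        rel = path.relative_to(root).as_posix()
        if path.parent == root and path.name in ENTRY_POINTS:
            if not define.search(stmt):
                problems[rel] = f"entry point does not define {constant} first"
        elif not guard.search(stmt):
            problems[rel] = "first statement is not a direct-access guard"
    return problems

def demo():
    """Audit a small constructed tree (sample files, not real PHP-Nuke code)."""
    files = {
        "index.php": "<?php\ndefine('IN_NUKE', 1);\ninclude 'mainfile.php';\n",
        "admin.php": "<?php\ninclude 'mainfile.php';\n",
        "mainfile.php": "<?php\n/* core */\ndefined('IN_NUKE') or die('You cannot access this file directly');\n",
        "includes/guarded.php": "<?php\nif (!defined('IN_NUKE')) {\n    die (\"no\");\n}\n",
        "includes/late.php": "<?php\n$x = 1;\ndefined('IN_NUKE') or die('late');\n",
        "blocks/block-Sample.php": "<?php\necho $content;\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return audit(tmp)

if __name__ == "__main__":
    print("\n".join(f"{rel}: {problem}" for rel, problem in demo().items()))
```

Pass a different constant name as the second argument, for example `audit(site_root, "CPG_NUKE")`, to check a tree that uses the CPG-Nuke style guard.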



All times are GMT - 8 Hours
