Nuke Cops :: View topic - This new security hole...
foxyfemfem
Support Staff
Joined: Jan 23, 2003
Posts: 668
Location: USA
Posted: Sat Jun 05, 2004 11:00 am

Thanks Telli. <looking at the list of files that need to be patched> wow! that's approximately every file.

_________________
If you shoot for the moon and miss, you'll still be amongst the stars.
telli
Support Mod
Joined: Aug 21, 2003
Posts: 335
Posted: Sat Jun 05, 2004 11:06 am

It's just one proposed fix that works solid. Maybe there are others that won't require you to get into changing so much of the code. Or maybe they will actually include something like this in the next fix distro or Nuke distro.

_________________
http://www.codezwiz.com
PHPNuke Themes
Tank863
Lieutenant
Joined: Feb 21, 2003
Posts: 195
Location: Philadelphia
Posted: Sat Jun 05, 2004 11:26 am

@Telli...

What you made up seems to be in line with what waraxe suggested....

seems that I had it arse backwards ;)

again.. I'm not a die hard coder.. (yet) but I was advised that:

All blocks and/or modules and/or add-ons do not call mainfile.php, nor do they necessarily have to.

I will apply this and test it out.... but your 'patch' does work as your link showed...

Tank863
foxyfemfem
Support Staff
Joined: Jan 23, 2003
Posts: 668
Location: USA
Posted: Sat Jun 05, 2004 11:30 am

telli wrote:
Or maybe they will actually include something like this in the next fix distro or Nuke distro.

That's a joke, right? If not, I'm LMAO reading that one. Have you noticed the last version (7.3) changelog? All fixes were those of chatserv and others, um, do you think 7.4 will be any different? I'll wait on a fix from here (nukecop) or there (raven's site) before I cash in my money on 7.4 (no pun intended FB). I'm just calling it like I see it.

telli
Support Mod
Joined: Aug 21, 2003
Posts: 335
Posted: Sat Jun 05, 2004 11:36 am

Tank863 wrote:
All blocks and/or modules and/or add-ons do not call mainfile.php, nor do they necessarily have to.

I updated the fix on the previous page to show what to do in that case.

Very true Foxy, very unfortunate but very true.

Tank863
Lieutenant
Joined: Feb 21, 2003
Posts: 195
Location: Philadelphia
Posted: Sat Jun 05, 2004 12:16 pm

Here is a list of the files...

Code:

Affected Files:
--------------
Although an effort was made to identify all affected files (~160 total of
which ~28 have no security check), we leave it up to the developers/users
to do their own verification to ensure no files were inadvertently missed.

Note 1 --> /admin/case/case.adminfaq.php
Note 1 --> /admin/case/case.authors.php
Note 1 --> /admin/case/case.backup.php
Note 1 --> /admin/case/case.banners.php
Note 1 --> /admin/case/case.blocks.php
Note 1 --> /admin/case/case.comments.php
Note 1 --> /admin/case/case.content.php
Note 1 --> /admin/case/case.download.php
Note 1 --> /admin/case/case.encyclopedia.php
Note 1 --> /admin/case/case.ephemerids.php
Note 1 --> /admin/case/case.forums.php
Note 1 --> /admin/case/case.groups.php
Note 1 --> /admin/case/case.links.php
Note 1 --> /admin/case/case.messages.php
Note 1 --> /admin/case/case.modules.php
Note 1 --> /admin/case/case.newsletter.php
Note 1 --> /admin/case/case.optimize.php
Note 1 --> /admin/case/case.polls.php
Note 1 --> /admin/case/case.referers.php
Note 1 --> /admin/case/case.reviews.php
Note 1 --> /admin/case/case.sections.php
Note 1 --> /admin/case/case.settings.php
Note 1 --> /admin/case/case.stories.php
Note 1 --> /admin/case/case.topics.php
Note 1 --> /admin/case/case.tracking.php
Note 1 --> /admin/case/case.users.php
Note 2 --> /admin/links/links.addstory.php
Note 2 --> /admin/links/links.backup.php
Note 2 --> /admin/links/links.banners.php
Note 2 --> /admin/links/links.blocks.php
Note 2 --> /admin/links/links.content.php
Note 2 --> /admin/links/links.download.php
Note 2 --> /admin/links/links.editadmins.php
Note 2 --> /admin/links/links.editusers.php
Note 2 --> /admin/links/links.encyclopedia.php
Note 2 --> /admin/links/links.ephemerids.php
Note 2 --> /admin/links/links.faq.php
Note 2 --> /admin/links/links.forums.php
Note 2 --> /admin/links/links.groups.php
Note 2 --> /admin/links/links.httpreferers.php
Note 2 --> /admin/links/links.messages.php
Note 2 --> /admin/links/links.modules.php
Note 2 --> /admin/links/links.newsletter.php
Note 2 --> /admin/links/links.optimize.php
Note 2 --> /admin/links/links.reviews.php
Note 2 --> /admin/links/links.sections.php
Note 2 --> /admin/links/links.settings.php
Note 2 --> /admin/links/links.submissions.php
Note 2 --> /admin/links/links.surveys.php
Note 2 --> /admin/links/links.topics.php
Note 2 --> /admin/links/links.tracking.php
Note 2 --> /admin/links/links.weblinks.php
Note 3 --> /admin/modules/adminfaq.php
Note 3 --> /admin/modules/authors.php
Note 3 --> /admin/modules/backup.php
Note 3 --> /admin/modules/banners.php
Note 3 --> /admin/modules/blocks.php
Note 3 --> /admin/modules/comments.php
Note 3 --> /admin/modules/content.php
Note 3 --> /admin/modules/download.php
Note 3 --> /admin/modules/encyclopedia.php
Note 3 --> /admin/modules/ephemerids.php
Note 3 --> /admin/modules/forums.php
Note 3 --> /admin/modules/groups.php
Note 3 --> /admin/modules/links.php
Note 3 --> /admin/modules/messages.php
Note 3 --> /admin/modules/modules.php
Note 3 --> /admin/modules/newsletter.php
Note 3 --> /admin/modules/optimize.php
Note 3 --> /admin/modules/polls.php
Note 3 --> /admin/modules/referers.php
Note 3 --> /admin/modules/reviews.php
Note 3 --> /admin/modules/sections.php
Note 3 --> /admin/modules/settings.php
Note 3 --> /admin/modules/stories.php
Note 3 --> /admin/modules/topics.php
Note 3 --> /admin/modules/tracking.php
Note 3 --> /admin/modules/users.php
Note 4 --> /db/db.php
Note 1 --> /modules/AvantGo/index.php
Note 1 --> /modules/AvantGo/print.php
Note 1 --> /modules/Bookmarks/del_cat.php
Note 1 --> /modules/Bookmarks/del_mark.php
Note 5 --> /modules/Bookmarks/edit_cat.php
Note 5 --> /modules/Bookmarks/edit_mark.php
Note 1 --> /modules/Bookmarks/index.php
Note 1 --> /modules/Bookmarks/marks.php
Note 5 --> /modules/Bookmarks/uploadbookmarks.php
Note 1 --> /modules/Content/index.php
Note 1 --> /modules/Downloads/index.php
Note 6 --> /modules/Downloads/voteinclude.php
Note 1 --> /modules/Encyclopedia/index.php
Note 1 --> /modules/Encyclopedia/search.php
Note 1 --> /modules/FAQ/index.php
Note 1 --> /modules/Feedback/index.php
Note 1 --> /modules/Forums/buddylist.php
Note 1 --> /modules/Forums/faq.php
Note 1 --> /modules/Forums/groupcp.php
Note 1 --> /modules/Forums/ignore.php
Note 1 --> /modules/Forums/index.php
Note 1 --> /modules/Forums/login.php
Note 1 --> /modules/Forums/modcp.php
Note 1 --> /modules/Forums/nukebb.php
Note 1 --> /modules/Forums/posting.php
Note 1 --> /modules/Forums/profile.php
Note 1 --> /modules/Forums/ranks.php
Note 1 --> /modules/Forums/search.php
Note 1 --> /modules/Forums/staff.php
Note 1 --> /modules/Forums/topics.php
Note 1 --> /modules/Forums/viewforum.php
Note 1 --> /modules/Forums/viewonline.php
Note 1 --> /modules/Forums/viewtopic.php
Note 1 --> /modules/Journal/add.php
Note 1 --> /modules/Journal/comment.php
Note 1 --> /modules/Journal/commentkill.php
Note 1 --> /modules/Journal/commentsave.php
Note 1 --> /modules/Journal/delete.php
Note 1 --> /modules/Journal/deleteyes.php
Note 1 --> /modules/Journal/display.php
Note 1 --> /modules/Journal/edit.php
Note 1 --> /modules/Journal/friend.php
Note 1 --> /modules/Journal/functions.php
Note 1 --> /modules/Journal/index.php
Note 1 --> /modules/Journal/modify.php
Note 1 --> /modules/Journal/savenew.php
Note 1 --> /modules/Journal/search.php
Note 1 --> /modules/Members_List/index.php
Note 1 --> /modules/News/allindex.php
Note 1 --> /modules/News/article.php
Note 1 --> /modules/News/associates.php
Note 1 --> /modules/News/categories.php
Note 1 --> /modules/News/comments.php
Note 1 --> /modules/News/friend.php
Note 1 --> /modules/News/index.php
Note 1 --> /modules/News/print.php
Note 3 --> /modules/Private_Messages/index.php
Note 1 --> /modules/Recommend_Us/index.php
Note 1 --> /modules/Resend_Email/index.php
Note 1 --> /modules/Reviews/index.php
Note 1 --> /modules/Search/index.php
Note 1 --> /modules/Sections/index.php
Note 1 --> /modules/Statistics/index.php
Note 1 --> /modules/Stories_Archive/index.php
Note 1 --> /modules/Submit_News/index.php
Note 1 --> /modules/Surveys/comments.php
Note 1 --> /modules/Surveys/index.php
Note 1 --> /modules/Top/index.php
Note 1 --> /modules/Topics/index.php
Note 1 --> /modules/Web_Links/index.php
Note 6 --> /modules/Web_Links/voteinclude.php
Note 1 --> /modules/Web_Links/class.rc4crypt.php
Note 1 --> /modules/Web_Links/compose.php
Note 1 --> /modules/Web_Links/inbox.php
Note 1 --> /modules/Web_Links/index.php
Note 1 --> /modules/Web_Links/mailheader.php
Note 1 --> /modules/Web_Links/nlmail.php
Note 1 --> /modules/Web_Links/readmail.php
Note 1 --> /modules/Web_Links/settings.php
Note 1 --> /modules/Your_Account/index.php
Note 2 --> /modules/Your_Account/navbar.php



@telli

Do I need to add the

Code:
require_once("mainfile.php");

to the /admin/case/*.php files?
madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Sat Jun 05, 2004 12:43 pm

If your server is running Apache and allows you to use .htaccess (AllowOverride is All in the .conf file), you can put this .htaccess in the phpnuke root dir:

Code:
<FilesMatch "\.(asp|bin|c|cgi|class|conf|h|htaccess|ihtml?|inc|ini|pl|sql|tpl|txt)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<FilesMatch "(auth|banners|config|footer|header|mainfile)\.php$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<LimitExcept GET PUT POST>
  Order Allow,Deny
  Deny from all
</LimitExcept>


To protect nuke subdirs, read my post at http://www.nukecops.com/postp129926.html

telli
Support Mod
Joined: Aug 21, 2003
Posts: 335
Posted: Sat Jun 05, 2004 12:58 pm

Yes Tank.

foxyfemfem
Support Staff
Joined: Jan 23, 2003
Posts: 668
Location: USA
Posted: Sat Jun 05, 2004 12:59 pm

@madman
Will this protect all files involved? I will take a look at your sub domain topic since I do utilize other php programs in my sub domains.

foxyfemfem
Support Staff
Joined: Jan 23, 2003
Posts: 668
Location: USA
Posted: Sat Jun 05, 2004 1:11 pm

Hello,

This code here .. <FilesMatch "(auth|banners|config|footer|header|mainfile)\.php$">

Do I need to include.... |theme|module|?

What's the difference in... ihtml & ihtml?

madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Sat Jun 05, 2004 1:25 pm

foxyfemfem wrote:
@madman
Will this protect all files involved? I will take a look at your sub domain topic since I do utilize other php programs in my sub domains.

It's about phpnuke subdirs (sub directories), not subdomains.
The .htaccess file above will protect these files in the phpnuke root directory from direct execution:

auth.php
banners.php
config.php
footer.php
header.php
mainfile.php

For example, running this URL: http://foo.bar/mainfile.php will return a forbidden server response. Because this topic is also talking about running mainfile.php from the same server using the remote file wrapper (allow_url_fopen in php.ini), the .htaccess file will also restrict such access, because the request (e.g. from the include(), require(), fopen() functions) comes via HTTP methods (GET, PUT, POST) and not from the local file system.

If you are running more than one subdomain, you don't have to worry if those subdomains point to the same path, e.g.

sub1.foo.bar -> /vhosts/username/httpdocs/nuke/
sub2.foo.bar -> /vhosts/username/httpdocs/nuke/
sub3.foo.bar -> /vhosts/username/httpdocs/nuke/

If you are running subdomains where the path mappings are different:

sub1.foo.bar -> /vhosts/username/httpdocs/main/
sub2.foo.bar -> /vhosts/username/httpdocs/main/nuke/
sub3.foo.bar -> /vhosts/username/httpdocs/main/nuke/nuke2/

Then you'll have to put .htaccess files like these:

/vhosts/username/httpdocs/main/.htaccess
/vhosts/username/httpdocs/main/nuke/.htaccess
/vhosts/username/httpdocs/main/nuke/nuke2/.htaccess

Hope this helps.

madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Sat Jun 05, 2004 1:31 pm

foxyfemfem wrote:
Hello,
This code here .. <FilesMatch "(auth|banners|config|footer|header|mainfile)\.php$">
Do I need to include.... |theme|module|?

If you have files called theme.php and module.php in the phpnuke root directory, you can add them to your statement above. But do not protect modules.php because it's required to be called directly.

foxyfemfem wrote:
What's the difference in... ihtml & ihtml?

ihtml only matches files with the .ihtml extension, while ihtml? will match both the .ihtm and .ihtml extensions.

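Foxy's question above ("Will this protect all files involved?") can be answered mechanically. The script below is an added example written for this thread, not code from the forum, from PHP-Nuke or from madman: it takes the two <FilesMatch> blocks of the .htaccess posted earlier, applies them the way Apache does (the regex is searched, unanchored, against the file name only, never the directory part), and reports which paths from the "Affected Files" list would be refused on a direct HTTP request and which would still be served. The sample path list is constructed for the demo; it also includes a few extra names (a backup copy, .ihtm/.ihtml, a theme file) to show the extension rules, including the ihtml? point madman explains.

```python
import re

# Constructed input: the two FilesMatch blocks from the .htaccess posted in this thread.
# (The <LimitExcept> block restricts HTTP methods, not files, so it is not part of this check.)
HTACCESS = r'''
<FilesMatch "\.(asp|bin|c|cgi|class|conf|h|htaccess|ihtml?|inc|ini|pl|sql|tpl|txt)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<FilesMatch "(auth|banners|config|footer|header|mainfile)\.php$">
  Order Allow,Deny
  Deny from all
</FilesMatch>
'''

# Constructed sample: a handful of entries from the "Affected Files" list above,
# plus extra names chosen to exercise the extension rules (theme name is made up).
SAMPLE_PATHS = [
    "/mainfile.php", "/config.php", "/modules.php", "/db/db.php",
    "/admin/case/case.users.php", "/modules/Forums/viewtopic.php",
    "/modules/Your_Account/navbar.php", "/themes/SomeTheme/theme.php",
    "/config.php.bak", "/template.ihtm", "/template.ihtml", "/page.html",
]

FILESMATCH_RE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)
DENY_ALL_RE = re.compile(r'^\s*Deny\s+from\s+all\s*$', re.M | re.I)


def deny_patterns(htaccess):
    """Compile the regex of every <FilesMatch> block whose body says 'Deny from all'."""
    return [re.compile(pat) for pat, body in FILESMATCH_RE.findall(htaccess)
            if DENY_ALL_RE.search(body)]


def is_denied(path, patterns):
    """Apache tests a FilesMatch regex against the file name only (not the directory),
    as an unanchored search; re.search on the basename reproduces that."""
    name = path.rsplit("/", 1)[-1]
    return any(p.search(name) for p in patterns)


def coverage(paths, htaccess=HTACCESS):
    """Split paths into those the .htaccess refuses on a direct HTTP request
    and those it still serves (which therefore need an in-file check)."""
    pats = deny_patterns(htaccess)
    denied = [p for p in paths if is_denied(p, pats)]
    served = [p for p in paths if not is_denied(p, pats)]
    return denied, served


if __name__ == "__main__":
    denied, served = coverage(SAMPLE_PATHS)
    print("Refused by .htaccess:")
    for p in denied:
        print("  ", p)
    print("Still served directly (need the in-file guard):")
    for p in served:
        print("  ", p)
```

Running it shows the point madman makes in the next posts: the rules cover only the six root-level includes and the listed non-PHP extensions, so everything under /admin/case/, /admin/links/, /admin/modules/, /db/ and /modules/ is still served and needs the require_once / constant check discussed in the thread. A stray backup such as config.php.bak is served as well, since neither pattern ends in .bak, and it would be returned as plain text rather than executed.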
foxyfemfem
Support Staff
Joined: Jan 23, 2003
Posts: 668
Location: USA
Posted: Sat Jun 05, 2004 1:36 pm

Thanks Madman, now let me see if I understand exactly what you're saying.

phpnuke is in my root directory www.example.com
whereas I have subdomain.example.com (other php programs)... Here's my understanding, and of course I did this as well... I added the .htaccess file to my root directory as well as all of my other sub domains. Therefore, am I able to sleep at night now, well at least tonight?

Raptor1
Sergeant
Joined: Oct 06, 2003
Posts: 85
Location: Conway SC
Posted: Sat Jun 05, 2004 1:40 pm

Please tell me that if I am not sharing a server, I don't need to do this. I just spent the last 2 1/2 weeks updating everything on my site, adding all the security patches, modules, scripts. I know it's an ongoing and learning process, but am I affected by this too?

_________________
Knowledge is not gained by just learning, but by teaching those that do not understand. Learning is something we all do without knowing, while gaining knowledge to understand. Wisdom is reserved for others, not you. Understand?
madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Sat Jun 05, 2004 2:19 pm

foxyfemfem wrote:
phpnuke is in my root directory www.example.com
whereas I have subdomain.example.com (other php programs)... Here's my understanding, and of course I did this as well... I added the .htaccess file to my root directory as well as all of my other sub domains. Therefore, am I able to sleep at night now, well at least tonight?

If your other subdomain isn't running phpnuke, you can remove these lines from the .htaccess file that was given above:

Code:
<FilesMatch "(auth|banners|config|footer|header|mainfile)\.php$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

These lines are only essential to phpnuke, and may cause problems if you are running different programs/scripts which have the same filenames.

Raptor1 wrote:
Please tell me that if I am not sharing a server, I don't need to do this. I just spent the last 2 1/2 weeks updating everything on my site, adding all the security patches, modules, scripts. I know it's an ongoing and learning process, but am I affected by this too?

You can still put the .htaccess file above into your phpnuke root directory (the directory which holds the mainfile.php file). This .htaccess file requires the AllowOverride All setting in the Apache *.conf file, and the Apache mod_access module must be enabled (in most cases, this is already enabled by default). If not, you can enable this module from your main Apache .conf file.

To test whether your Apache configuration accepts .htaccess settings like this, try to execute mainfile.php directly, e.g.:

http://foo.bar/mainfile.php

Successful if and only if you get a "forbidden" page.
However, it is still advisable to use the tips that were discussed before, by adding constant checking as a replacement for the eregi..$_SERVER['PHP_SELF'] checking code.

Add this line at the beginning of most php-nuke script files (except the index.php, admin.php, and modules.php files):

Code:
defined('IN_NUKE') or die('You cannot access this file directly');

Then add this single line at the beginning of index.php, admin.php and modules.php:

Code:
define('IN_NUKE', 1);

Well, this needs lots of work and tests, though.
Good luck, and keep your site secure.

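The advisory excerpt Tank863 posted says it is up to users to verify that no file was missed, and madman's last post describes the two-line scheme to verify: define('IN_NUKE', 1) in the three entry points, defined('IN_NUKE') or die(...) everywhere else. The audit script below is an added example for this thread (not PHP-Nuke code, not madman's, and not a tool the thread mentions): it walks a nuke install, sorts the .php files into those that carry the IN_NUKE guard, those that still rely only on the older eregi(..., $_SERVER['PHP_SELF']) check, and those with no check at all, and flags entry points that forgot the define(). The tree embedded in the script is constructed sample content; the eregi line in it is written in the style of the old check, not copied from any release. It checks for presence of the lines only, not that they are the first statement in the file, so a guard placed after other code is not reported.

```python
import os
import re

# Constructed sample tree: path relative to the nuke root -> PHP source.
SAMPLE_FILES = {
    "index.php": "<?php\ndefine('IN_NUKE', 1);\nrequire_once('mainfile.php');\n",
    "admin.php": "<?php\ndefine('IN_NUKE', 1);\nrequire_once('mainfile.php');\n",
    "modules.php": "<?php\nrequire_once('mainfile.php');\n",            # define() forgotten
    "mainfile.php": "<?php\ndefined('IN_NUKE') or die('You cannot access this file directly');\n",
    "admin/case/case.users.php": "<?php\nif ($op == 'mod_users') { /* ... */ }\n",   # no check at all
    "modules/News/index.php": "<?php\nif (!eregi(\"modules.php\", $_SERVER['PHP_SELF'])) {\n"
                              "    die (\"You can't access this file directly...\");\n}\n",
}

# The three files madman says must define the constant instead of checking it.
ENTRY_POINTS = {"index.php", "admin.php", "modules.php"}

GUARD_RE = re.compile(r"""defined\(\s*['"]IN_NUKE['"]\s*\)\s*(?:or|\|\|)\s*die\b""", re.I)
DEFINE_RE = re.compile(r"""define\(\s*['"]IN_NUKE['"]\s*,""")
# Old-style check: eregi("<something>", $_SERVER['PHP_SELF']), the one the thread wants replaced.
LEGACY_RE = re.compile(r"""eregi\(\s*['"][^'"]*['"]\s*,\s*\$_SERVER\[\s*['"]PHP_SELF['"]\s*\]""", re.I)


def audit(files):
    """files: mapping of path (relative to the nuke root) -> source text.
    Returns three sorted lists:
      unguarded      - files with neither the IN_NUKE guard nor the eregi/PHP_SELF check
      legacy_only    - files that rely only on the eregi/PHP_SELF check
      missing_define - root entry points that never define('IN_NUKE', 1)
    Presence is all that is tested; position within the file is not."""
    unguarded, legacy_only, missing_define = [], [], []
    for path, src in files.items():
        path = path.replace(os.sep, "/")
        if path in ENTRY_POINTS:          # root-level only; modules/News/index.php is not one
            if not DEFINE_RE.search(src):
                missing_define.append(path)
            continue
        if GUARD_RE.search(src):
            continue
        if LEGACY_RE.search(src):
            legacy_only.append(path)
        else:
            unguarded.append(path)
    return sorted(unguarded), sorted(legacy_only), sorted(missing_define)


def read_tree(root):
    """Load every .php file under root into the mapping audit() expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="latin-1") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


if __name__ == "__main__":
    # For a real install: unguarded, legacy_only, missing_define = audit(read_tree("/path/to/nuke/html"))
    unguarded, legacy_only, missing_define = audit(SAMPLE_FILES)
    print("No direct-access check at all:", unguarded)
    print("Still using eregi/PHP_SELF only:", legacy_only)
    print("Entry points missing define('IN_NUKE', 1):", missing_define)
```

On the sample tree the report is: admin/case/case.users.php has no check, modules/News/index.php still uses the old check, and modules.php never defines the constant. Run against a real tree, the first list is the one to compare with the "~28 have no security check" count in the advisory excerpt above; files that legitimately must be called directly (modules.php, index.php, admin.php) are handled by the entry-point set rather than being reported as unguarded.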
Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)