You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 190 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - This new security hole... [ ]
 Forum FAQ  •  Search  •   •  Memberlist  •  Usergroups   •  Register  •  Profile •    •  Log in to check your private messages  •  Log in

 
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
Author Message
Mindcrime
Nuke Cadet
Nuke Cadet


Joined: Jun 06, 2004
Posts: 3


PostPosted: Sat Jun 05, 2004 10:24 pm Reply with quoteBack to top

The define is a good idea, but why not just change PHP_SELF to SCRIPT_NAME as the server variable to be tested?
Am I missing something?
Find all posts by MindcrimeView user's profileSend private message
Tank863
Lieutenant
Lieutenant


Joined: Feb 21, 2003
Posts: 195

Location: Philadelphia

PostPosted: Sun Jun 06, 2004 6:22 am Reply with quoteBack to top

@Mindcrime

Would that work the same? I don't know.. as I don't know a whole heck of a lot about PHP right now.

Can someone test it out to see of it does the same?

This fix works that was collaborated on yesterday works..
Find all posts by Tank863View user's profileSend private messageVisit poster's websiteICQ Number
sengsara
Support Staff
Support Staff


Joined: Sep 18, 2003
Posts: 289

Location: Batam, Indonesia (an hour boat ride from Singapore) ;)

PostPosted: Sun Jun 06, 2004 9:17 pm Reply with quoteBack to top

I've seen something similar inside CPG-Nuke about 5 weeks ago.
Code:
if (!defined('CPG_NUKE')) {
    die ("You can't access this file directly...");
}


Inside admin scripts
Code:
if (!defined('ADMIN_PAGES')) { header('Location: ../../'); exit; }


Is this what we are talking about?
Find all posts by sengsaraView user's profileSend private messageSend e-mailVisit poster's website
VinDSL
Site Admin
Site Admin


Joined: Jul 08, 2003
Posts: 1193

Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs

PostPosted: Sun Jun 06, 2004 9:51 pm Reply with quoteBack to top

sengsara wrote:
Is this what we are talking about?

Yes! Same church, different pew...

I dunno, the more I think about it; that's a hell of a lot of work to go to for what could best be called a 'non-critical security hole.' LoL! And, I can provide proof of concept. Look at that file list a few posts back. That's just the core files.

This is NOT to say it should be ignored!

Personally, I think the easiest way to handle this 'new, new' security hole is to use the age-old practices documented here:

http://www.karakas-online.de/EN-Book/security-measures.html

Specifically:
  • Turn your 'globals' off in 'php.ini' or '.htaccess'. "PHP-Nuke now works with register_globals set to OFF!" (since version 5.x)

  • Turn your 'display_errors' off in 'php.ini' or '.htaccess'. "Use PHP's error handling functions to disable error reporting or alter the handling."

  • Security Tip (from the PHP-Nuke INSTALL file)... Put your 'config.php' file outside the web server path.
This 'revealed path' stuff is nothing new. This 'new security hole' been around ever since PHP-Nuke was spawned.

I suppose it could be argued that someone should have taken care of this 4 years ago, but I think there were bigger fish to fry, so to speak. As a matter of fact, I'll bet you a dime to a dollar that 99.999% of all Nuke sites still haven't done 1 of those things... you know what I mean? Rolling Eyes

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.
Find all posts by VinDSLView user's profileSend private messageVisit poster's websiteICQ Number
alexm
Nuke Soldier
Nuke Soldier


Joined: Dec 23, 2003
Posts: 19


PostPosted: Mon Jun 07, 2004 4:57 am Reply with quoteBack to top

sengsara wrote:
I've seen something similar inside CPG-Nuke about 5 weeks ago.
Code:
if (!defined('CPG_NUKE')) {
    die ("You can't access this file directly...");
}


Inside admin scripts
Code:
if (!defined('ADMIN_PAGES')) { header('Location: ../../'); exit; }


Is this what we are talking about?


Yep. CPG-Nuke actually has at least two levels of protection against this sort of BS. If you're running CPG-Nuke 8.2a, you can pretty much just sit back and relax. Smile There are some "checks" posted in the security forum on cpgnuke.com that you can do to verify that you are not vulnerable to whatever becomes of this "issue."

...
Find all posts by alexmView user's profileSend private message
davwone
Nuke Cadet
Nuke Cadet


Joined: Apr 04, 2004
Posts: 5


PostPosted: Mon Jun 07, 2004 10:18 am Reply with quoteBack to top

Quote:

Add this line at the beginning of most php-nuke script files (except index.php, admin.php, and modules.php files):

Code:
defined('IN_NUKE') or die('You cannot access this file directly');


Then add this single line at the beginning of index.php, admin.php and modules.php:

Code:
define('IN_NUKE', 1);


Well, this need lots of works and tests, thought.
Good luck, and keep your site secure.




Would that include the fortress.php?
Find all posts by davwoneView user's profileSend private message
Display posts from previous:      
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.038 Seconds - 441 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::