All that file is used for is the custom pages... It's not used for any of my modules or anything...
I have 3 of them in my downloads area: About Us, Privacy, and Disclaimer. I don't use the viewpage.php file on my site, as I added them to the downloads long ago... and converted my own about, privacy, and disclaimer, by just using the header and footer... The viewpage file does just add the nuke stuff, like header, footer, and so on. If you want to see what I'm talking about, you can download a custom page with the file included. That is how I have it working.
If there is a security problem, I will delete them immediately, post on some sites, and just convert them to the way I have it... Greatly appreciate any help.
Thanks,
Shawn
NukeStyles Nuke Soldier
Joined: Feb 10, 2003
Posts: 20
Location: USA
Posted:
Wed Mar 26, 2003 7:33 am
chatserv,
I just noticed what you said about me categorizing something as a nuke problem! I NEVER did that! Omg... I just noticed this forum post, by sifting through my http referrers in the admin on my site, so I checked to see what it was about... I would never do something like that, or blame FB or Nuke as the problem...
I just try to make nuke and my scripts better looking and more user friendly... So please don't think I said it was nuke or fb's fault. That is absolutely untrue. And I don't claim to be a super coder, or perfect for that matter... I use whatever security that is built into nuke, and just add the same stuff to my scripts... So if there is a security issue, I wait for the big boys to post a fix. Still learning php... and sorry for this issue as a whole.. I would never have released something if I thought it would cause people's sites to get hacked by some idiot.
Shawn
sixonetonoffun Major
Joined: Jan 13, 2003
Posts: 892
Posted:
Wed Mar 26, 2003 8:03 am
The problem with viewpage.php is real. It can be used to open any file as it is. You should limit it to the exact file you need to open. In the case of contacts plus this is about.php.
Just hard code the filename and filter out any scripts that can be used to change the filename or include another.
You could use switch case and do it all in one file and get rid of the include completely.
The way I read chatserv's post was he wasn't blaming you for saying anything about it being a nuke problem. The "them" he was referring to in his post was BugTraq, the people who originally posted this as a Nuke related bug.
I don't think anyone here, especially chatserv, is going to try to dis an addon developer for trying their best to make new and exciting additions for Nuke!
If you try to use viewpage.php file to include say the modules.php file, the modules.php will then deny you access to it from its own protection... right? Or no?
The modules.php file DOES exist, so the viewpage.php file DOES try to include it... but then the nuke security for that particular file, will then take over... if it's accessed from something else, like the viewpage.php file...
Am I way off??
Shawn
Daniel-cmw Site Admin
Joined: Mar 02, 2003
Posts: 1662
Location: The UK!
Posted:
Wed Mar 26, 2003 9:01 am
So far I am yet to find a real hole here, I agree with NukeStyles, every time you try to read config.php you get a normal nuke site, viewing the modules.php you get the normal warning.
Anyone got a REAL working link to prove that this hole does exist?
chatserv General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted:
Wed Mar 26, 2003 9:12 am
NukeStyles, first off like Cyberclark said, I would never put down any coder for any reason whatsoever, I was simply stating that if BugTraq was saying this was caused by a PHP-Nuke default file they would be making an injustice to Nuke and FB, God forbid me from putting down anyone's hard work, as for the code, you should implement the alternate method you mention having.
sixonetonoffun Major
Joined: Jan 13, 2003
Posts: 892
Posted:
Wed Mar 26, 2003 9:12 am
Ok NukeStyles is right, nuke files are protected. But non-nuke files wouldn't be. As for proof of concept, remember the NukeBrowser problems?
Simple proof: upload a html file with anything in it and use viewpage.php to open it.
The published exploit was /viewpage.php?file=/etc/passwd
I'm not ripping NukeStyles efforts here at all. More experienced coders have made the same errors. Like I said remember NukeBrowser. Even the early versions of PHPNuke itself.
Ahh, chatserv... I just figured it was directed towards me, as your opening statement said:
"Without trying to make any bad comments about NukeStyle's scripts i find it unfair for them to categorize this as a PHP-Nuke problem..."
It sounded as if it was directly stated to me... Cool... it wasn't... Anyhow... enuff about that silly stuff....
I have one more question for this then....
If I take out the viewpage.php file... and just use a regular about.php file, with the header, footer, etc... so it fits into the nuke site... How do I protect that one file, if it's in the main directory?
Say the About Us file... you have to access it directly, in order to view it. So without the viewpage.php protection, what other way is there to protect a file, in the main directory, that HAS to be able to be viewed directly... or is this impossible?
Sorry for all the questions... just want to be sure about this, so I don't get myself and everyone using it, in trouble...
Shawn
Raven General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted:
Wed Mar 26, 2003 11:51 am
Daniel-cmw wrote:
So far I am yet to find a real hole here, I agree with NukeStyles, every time you try to read config.php you get a normal nuke site, viewing the modules.php you get the normal warning.
Anyone got a REAL working link to prove that this hole does exist?
It IS a real hole as I originally reported. See my original post on the first page --> Posted: Tue Mar 25, 2003 4:59 pm Post subject:
Raven
sixonetonoffun Major
Joined: Jan 13, 2003
Posts: 892
Posted:
Wed Mar 26, 2003 12:05 pm
Why not just make it a regular nuke module. Like has posted here and other places. It's not hard to do. Then include a file say about.htm.
Then all the nuke built in filters will also be applied. Though it wouldn't hurt to at least use strip_tags on the include. At least that's what I think.
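The two fixes suggested in this thread, hard-coding the filenames behind a switch/case so that request data never becomes a path (sixonetonoffun's earlier post) and running strip_tags over a static .htm include (the post above), put together as one added example. This is not the NukeStyles add-on's code nor anything from PHP-Nuke; it assumes a pages/ directory holding plain .htm fragments and the site's own header.php and footer.php, all of which are assumptions for illustration.

```php
<?php
// Added example, not the original viewpage.php: a custom-page script that can only
// ever open the handful of files its author chose.
//
// The pattern this thread calls the hole, shown only for contrast:
//     include($_GET['file']);   // whatever readable path is supplied gets opened
// Below, the request supplies a short key, and the key is mapped to a fixed
// filename inside a fixed directory. No part of the path comes from the visitor.

// Assumed location of the static fragments (about.htm, privacy.htm, disclaimer.htm).
define('PAGES_DIR', __DIR__ . '/pages');

// Tags a static page is allowed to keep; everything else is removed by strip_tags.
define('ALLOWED_TAGS', '<p><br><b><i><ul><ol><li><h2><h3>');

/**
 * Map a page key to a hard-coded filename. Unknown keys get null, never a path.
 * A switch/case keeps the whitelist in one obvious place, as suggested in the thread.
 */
function resolve_page($key)
{
    switch ($key) {
        case 'about':
            return 'about.htm';
        case 'privacy':
            return 'privacy.htm';
        case 'disclaimer':
            return 'disclaimer.htm';
        default:
            return null;
    }
}

/**
 * Read a whitelisted page and return its sanitised HTML body.
 * Returns a plain message when the key is unknown or the file cannot be read.
 */
function load_page($key, $baseDir)
{
    $name = resolve_page($key);
    if ($name === null) {
        return '<p>Unknown page.</p>';
    }

    // Defence in depth: even a whitelisted name must resolve inside $baseDir.
    // If a symlink or a misconfigured directory ever points elsewhere, refuse.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return '<p>Page unavailable.</p>';
    }

    $html = file_get_contents($path);
    if ($html === false) {
        return '<p>Page unavailable.</p>';
    }

    // The strip_tags suggestion from the thread: the fragment is static content,
    // so it never needs scripts, forms or event handlers.
    return strip_tags($html, ALLOWED_TAGS);
}

// Entry point. Only a short lowercase key is accepted from the query string;
// anything else falls back to the default page rather than being used.
$key = isset($_GET['page']) ? (string) $_GET['page'] : 'about';
if (!preg_match('/^[a-z]{1,20}$/', $key)) {
    $key = 'about';
}

include 'header.php';             // assumed site header, as the add-on does
echo load_page($key, PAGES_DIR);
include 'footer.php';             // assumed site footer
```

Because the filesystem path is built entirely from constants and the switch result, a request such as `?page=../../config.php` can only ever hit the default case; the realpath check is there so that the script stays inside pages/ even if the whitelist is edited carelessly later.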
Yeah... I should go ahead and make it a module... may as well, seeing all the problems with that one stupid file.
And I know it's a real problem... I was informed on my site as well, and checked a link... and sure enuff, it showed everything about my site... Like the viewpage.php?file=ect/pass/ or something... So I deleted it from my site, and posted a notice about it.