Nuke Cops :: View topic - Security flaws in PHPNuke 7.4

maxout
Posted: Wed Sep 08, 2004 7:50 pm

One of our members is obsessed with security; he posted this on our forum.
I would like to ask professional people if he is right.

Quote:
Post subject: Security flaws in PHPNuke 7.4

A number of nasty security bugs were found in PHPNuke v7.4, and may still be active in 7.5 involving SQL injection that allows any visitor to:

1) Gain admin access for himself
2) View details on any admin
3) Delete any admin
4) Add a message with arbitrary contents
5) Delete any message

All of the bugs seem to derive from the same injection point, and the current suggested workaround is to edit auth.php, somewhere around line 61, which by default has a line like:

Code:
if ($aid=="" || $pwd=="") {


... and add just before it a line reading:

Code:
$aid = addslashes($aid);


If that is true, what is the best option to fix this problem?
Thank you for any help.
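
The workaround quoted above, extended into a fuller fix, as an added example that is not part of the original post and not PHP-Nuke's own code: it validates the admin name against an allow-list and looks it up with a bound parameter instead of concatenating it into SQL. The `nuke_authors` table, its `aid` and `pwd` columns, the `base64("aid:pwd:language")` cookie layout and the function names are assumptions for illustration; the sample data is constructed.

```php
<?php
// Added illustration, not PHP-Nuke source. The table, columns and cookie
// layout below are assumptions; the sample data is constructed.

// Split an admin cookie assumed to be base64("aid:pwd:language").
function parse_admin_cookie(string $cookie): ?array
{
    $raw = base64_decode($cookie, true);   // strict mode: false on bad input
    if ($raw === false) {
        return null;
    }
    $parts = explode(':', $raw, 3);
    if (count($parts) < 2 || $parts[0] === '' || $parts[1] === '') {
        return null;                       // same empty check as auth.php
    }
    return ['aid' => $parts[0], 'pwd' => $parts[1]];
}

// Allow-list: only plain account names ever reach the database layer.
function valid_aid(string $aid): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,25}\z/', $aid) === 1;
}

// Bound parameter: $aid is sent as data and never parsed as SQL.
function is_admin(PDO $db, string $cookie): bool
{
    $c = parse_admin_cookie($cookie);
    if ($c === null || !valid_aid($c['aid'])) {
        return false;
    }
    $st = $db->prepare('SELECT pwd FROM nuke_authors WHERE aid = ?');
    $st->execute([$c['aid']]);
    $stored = $st->fetchColumn();
    return is_string($stored) && hash_equals($stored, $c['pwd']);
}

$db = new PDO('sqlite::memory:');          // constructed in-memory sample
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE nuke_authors (aid TEXT PRIMARY KEY, pwd TEXT)');
$db->prepare('INSERT INTO nuke_authors VALUES (?, ?)')
   ->execute(['webmaster', 'constructed-hash-value']);

$good   = base64_encode('webmaster:constructed-hash-value:english');
$quoted = base64_encode("web'master:x:english");  // aid with a quote in it

var_dump(is_admin($db, $good));       // known admin, matching stored value
var_dump(is_admin($db, $quoted));     // stopped by valid_aid(), no query run
var_dump(addslashes("web'master"));   // the workaround applied to that aid
```

`addslashes()` only backslash-escapes quotes, backslashes and NUL bytes and knows nothing about the connection character set, so treat it as a stopgap; the bound parameter keeps `$aid` out of the SQL text entirely.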

maxout
Posted: Thu Sep 09, 2004 8:10 pm

Anyone?

russ
Posted: Wed Sep 29, 2004 2:54 pm

Yep, that's the awful truth. Have you tried something like CPG-Nuke or Mambo, even Xoops? They are a lot safer, but a bit more challenging

Evaders99
Posted: Wed Sep 29, 2004 3:18 pm

Security addons such as Admin Secure will prevent such admin attacks. As well, I believe these are fixed in the latest Patched files - http://www.nukefixes.com

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding

russ
Posted: Wed Sep 29, 2004 3:33 pm

Correct, but this does not secure the complete site. Portals like I mentioned above have clean coding, and set the standard for security and even speed

chatserv
Posted: Wed Sep 29, 2004 3:53 pm

Nothing is 100% secure, if it's in the net it can be attacked. Xoops and Mambo have both been listed in so called security sites, the other one is not yet popular enough to be attacked.

_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources

russ
Posted: Wed Sep 29, 2004 4:03 pm

I agree with you except for what you said about CPG-Nuke. Just by looking at their site, you can tell that it's becoming quite popular, with over 2,000 members and more than 19,000 downloads. That's pretty good for a project that started less than a year ago. It's not that CPG-Nuke hasn't fallen victim to hack attempts, because it has, on cpgnuke.com and on user sites. But so far, nobody has been able to get past...

chatserv
Posted: Wed Sep 29, 2004 4:08 pm

When it reaches numbers like those on phpnuke.org postnuke.com and others it'll have made it, but yep it's a good fork and has talented people behind it.
