Ravens PHP Scripts: Forums
 

 

SmackDaddy
Involved


Joined: Jun 02, 2004
Posts: 268
Location: Englewood, OH

Posted: Tue Jun 08, 2004 6:54 am

After applying the Sec-Fix 7.3 update(s), I now get the following error message when going to my site:

You can't access this file directly...

What went wrong and how do I fix it?
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

Posted: Tue Jun 08, 2004 7:18 am

Restore from your backups and Chat will respond, I'm sure.
 
SmackDaddy
Posted: Tue Jun 08, 2004 7:52 am

In restoring my site, I kept refreshing until I could get the index.php to show and the problem seemed to be with the module "News"....
 
porcupinepc
Involved


Joined: Sep 20, 2003
Posts: 261
Location: Schumacher, Ontario CANADA

Posted: Tue Jun 08, 2004 8:04 am

I too had problems after installing this update. My site was toast. All I did was delete the News module and install a fresh one. Now the only problem I see is the Sentinel module.

Here's what shows:

· 202.156.2.114 - _AB_REASON1A

--------------------------------------------------------------------------------

_AB_ABUSEBLOCKER 1.2.0

It looks to be a language module?

Joe
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

Posted: Tue Jun 08, 2004 8:09 am

Checking into this, I'll post shortly.
 
SmackDaddy
Posted: Tue Jun 08, 2004 8:09 am

In doing a check of the files between 7.3 (unpatched) and sec-fix 7.3, I noticed the following:

comments.php didn't have the following code, and now it does:

Code:


if (!eregi("modules.php", $_SERVER['SCRIPT_NAME'])) {
   die ("You can't access this file directly...");
}


Maybe comments.php shouldn't have that code added?
 
chatserv
Posted: Tue Jun 08, 2004 8:17 am

It seems I need to apply some more fixes after looking at a security report given to me by Raven (yes, school's out). Regarding the issue discussed here: upload all modules except the one you have set as the home module, which most likely will be the News module. You can upload all of its files except its index.php file; the module one sets as home module does not get modules.php passed through its URL, hence the "You can't access this file directly...".
 
SmackDaddy
Posted: Tue Jun 08, 2004 8:22 am

So if News is the main module on our front page, then upload everything except for modules/News/index.php ?!? Is that correct?
 
chatserv
Posted: Tue Jun 08, 2004 8:29 am

Exactly
 
porcupinepc
Posted: Tue Jun 08, 2004 9:25 am

chatserv

My language file is ok now. Somehow it got overwritten. My mistake. I've also upgraded with the above fixes and did like you mentioned. Upload everything except modules/news/index.php

System seems AOK

Joe
 
chatserv
Posted: Tue Jun 08, 2004 9:32 am

The Forum files were removed from the patch, they were not required.
 
SmackDaddy
Posted: Tue Jun 08, 2004 9:54 am

porcupinepc wrote:
chatserv

My language file is ok now. Somehow it got overwritten. My mistake. I've also upgraded with the above fixes and did like you mentioned. Upload everything except modules/news/index.php

System seems AOK

Joe


Confirming the same as Porcupinepc.....

Thanks for your quick response Chatserv!
 
chatserv
Posted: Tue Jun 08, 2004 10:32 am

Question though, why did your lang file get replaced? The patch does not include any language files.
 
porcupinepc
Posted: Tue Jun 08, 2004 10:38 am

I must have overwritten it somehow without noticing it. It was entirely my mistake. Thank goodness for backups.

Joe
 
porcupinepc
Posted: Tue Jun 08, 2004 10:40 am

I just noticed something. After I posted the last message, I tried getting into the forums on my site and I got the following error:

Parse error: parse error in /usr/local/psa/home/vhosts/porcupinepc.com/httpdocs/nuke/modules/Forums/index.php on line 61

Joe
 
chatserv
Posted: Tue Jun 08, 2004 10:42 am

The forum files were removed from the patch, reupload your original ones.
 
chatserv
Posted: Tue Jun 08, 2004 1:26 pm

After checking the files I found out why having the SCRIPT_NAME on the homepage module returned a "You can't access this file directly..." message:
Open Nuke's main index.php file and find:
Code:
$_SERVER['PHP_SELF'] = "modules.php";

replace with:
Code:
$_SERVER['SCRIPT_NAME'] = "modules.php";
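
Added example (not part of chatserv's post and not PHP-Nuke code): a stand-alone PHP sketch of why the guard rejected the home module until index.php overrode SCRIPT_NAME instead of PHP_SELF. The function names and request values are constructed for illustration, and stripos() stands in for eregi(), which PHP 7 removed.

```php
<?php
// Added illustration; not PHP-Nuke source. Request values are constructed.

// The Sec-Fix guard from this thread, with stripos() standing in for
// eregi() (removed in PHP 7). Returns true when the module may run.
function guard_passes(array $server)
{
    $script = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '';
    return stripos($script, 'modules.php') !== false;
}

// Simulate the main index.php loading the home module. $override is the
// $_SERVER key that index.php rewrites before including the module's
// index.php (hypothetical helper; the real file does this inline).
function home_page_request($override)
{
    $server = array(
        'SCRIPT_NAME' => '/index.php',
        'PHP_SELF'    => '/index.php',
    );
    $server[$override] = 'modules.php';
    return guard_passes($server);
}

$cases = array(
    // Normal module request: the script really is modules.php.
    'via modules.php?name=News'       => guard_passes(array('SCRIPT_NAME' => '/modules.php')),
    // Direct request to the module file: what the guard is meant to stop.
    'direct modules/News/index.php'   => guard_passes(array('SCRIPT_NAME' => '/modules/News/index.php')),
    // Home page before the fix: index.php rewrites the key the guard never reads.
    'home page, PHP_SELF override'    => home_page_request('PHP_SELF'),
    // Home page after the fix: index.php rewrites the key the guard checks.
    'home page, SCRIPT_NAME override' => home_page_request('SCRIPT_NAME'),
);

foreach ($cases as $label => $ok) {
    printf("%-34s %s\n", $label, $ok ? 'module runs' : "You can't access this file directly...");
}
```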
 
porcupinepc
Posted: Tue Jun 08, 2004 2:30 pm

chatserv wrote:
After checking the files I found out why having the SCRIPT_NAME on the homepage module returned a "You can't access this file directly..." message:
Open Nuke's main index.php file and find:
Code:
$_SERVER['PHP_SELF'] = "modules.php";

replace with:
Code:
$_SERVER['SCRIPT_NAME'] = "modules.php";


Is this code that has to be added after the 7.3 update?
I edited this file and afterwards I got the "can't access......"

Joe
 
chatserv
Posted: Tue Jun 08, 2004 2:39 pm

Remember to edit the News module's index file again, we had removed the code from it before but it was now restored.
 
porcupinepc
Posted: Tue Jun 08, 2004 2:50 pm

I replaced $_SERVER['PHP_SELF'] = "modules.php";
with $_SERVER['SCRIPT_NAME'] = "modules.php";
then copied over the index.php from the 7.3 update (news/index.php), all is well.

That's all we have to do or do we edit the index.php?

Joe
 
chatserv
Posted: Tue Jun 08, 2004 3:32 pm

If you can view your homepage then that is all.
 
porcupinepc
Posted: Tue Jun 08, 2004 3:39 pm

ok thanks

Joe
 
SmackDaddy
Posted: Tue Jun 08, 2004 5:03 pm

chatserv wrote:
Question though, why did your lang file get replaced? The patch does not include any language files.


I should have been a bit more clear, I didn't have a problem with my language files like porcupinepc, but was just confirming the initial "fix" worked for me.

Now, I have edited index.php as instructed, and re-uploaded modules/News/index.php and things work fine! I suspect porcupine's issue with the forum on line 61 was exactly the same as mine where replacing all _SERVER=['PHP_SELF'])) { code had resulted in some extra commas and a couple extra (( when replaced.... (was weird, but.....when I fixed that, my forums worked, although as Chat said, Forum files don't need updating)
 
Jeruvy
New Member


Joined: Jul 29, 2003
Posts: 9

Posted: Tue Jun 22, 2004 11:06 am

I'm still having trouble with this, and the above suggestions don't fix it.
 
chatserv
Posted: Tue Jun 22, 2004 12:51 pm

Zip your main index.php file and the index of the module you have as homepage module and post a download URL.
 
All times are GMT - 6 Hours
 