Ravens PHP Scripts: Forums
 

 

ring_c
Involved



Joined: Dec 28, 2003
Posts: 276
Location: Israel

Posted: Mon Oct 25, 2004 4:02 am

According to PHP-Nuke HowTo's cookie hijack section (23.4.5.1), I was trying to change the default time for admin's cookie. The code to be changed in include/auth.php, given there, is:

Code:
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
    if ($aid != "" AND $pwd != "") {
        $pwd = md5($pwd);
        $result = sql_query("select pwd, admlanguage from ".$prefix."_authors where aid='$aid'", $dbi);
        list($pass, $admlanguage) = sql_fetch_row($result, $dbi);
        if ($pass == $pwd) {
            // Cookie value is base64("aid:md5(password):language"); lifetime is 7200 seconds
            $admin = base64_encode("$aid:$pwd:$admlanguage");
            setcookie("admin", "$admin",time()+7200);
            unset($op);
        }
    }
}


I'm using PhpNuke v6.7 and couldn't find anything like this one.
Any help would be appreciated.
 
djmaze
Subject Matter Expert



Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv

Posted: Mon Oct 25, 2004 5:15 am

just search for
Code:
setcookie("admin",
or
Code:
setcookie('admin',


And when you're at it, maybe you want to change all the calls to something like
Code:
setcookie("my_admin_system",
then open mainfile.php and in the top below
Code:
if (!ini_get("register_globals")) {
    import_request_variables('GPC');
}
you add
Code:
if (isset($_COOKIE['my_admin_system'])) {
    $admin = $_COOKIE['my_admin_system'];
} else {
    unset($admin);
}

this results in
Code:
if (!ini_get("register_globals")) {
    import_request_variables('GPC');
}
if (isset($_COOKIE['my_admin_system'])) {
    $admin = $_COOKIE['my_admin_system'];
} else {
    unset($admin);
}


Why? A lot of hackers try to get into your site through the $admin variable.
PHP-Nuke is so badly coded that hackers have a 90% chance to succeed.
With the above hack their chance is reduced to 30% because they have to guess your cookie name and they can't throw GET and POST commands at your site anymore.

I don't need a thing in return for this info except I'd like to see you here again and support Raven, Chatserv and Bob Marion and put phpnuke.org on your "denied access list" or something.
 
View user's profile Send private message Visit poster's website
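Added example, not part of DJMaze's post or of PHP-Nuke: a small PHP emulation of the 'GPC' import discussed above, showing which request sources can populate `$admin` before and after the mainfile.php change. The function names and request values are constructed for illustration, and `array_merge` stands in for `import_request_variables`, which was removed in PHP 5.4.

```php
<?php
// Added illustration, not PHP-Nuke code. Emulates what
// import_request_variables('GPC') did: copy GET, then POST, then COOKIE
// values into plain variables, later sources overwriting earlier ones.
function importGpc(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// Original behaviour: $admin is whatever the import produced.
function adminFromGlobals(array $get, array $post, array $cookie): ?string
{
    $vars = importGpc($get, $post, $cookie);
    return isset($vars['admin']) ? (string) $vars['admin'] : null;
}

// Behaviour after the mainfile.php change: only the renamed cookie counts.
function adminFromCookieOnly(array $get, array $post, array $cookie,
                             string $cookieName = 'my_admin_system'): ?string
{
    $vars = importGpc($get, $post, $cookie);   // the import still runs first
    if (isset($cookie[$cookieName])) {
        $vars['admin'] = (string) $cookie[$cookieName];
    } else {
        unset($vars['admin']);                 // discard any GET/POST-supplied value
    }
    return $vars['admin'] ?? null;
}

// Constructed requests as [GET, POST, COOKIE]; placeholder values only.
$requests = [
    'query string only' => [['admin' => 'from-get'], [], []],
    'form post only'    => [[], ['admin' => 'from-post'], []],
    'old cookie name'   => [[], [], ['admin' => 'from-cookie']],
    'renamed cookie'    => [['admin' => 'from-get'], [], ['my_admin_system' => 'from-cookie']],
];

foreach ($requests as $label => [$get, $post, $cookie]) {
    printf("%-18s before=%-14s after=%s\n", $label,
        var_export(adminFromGlobals($get, $post, $cookie), true),
        var_export(adminFromCookieOnly($get, $post, $cookie), true));
}
```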
ring_c







Posted: Mon Oct 25, 2004 6:16 am

DJMaze wrote:
just search for
Code:
setcookie("admin",
or
Code:
setcookie('admin',


And when you're at it, maybe you want to change all the calls to something like
Code:
setcookie("my_admin_system",

Sad no setcookie anywhere.
Wait, here's the full code:

Code:
<?php

/***************************************************************************
 *                                 auth.php
 *                            -------------------                         
 *   begin                : Saturday, Feb 13, 2001
 *   copyright            : (C) 2001 The phpBB Group       
 *   email                : [ Only registered users can see links on this board! Get registered or login! ]                           
 *                                                         
 *   $Id: auth.php,v 1.37.2.2 2002/12/22 18:46:26 psotfx Exp $                                                           
 *                                                           
 *
 ***************************************************************************/
/***************************************************************************
* phpbb2 forums port version 2.1 (c) 2003 - Nuke Cops (http://nukecops.com)


DJMaze wrote:
I don't need a thing in return for this info except I'd like to see you here again and support Raven, Chatserv and Bob Marion and put phpnuke.org on your "denied access list" or something.

What do you mean by adding phpnuke.org to my "denied access list"?

Admin: Since the code was long and was not the correct code, I have deleted all but the descriptive heading to show what it was.
 
djmaze







Posted: Mon Oct 25, 2004 10:00 am

The auth.php you show is from the forums and is the wrong one.
Look a bit better in your nuke distribution, then you will find another.

If you don't understand "denied access list" then sorry, I'm not going to explain and start another useless topic with shouting.
I've limited phpnuke support and only serve Raven, Chatserv and Bob by providing security tips, etc. Period.
 
beetraham
Regular



Joined: Dec 13, 2003
Posts: 94
Location: Finland (EU)

Posted: Mon Oct 25, 2004 10:43 am

ring_c wrote:

According to PHP-Nuke HowTo's cookie hijack section (23.4.5.1), I was trying to change the default time for admin's cookie. The code to be changed in include/auth.php, given there, is:

Code:
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
    if ($aid != "" AND $pwd != "") {
        $pwd = md5($pwd);
        $result = sql_query("select pwd, admlanguage from ".$prefix."_authors where aid='$aid'", $dbi);
        list($pass, $admlanguage) = sql_fetch_row($result, $dbi);
        if ($pass == $pwd) {
            // Cookie value is base64("aid:md5(password):language"); lifetime is 7200 seconds
            $admin = base64_encode("$aid:$pwd:$admlanguage");
            setcookie("admin", "$admin",time()+7200);
            unset($op);
        }
    }
}


I'm using PhpNuke v6.7 and couldn't find anything like this one.
Any help would be appreciated.


Cheers,

The *auth.php* that you were searching for is indeed not the one found under folder *$NUKEROOT/includes/* - instead, it's the one that can be found under the *$NUKEROOT/*.

Now, as you have located the file, you have basically (2) main options regarding the (non-advanced) basic modification approach :

(1) to alter the maximum lifetime of admin session (=> your active session lengths as an admin will be altered regarding the system required re-login procedures)

EXAMPLE:

ORIGINAL:
Code:


            setcookie("admin", "$admin",time()+7200);


MODIFIED:
Code:


            setcookie("admin", "$admin",time()+1800);




(2) to remove totally the admin cookie lifetime declaration (=> your admin session will be destroyed as soon as you close your browser window)

EXAMPLE:

ORIGINAL:
Code:


            setcookie("admin", "$admin",time()+7200);


MODIFIED:
Code:


            setcookie("admin", "$admin");


Hope this helps a bit.

BR,

-beetraham

_________________
- Let there be no windows at your home - 
View user's profile Send private message
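Added example, not part of beetraham's post or of PHP-Nuke: the expiry passed to setcookie() is only an instruction to the browser, and the value built in the quoted code (base64 of aid:md5 hash:language) contains nothing the server can use to tell an old cookie from a fresh one. The code below puts an expiry and an HMAC inside the value so the server enforces the lifetime itself; `SECRET_KEY`, the function names and the sample account are assumptions.

```php
<?php
// Added illustration, not PHP-Nuke code. SECRET_KEY and all function names
// are assumptions; the aid/hash/language fields follow the thread's format.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';

// Build a cookie value that carries its own expiry plus an HMAC over it.
function issueAdminToken(string $aid, string $pwdHash, string $lang,
                         int $ttl, int $now): string
{
    $payload = implode(':', [$aid, $pwdHash, $lang, $now + $ttl]);
    $mac = hash_hmac('sha256', $payload, SECRET_KEY);
    return base64_encode($payload . ':' . $mac);
}

// Return the decoded fields, or null if the token is malformed, modified or expired.
function checkAdminToken(string $token, int $now): ?array
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    $parts = explode(':', $raw);
    if (count($parts) !== 5) {             // also rejects fields containing ':'
        return null;
    }
    [$aid, $pwdHash, $lang, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', implode(':', [$aid, $pwdHash, $lang, $expires]), SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;                       // value was altered, e.g. expiry edited
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                       // past the server-side lifetime
    }
    return ['aid' => $aid, 'pwd' => $pwdHash, 'lang' => $lang];
}

// Constructed sample: 1800-second lifetime, as in option (1).
$t0    = 1098700000;
$token = issueAdminToken('admin1', md5('constructed-password'), 'english', 1800, $t0);

var_dump(checkAdminToken($token, $t0 + 600) !== null);    // presented within the lifetime
var_dump(checkAdminToken($token, $t0 + 3600) !== null);   // same value presented after expiry
// setcookie('admin', $token);  // no expiry argument: session cookie, as in option (2)
```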
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Mon Oct 25, 2004 11:02 am

DJMaze wrote:
The auth.php you show is from the forums and is the wrong one.
Look a bit better in your nuke distribution, then you will find another.

If you don't understand "denied access list" then sorry, I'm not going to explain and start another useless topic with shouting.
I've limited phpnuke support and only serve Raven, Chatserv and Bob by providing security tips, etc. Period.
Exclamation And you are a welcomed addition here, for sure. Your knowledge of nuke is most valuable! I really like cpgnuke but have too much invested in phpnuke to warrant me personally changing. I have hardened my 6.9 site and tweaked and poked it ad nauseam. But, I respect you and your product and that is why I am now delivering your headlines here Wink
 
djmaze







Posted: Mon Oct 25, 2004 12:56 pm

Raven wrote:
And you are a welcomed addition here, for sure. Your knowledge of nuke is most valuable! I really like cpgnuke but have too much invested in phpnuke to warrant me personally changing. I have hardened my 6.9 site and tweaked and poked it ad nauseam. But, I respect you and your product and that is why I am now delivering your headlines here


Thanks Raven, I'm just giving some things back to you guys Wink
I don't mind helping over here and giving some valuable security tips to people that invest in phpnuke.

Isn't GPL about respect, give and take ?

Maybe I was a bit grumpy in the above posts, but who is to blame? People on a different site make you that way?
I decided long ago to stop phpnuke support, and my accounts at NC and phpnuke.org are blocked.
But I just can't live with the feeling that other systems like Mambo, Xoops and CPG have so much more security power and due to that people avoid it because they don't understand it and then get hacked.

So once in a while you will find a fix or security measurement.
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

Posted: Tue Feb 15, 2005 2:01 am

I hope Raven doesn't mind me pointing to something I've been working on: [ Only registered users can see links on this board! Get registered or login! ]

Basically it changes the setcookies to read from the Forums config, allowing you to use a defined cookie_domain, cookie_path, etc.

Still some problems because the authorization is checked before any database queries. But I just put it in as hardcoded cookie_name for now.

Tell me if this works, if anyone else has done this, or has a better version to apply to the phpNuke system.

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
Raven







Posted: Tue Feb 15, 2005 8:01 am

Of course not! This site is for the community and not for me. Any and all submissions are welcome as long as they promote and don't tear down. I have never been driven by jealousy or ego. And I don't consider it "spamming" to reference another site as I have been accused of when I post a link here.
 
djdiz-e
Regular



Joined: Dec 19, 2004
Posts: 51
Location: Ontario, Canada

Posted: Tue Feb 15, 2005 4:46 pm

beetraham wrote:

(2) to remove totally the admin cookie lifetime declaration (=> your admin session will be destroyed as soon as you close your browser window)

EXAMPLE:

ORIGINAL:
Code:


            setcookie("admin", "$admin",time()+7200);


MODIFIED:
Code:


            setcookie("admin", "$admin");


Hope this helps a bit.

BR,

-beetraham

EDIT: also I edited auth.php & mainfile as noted above with my_admin in place of admin for the cookie

I tried that and now Sentinel keeps blocking every time I click something in the admin page... does it work with Sentinel?
 
Raven







Posted: Tue Feb 15, 2005 8:08 pm

Are you saying that you have renamed the admin cookie to my_admin?
 
djdiz-e







Posted: Wed Feb 16, 2005 12:07 am

I used this... exactly as DJMaze posted
Code:
setcookie("my_admin_system",
 
djdiz-e







Posted: Sat Feb 19, 2005 11:59 am

OK, well, it doesn't seem like anyone is going to answer my last post so I'll ask this.

I restored the original files and tried it again, but this time only
removing the cookie lifetime, and it works fine.

So is this good enough to reduce the chance of a cookie hijack?
 
Raven







Posted: Sat Feb 19, 2005 12:11 pm

Sorry, we have been a bit busy lately Laughing We try to answer as many as we can but some get missed, especially when they roll off the radar. Most users will issue a *BUMP* before crucifying us Wink
 
djdiz-e







Posted: Sun Feb 20, 2005 6:02 am

Raven wrote:
Sorry, we have been a bit busy lately Laughing We try to answer as many as we can but some get missed, especially when they roll off the radar. Most users will issue a *BUMP* before crucifying us Wink


It's OK... I still think you guys rock Smile
 
djmaze







Posted: Sun Feb 20, 2005 2:28 pm

To my knowledge Sentinel does check for "admin", which makes it incompatible with my admin prevention.
Also the info was based on 6.x and early 7.x systems.

The latest versions and Sentinel do check "admin" more often than you press the "next" button of your TV remote Laughing

If people are still interested in changing the cookie name, someone should rewrite the tutorial for the latest systems Wink
 
djdiz-e







Posted: Mon Feb 21, 2005 4:08 am

That's the only button on my remote that's worn out Laughing
 
All times are GMT - 6 Hours
 