Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Tue Oct 14, 2003 9:18 pm Reply with quote

To fix the admin.php security exploit, you need to edit auth.php (yes, that's right - auth.php). Your beginning code in auth.php will look something like this
Code:
<?php


/************************************************************************/
/* PHP-NUKE: Advanced Content Management System                         */
/* ============================================                         */
/*                                                                      */
/* Copyright (c) 2002 by Francisco Burzi                                */
/* http://phpnuke.org                                                   */
/*                                                                      */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License.       */
/************************************************************************/

require_once("mainfile.php");

if (eregi("auth.php",$_SERVER['PHP_SELF'])) {
    Header("Location: index.php");
    die();
}

if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
Modify it to this
Code:
<?php


/************************************************************************/
/* PHP-NUKE: Advanced Content Management System                         */
/* ============================================                         */
/*                                                                      */
/* Copyright (c) 2002 by Francisco Burzi                                */
/* http://phpnuke.org                                                   */
/*                                                                      */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License.       */
/************************************************************************/

require_once("mainfile.php");

if (eregi("auth.php",$_SERVER['PHP_SELF'])) {
    Header("Location: index.php");
    die();
}

if (ereg("[^a-zA-Z0-9_-]",trim($aid))) {
   die("Begone");
}
$aid = substr("$aid", 0,25);
$pwd = substr("$pwd", 0,18);

if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
 
View user's profile Send private message
Anubis_The_Jackal
Court Jester


Joined: Sep 20, 2003
Posts: 106

PostPosted: Tue Oct 14, 2003 10:07 pm Reply with quote

does this affect all versions?
 
View user's profile Send private message Send e-mail
Raven
PostPosted: Tue Oct 14, 2003 10:10 pm Reply with quote

My guess is that all versions are affected by all of these exploits.
 
Anubis_The_Jackal
PostPosted: Tue Oct 14, 2003 10:20 pm Reply with quote

what "could" be accessed from it (updating site as I type)?

and how serious would this be, like on a scale of one to five?
 
Raven
PostPosted: Tue Oct 14, 2003 10:23 pm Reply with quote

My understanding is that it allows a person to enter an entry into the authors table, thereby making himself an Admin with full rights <heavy sigh>. Need I say more?
 
Anubis_The_Jackal
PostPosted: Tue Oct 14, 2003 10:28 pm Reply with quote

ahh, so thats how that happened to me. maybe. so many holes. on mafiamods someone made themselfs an admin, and began doing all kinds of stuf to the site, lucky for my i caught it, and deleted them directly from the mysql database. It happened a long time ago, and was one of the co-admins friends. this is when the site was running 6.5, so, hopefully this prevents more "odd" things happening.
 
Raven
PostPosted: Tue Oct 14, 2003 10:31 pm Reply with quote

It is also suspected that they use the exploit to make themself an admin. Then they change the password of a real admin, thereby hijacking a real admin user. They then delete their original admin account and then wreck havoc under the real admin user.
 
Anubis_The_Jackal
PostPosted: Tue Oct 14, 2003 10:35 pm Reply with quote

is there a way to make a *god admins password only changeable by that admin? It is scary if a non *god super user can change a *god's password. It would be a wonderfull thing to have *god admins have their own admin area, where normal admins could not access without a third password.

sor of like an executive washroom. or something.
 
Raven
PostPosted: Tue Oct 14, 2003 10:37 pm Reply with quote

That could be done but that would still not stop this sort of thing.
 
Anubis_The_Jackal
PostPosted: Tue Oct 14, 2003 10:45 pm Reply with quote

i wish there was another more secure method for admins, like an admin account that is invisable to everyone. and unaccesable to everyone but that admin. sort of like, well, a high security admin account that would take decades to get through or to find an exploit.
 
Frogger
Worker
Worker


Joined: Oct 06, 2003
Posts: 108

PostPosted: Wed Oct 15, 2003 3:35 pm Reply with quote

I added the fix from Only registered users can see links on this board! Get registered or login!
with no problems, but when adding this fix, as well I keep getting parse errors.

Obviously, I am not putting it in the right place.

Could you demonstrate it for a dummy, please? Embarassed

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website Yahoo Messenger ICQ Number
Raven
PostPosted: Wed Oct 15, 2003 5:28 pm Reply with quote

If you did a straight copy and paste, the $nastyGram variable is probably split on the lines. Make sure it is a continuous statement with no line breaks. If you just downloaded my 6.9 though, that fix is already in there Wink
 
msimonds
Regular
Regular


Joined: Jul 15, 2003
Posts: 56
Location: Dallas

PostPosted: Thu Oct 16, 2003 9:24 am Reply with quote

i have this from the other admin security fix:


Code:
<?php



/************************************************************************/
/* PHP-NUKE: Advanced Content Management System                         */
/* ============================================                         */
/*                                                                      */
/* Copyright (c) 2002 by Francisco Burzi                                */
/* http://phpnuke.org                                                   */
/*                                                                      */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License.       */
/************************************************************************/


$url = getenv("REQUEST_URI");

if (preg_match("/\?admin/", "$url")) {
die("You have been logged and will be investigated for this hacking attempt.  Thanks for giving me your information");
}
require_once("mainfile.php");
get_lang(admin);

function create_first($name, $url, $email, $pwd, $user_new) {
    global $prefix, $db, $user_prefix;
    $first = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors"));
    if ($first == 0) {
        $pwd = md5($pwd);
        $the_adm = "God";
        $sql = "INSERT INTO ".$prefix."_authors VALUES ('$name', '$the_adm', '$url', '$email', '$pwd', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '1', '')";
        $db->sql_query($sql);
        if ($user_new == 1) {
            $user_regdate = date("M d, Y");
            $user_avatar = "blank.gif";
            $commentlimit = 4096;
            if ($url == "http://") { $url = ""; }
            $sql = "INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_lang, user_dateformat) VALUES (NULL,'$name','$email','$url','$user_avatar','$user_regdate','$pwd','$Default_Theme','$commentlimit','english','D M d, Y g:i a')";
            $db->sql_query($sql);
        }
        login();
    }
}




what is the proper way to intergrate this into this change:

Code:
<?php 


/************************************************************************/
/* PHP-NUKE: Advanced Content Management System                         */
/* ============================================                         */
/*                                                                      */
/* Copyright (c) 2002 by Francisco Burzi                                */
/* http://phpnuke.org                                                   */
/*                                                                      */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License.       */
/************************************************************************/

require_once("mainfile.php");

if (eregi("auth.php",$_SERVER['PHP_SELF'])) {
    Header("Location: index.php");
    die();
}

if (ereg("[^a-zA-Z0-9_-]",trim($aid))) {
   die("Begone");
}
$aid = substr("$aid", 0,25);
$pwd = substr("$pwd", 0,18);

if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {



cannot figure this one out!!
 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger
msimonds
PostPosted: Thu Oct 16, 2003 9:34 am Reply with quote

nevermind, i am just dumb, got it, thanks fury
 
Raven
PostPosted: Thu Oct 16, 2003 9:37 am Reply with quote

You do not want to use that fix you are using. It will break the downloads module and something else (I can't remember). I suggest you use mine instead.
 
Johan1982
New Member
New Member


Joined: Oct 23, 2003
Posts: 24

PostPosted: Thu Oct 23, 2003 5:00 pm Reply with quote

Use Nuke 6.0 and I used that patch, my surprise is that it does not let administer the Site to me, appears me the message of "Begone" and I cannot enter the Menu of Administration how is possible to be adapted that fix for Nuke 6.0?
 
View user's profile Send private message
Raven
PostPosted: Thu Oct 23, 2003 5:24 pm Reply with quote

If this is the code you're talking about
Code:
if (ereg("[^a-zA-Z0-9_-]",trim($aid))) { 

   die("Begone");
}
Then it would imply that your admin username may have other characters in it than
a-z
A-Z
0-9
_
-

Is that the case?
 
Johan1982
PostPosted: Thu Oct 23, 2003 10:48 pm Reply with quote

It does not have them, but my Admin username has a space, that patch simply blocks the access to the administration of the Site, reason why nonuse that patch.

Nuke 6.0 has that vulnerability? how I can cause that that patch works to me, that does not block me to me
 
Raven
PostPosted: Fri Oct 24, 2003 4:42 am Reply with quote

You misunderstand. This patch ONLY allows those characters. A space is NOT allowed so that is why it is failing. Try this
Code:
if (ereg("[^a-zA-Z0-9_\s-]",trim($aid))) { 

   die("Begone");
}
I didn't test it but I think that should work.
 
Johan1982
PostPosted: Fri Oct 24, 2003 9:19 am Reply with quote

I already proved, and the result was the same one, it appears to me "Begone" and it is impossible to administer the Site.

My Admin username is Nacional Olimpia
 
Johan1982
PostPosted: Fri Oct 24, 2003 9:22 am Reply with quote

Yes that seems that the Space causes the failure, but I do not want to change that nick, how I can do it without it affects the space to me? Question
 
Raven
PostPosted: Fri Oct 24, 2003 9:23 am Reply with quote

This should work
Code:
if (ereg("[^a-zA-Z0-9_ -]",trim($aid))) { 

   die("Begone");
}
 
Johan1982
PostPosted: Fri Oct 24, 2003 9:36 am Reply with quote

Thank you very much, now yes it works to me, I even sent the news and everything seems to go perfectly, I will continue proving in case there is some problem of what treats that bug?

Cool Greetings
 
TheosEleos
Life Cycles Becoming CPU Cycles


Joined: Sep 18, 2003
Posts: 960
Location: Missouri

PostPosted: Mon Oct 27, 2003 2:22 pm Reply with quote

Mine got broke also Raven.

My admin name is Pro[pH]et so it is probably the brackets that did it. Can you give me some code for that?

Also, could either of these security fixes affect user registration in any way? I got a report that registration was broke right after applying these two fixes.

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website AIM Address ICQ Number
Raven
PostPosted: Mon Oct 27, 2003 2:29 pm Reply with quote

Code:
if (ereg("[^a-zA-Z0-9_ -\[\]]",trim($aid))) {

   die("Begone");
}
I can't think of any way this would 'break' user registration unless names were entered with symbols not in this string.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©