| Author |
Message |
djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv
|
 Posted:
Thu Nov 18, 2004 12:52 am |
|
Someone fixes a security bug and what does FB do ?
Create a bigger hole in the system 
You wanna have an example ?
k here goes:
admin/modules/authors.php
Code:global $prefix, $db, $admin_file;
if (!eregi("".$admin_file.".php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
|
Now call that file thru sometihng like:
mydomain.com/admin/modules/authors.php?admin_file=authors
GOOD LUCK !!!! |
| |
|
 
|
|
djmaze
|
| Posted:
Thu Nov 18, 2004 12:57 am |
|
Oh another example:
admin.php
normaly it loads mainfile.php first, but now it does some variable checks first.
Now my server php.ini is setup without "register_globals" so they don't exist (yet)
And it bypasses all useless security measurements.
Then mainfile.php "fakes" register_globals by defining everything (also my url constructed variables)
Then i have a lot of luck hacking around. |
| |
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Thu Nov 18, 2004 3:06 am |
|
In addition, the code at the beginning of mainfile.php appears to let you include a mainfile.php file of your choosing. That's not the case. You can only include code that does not already exist in mainfile.php. PHP does not allow 'overloading' of functions. And what good does it do to have that code at the top? Anything you add can only be code that mainfile would use to start with. |
| |
|
|
|
|
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
|
| Posted:
Thu Nov 18, 2004 3:29 am |
|
FB did that little thing to a couple of other files as well because of the edits that NukeSentinel(tm), NSN, and other script devs use. He wants us to conform to his way of thinking again  |
_________________
Bob Marion
Codito Ergo Sum
http://www.nukescripts.net |
|
|
|
BobMarion
|
| Posted:
Thu Nov 18, 2004 3:30 am |
|
Oh, and I've done file compares and he did not use any of CS's Patched files at all
I also remember this patch being released by NSN after that long night talking with DJ:Code:if ($aid AND (!isset($admin) OR empty($admin)) AND $op != 'login') {
unset($aid);
unset($admin);
echo "Access denied";
die();
}
|
But I don't see any credits to him or me |
| |
|
|
|
|
TheosEleos
Life Cycles Becoming CPU Cycles
Joined: Sep 18, 2003
Posts: 960
Location: Missouri
|
| Posted:
Thu Nov 18, 2004 3:36 am |
|
| DJMaze wrote: | Someone fixes a security bug and what does FB do ?
Create a bigger hole in the system
You wanna have an example ?
k here goes:
admin/modules/authors.php
Code:global $prefix, $db, $admin_file;
if (!eregi("".$admin_file.".php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
|
Now call that file thru sometihng like:
mydomain.com/admin/modules/authors.php?admin_file=authors
GOOD LUCK !!!! |
I must be a horrible hacker cuz I tried this trick on my test 7.6 site and got a 404 error. |
_________________
http://jamesdibben.com |
|
 |
|
MrFluffy
Hangin' Around
Joined: Jun 24, 2004
Posts: 28
Location: Berlin
|
| Posted:
Thu Nov 18, 2004 5:55 am |
|
| TheosEleos wrote: | | DJMaze wrote: | Someone fixes a security bug and what does FB do ?
Create a bigger hole in the system
You wanna have an example ?
k here goes:
admin/modules/authors.php
Code:global $prefix, $db, $admin_file;
if (!eregi("".$admin_file.".php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
|
Now call that file thru sometihng like:
mydomain.com/admin/modules/authors.php?admin_file=authors
GOOD LUCK !!!! |
I must be a horrible hacker cuz I tried this trick on my test 7.6 site and got a 404 error. |
No 'luck' either, direct access to those files isn't possible on my testsystems.
Wouldn't it be an option to define the admin file as a constant instead of using a variable? I'm not sure if that would make sense though... can you manually put a constant in a url string? I just think a constant can't be manipulated (think I've read that somewhere). |
_________________
cu,
MrFluffy
 |
|
 |
|
djmaze
|
| Posted:
Thu Nov 18, 2004 9:59 am |
|
I didn't say how and when the vulnerabilities work to prevent scriptkiddies playing with it.
A real developer knows when and how they work. |
| |
|
|
|
|
MrFluffy
|
| Posted:
Thu Nov 18, 2004 10:12 am |
|
Oh sorry, didn't want to disturb the 'real' developers with my childish comments  |
| |
|
|
|
|
djmaze
|
| Posted:
Thu Nov 18, 2004 10:30 am |
|
| MrFluffy wrote: | | Oh sorry, didn't want to disturb the 'real' developers with my childish comments |
You did mention something good about defines.
Yes defines are the only good option if it's used wisely like:
Code:if (!defined('CPG_NUKE')) { exit; }
|
|
| |
|
|
|
|
irandoct
Hangin' Around
Joined: Dec 01, 2003
Posts: 39
|
| Posted:
Thu Nov 18, 2004 11:07 am |
|
Hi all,
I'm applying a patch like Chatserv 2.6 to 7.6 version. It will be done in a day!
Any suggesstions please let me know !
Regards |
| |
|
|
|
|
irandoct
|
| Posted:
Thu Nov 18, 2004 11:24 am |
|
Hello BobMarion,
Can i use sentinel 2.1.1 on phpnuke 7.6 ? Does any changes need ?
Please advise
Regards |
| |
|
|
|
|
Raven
|
| Posted:
Thu Nov 18, 2004 11:37 am |
|
NukeSentinel will work just fine |
| |
|
|
|
|
oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
|
| Posted:
Thu Nov 18, 2004 11:40 am |
|
|
|
|
|
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
|
| Posted:
Thu Nov 18, 2004 1:34 pm |
|
Can you post what those are oprime? |
| |
|
|
|
|
oprime2001
|
| Posted:
Thu Nov 18, 2004 1:40 pm |
|
Sorry. I should have been more explicit. The other concerns are NOT necessarily security-specific. The concerns are more related to nukelite/FB's perceived attitude.
More details in this post: [ Only registered users can see links on this board! Get registered or login! ] |
| |
|
|
|
|
Peejay
New Member
Joined: Mar 17, 2004
Posts: 6
|
| Posted:
Thu Nov 18, 2004 7:54 pm |
|
Chatserv: Is there going to be a patched version of 7.6? It would appear that your builds are the only ones we can trust to be secure anymore. |
| |
|
|
|
|
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
|
| Posted:
Thu Nov 18, 2004 11:12 pm |
|
What a mess. What is this junk solution doing in a nice place like this?
Can we send this one back to "the Club" until it's ready for Beta?
Watch out for your blocks in 7.6 folks!
Some have:
Code:if (eregi("block-Big_Story_of_Today.php", $_SERVER['PHP_SELF'])) {
Header("Location: index.php");
die();
|
While others have:
Code:if (eregi("block-Advertising.php",$_SERVER[PHP_SELF])) {
Header("Location: ../index.php");
die();
|
Where is that pesky index.php file anyway?
This one is named wrong:
Code:if (eregi("block-Last_10_Articles.php", $_SERVER['PHP_SELF'])) {
Header("Location: index.php");
die();
}
|
Space or no space after that comma?.. Hmmm.. I guess it doesn't matter since there a bunch of these both ways. Way to keep a standard!
Code:if (eregi("block-Last_Referers.php",$_SERVER['PHP_SELF'])) {
Header("Location: index.php");
die();
}
|
|
_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance.
Last edited by 64bitguy on Thu Nov 18, 2004 11:36 pm; edited 1 time in total |
|
|
|
|
Raven
|
| Posted:
Thu Nov 18, 2004 11:35 pm |
|
It's the lemmings that amaze me. If he would just come down from his ego and open this up, the community could beta test it for him before he releases it! But it still doesn't explain why he, as the developer (and I use the term very loosely), doesn't test his stuff with all known exploits BEFORE he releases it! |
| |
|
|
|
|
Peejay
|
| Posted:
Thu Nov 18, 2004 11:43 pm |
|
I agree. I tried to defend him for a long time but its just impossible now. I work at an ISP and there is talk about banning use of all Nuke related software because of the highly insecure nature of it. I use it on my system at home and have never had a problem but I keep a close eye on all patches, etc, etc. |
| |
|
|
|
|
Raven
|
| Posted:
Thu Nov 18, 2004 11:48 pm |
|
There are many ISP's/Hosts that are doing that. I am constantly debating the issue with my data center. I still contend that he should stop all other development and fix all known exploits. Then, he should hire waraxe to break it and then he fixes it etc... |
| |
|
|
|
|
64bitguy
|
| Posted:
Fri Nov 19, 2004 12:03 am |
|
Users with 7.6 need to also secure the weblinks module... It's open again...
I've had this less than 20 minutes and I've found all of these? sheesh.... This is just sloppy. |
| |
|
|
|
|
chatserv
|
| Posted:
Fri Nov 19, 2004 1:16 am |
|
A patch for it is already done but i'm sending it over to Telli and any other that wants to check it out before releasing it, there was simply way too much on my plate today with the release of phpBB 2.0.11 at the same time. |
| |
|
|
|
|
irandoct
|
| Posted:
Fri Nov 19, 2004 1:56 am |
|
Hi all,
I have checked some parts of this version . The only thing that I can say is :
It's very buggy ! Strongly very buggy !
As a sample there is two missed form action in content / download modules.
see this :
modules/content/admin/index.php line : 186
modules/downloads/admin/index.php line : 100
Please don't install this version until a patch for it.
I'm trying do this based on Chatserv patch 2.6 .
can anyone help me in this issue and testing it ? let me know!
Have a nice Nuke Day  |
| |
|
|
|
|
Andrzej
Hangin' Around
Joined: Jan 22, 2004
Posts: 31
|
| Posted:
Fri Nov 19, 2004 9:29 am |
|
I think that your support patching the versions - should stop with 7.6. It's getting crazy.
Andrzej |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
