Ravens PHP Scripts: Forums
Forum: Security - PHP Nuke
morpheus_75 (Involved; Joined: Oct 07, 2003; Posts: 302)
Posted: Sun May 30, 2004 10:19 am

I heard that several hack attempts happened because of security bugs in gallery modules/blocks. I also read somewhere that My_eGallery may be an easy way for hackers to hack sites.

Is this true? Is there any trick to protect my site?

Thank you.
stephen2417 (Worker; Joined: Jan 18, 2004; Posts: 244; Location: Bristolville, OH)
Posted: Sun May 30, 2004 10:23 am

I know my site got hacked because of Coppermine. I patched it but didn't patch the other theme I was using.

It's all sorted out now though.

I don't know about My_eGallery; could it be the same thing as Coppermine?
morpheus_75
Posted: Mon May 31, 2004 10:24 am

As I said, I heard My_eGallery may be an easy backdoor to hack one's site. But how this happens and what should be done to prevent the hacking is quite unknown to me.
Raven, Chat, what do you think about it?
sixonetonoffun (Spouse Contemplates Divorce; Joined: Jan 02, 2003; Posts: 2496)
Posted: Mon May 31, 2004 10:50 am

I think if you look at the site where the PostNuke version is maintained you will find most of the patches are easily backwards compatible as of now. But there is also a plea for someone to come forward and maintain the phpnuke version or at least the patches for it. [link visible to registered users only]
But I see this has been moved to [link visible to registered users only]

In fact I had someone attempt the exploit posted here [link visible to registered users only] not long ago, but it failed for various reasons (they didn't have a clue), but added a patch for it. The last one I know of to take on MeG was AI, and I am sure he has since abandoned the effort to devote his time to Open Site Manager.

The last patch applied to public/displayCategory.php was just to add this to the beginning of the file to prevent http being used in the path. I'd guess there are more issues to be resolved in the old 2.79 MeG phpnuke version. And I must also say I don't think this is effective protection. But I've not tested this, so take it at face value.

// Only include the module files if neither path contains "http"
// (meant to stop a remote URL being used as the include path)
$bug = strpos($basepath,"http");
$bug2 = strpos($adminpath,"http");
if ($bug === false AND $bug2 === false) {
    include ("$basepath/public/imageFunctions.php");
    include ("$adminpath/fileFunctions.php");
}
morpheus_75
Posted: Mon May 31, 2004 11:41 am

Hi, Six, thank you very much for your kind reply!

sixonetonoffun wrote:
The last patch applied to public/displayCategory.php was just to add this to the beginning of the file to prevent http being used in the path. I'd guess there are more issues to be resolved in the old 2.79 MeG phpnuke version. And I must also say I don't think this is effective protection. But I've not tested this, so take it at face value.

// Only include the module files if neither path contains "http"
// (meant to stop a remote URL being used as the include path)
$bug = strpos($basepath,"http");
$bug2 = strpos($adminpath,"http");
if ($bug === false AND $bug2 === false) {
    include ("$basepath/public/imageFunctions.php");
    include ("$adminpath/fileFunctions.php");
}


I have the old 2.79 and I do not plan to update it. The next step (in a couple of months) will actually be installing the latest Nuke version (Raven's, of course!) with Coppermine. In the meantime I would like to run no risk at all! Do you think your patch will do?
sixonetonoffun
Posted: Mon May 31, 2004 1:17 pm

It's not mine, but it seems to work for the specific exploit it's designed to catch. I'm glad you started the topic; it would be nice to know if there is someone maintaining patches for 2.79 out there.
chatserv (Member Emeritus; Joined: May 02, 2003; Posts: 1389; Location: Puerto Rico)
Posted: Mon May 31, 2004 1:45 pm

Even if someone does decide to attempt a full patch of MeG, it just might be too late for it. Many hosts do not allow its use on shared servers or any hosted site, because any site can be hacked even if it is not using it: all it takes is for one person to have it on their web space for all other sites sharing the server to become vulnerable. It's going to take some well documented proof that all bugs have been patched before any of said servers reverse their decision to block the gallery.
soc (Hangin' Around; Joined: Apr 14, 2004; Posts: 26)
Posted: Tue Jun 01, 2004 3:21 pm

I found this code somewhere as a fix for public/displayCategory.php (first lines):
Code:

// A request that tries to set the include paths directly is refused:
// reset the paths and send the visitor back to the front page.
if ( isset($_GET['basepath']) || isset($_GET['adminpath']) || isset($_POST['adminpath']) || isset($_POST['basepath']) )
{
    $basepath = ""; $adminpath = "";
    Header("Location: index.php");
    die();
}

// Same treatment if the file was not reached through modules.php,
// or if either path looks like a URL.
if ( !stristr($_SERVER['PHP_SELF'], "modules.php") || stristr($basepath, "http") || stristr($adminpath, "http") )
{
    $basepath = ""; $adminpath = "";
    Header("Location: index.php");
    die();
}

include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");


Does anyone know if this is a solution? cs or anyone else?
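Both patches in this thread work by searching the include-path variables for the string "http" after a request may already have set them. As an added example (my own code, not My_eGallery's and not anything posted above), here is the shape a maintainer of 2.79 would want instead: the module root is fixed from the file's own location, request-supplied path variables are logged and refused, and every include is resolved and checked against that root. The public/ location of the file, the admin/ directory name and the meg_ function name are assumptions.

```php
<?php
// Added example, not My_eGallery's own code: a whitelist-style include guard
// for a PHP-Nuke module file such as public/displayCategory.php. Instead of
// searching attacker-reachable $basepath/$adminpath for the string "http",
// the module root is fixed from this file's own location and every include
// is resolved and checked against that root before it is loaded.

// Module root, never taken from the request. Assumes this file lives in
// <module>/public/, so the root is one directory up.
$meg_root = realpath(dirname(__FILE__) . '/..');
if ($meg_root === false) {
    exit('module root not found');
}

// Resolve $relative under $root; return the absolute path, or false if the
// file is missing or resolves outside the root (../, symlink, stream wrapper).
function meg_resolve_include($root, $relative) {
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $relative)) {
        return false;                  // URL or stream wrapper: never an include target
    }
    $full = realpath($root . '/' . $relative);
    if ($full === false) {
        return false;                  // file does not exist
    }
    $prefix = rtrim($root, '/') . '/'; // trailing slash: "/www/meg2" must not pass for "/www/meg"
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;                  // escaped the module root
    }
    return $full;
}

// A request-supplied path variable is a probe, not a configuration option:
// log it for the site admin and stop, instead of trying to sanitise it.
foreach (array('basepath', 'adminpath') as $name) {
    if (isset($_GET[$name]) || isset($_POST[$name]) || isset($_COOKIE[$name])) {
        $who = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log("MeG include guard: request from $who tried to set \$$name");
        header('Location: index.php');
        exit;
    }
}

// Fixed includes replacing "$basepath/public/imageFunctions.php" and
// "$adminpath/fileFunctions.php"; the admin directory name is assumed.
$image_functions = meg_resolve_include($meg_root, 'public/imageFunctions.php');
$file_functions  = meg_resolve_include($meg_root, 'admin/fileFunctions.php');
if ($image_functions === false || $file_functions === false) {
    error_log('MeG include guard: expected module files missing or outside root');
    exit;
}
include $image_functions;
include $file_functions;
```

The error_log lines give a hosting admin something to grep for, which the redirect-and-die patches above do not.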
morpheus_75
Posted: Wed Jun 02, 2004 3:27 am

chatserv wrote:
Even if someone does decide to attempt a full patch of MeG, it just might be too late for it. Many hosts do not allow its use on shared servers or any hosted site, because any site can be hacked even if it is not using it: all it takes is for one person to have it on their web space for all other sites sharing the server to become vulnerable. It's going to take some well documented proof that all bugs have been patched before any of said servers reverse their decision to block the gallery.


It seems my host won't prevent me from using My_eGallery. At least this is what I was told.
By the way, Chat or Six... do you think soc's solution may be a good one? I know every site can be hacked if a hacker decides to do it. So by "good solution" I mean a stopgap measure... a palliative...
chatserv
Posted: Wed Jun 02, 2004 8:59 am

The problem here is that $basepath is not the only vulnerable area of MeG. I recall having suggested several code changes for patching other vulnerabilities, but when I saw that new ones kept being exposed constantly I just gave up on it, mainly because many hosts had banned it from being used.
morpheus_75
Posted: Wed Jun 02, 2004 2:20 pm

I found a few bugs on My-eGallery:

1) The Gallery home page does not display the number of images for each category. You only get a 0, i.e.: Animatrix (0).

2) When you click on a thumb, the image displays properly, but you cannot see the page numbers between the two arrows (left and right).

3) The 2 arrows mentioned above lead to wrong images.

4) When trying to edit the templates, I get the following error:

The html tags you attempted to use are not allowed

Can anyone help?

P.S.: I'd like the thumbs to be displayed in 2 columns... how can I do that? In the configuration menu you can only set the number of thumb columns on the gallery main page...
morpheus_75
Posted: Wed Jun 02, 2004 3:41 pm

morpheus_75 wrote:
1) The Gallery home page does not display the number of images for each category. You only get a 0, i.e.: Animatrix (0).


The galleries were set to be displayed only by admins. That is why there was that 0.

morpheus_75 wrote:
2) When you click on a thumb, the image displays properly, but u cannot see the page numbers between the two arrows (left and right).


I dunno if this is a real bug. The arrows are there, but not the page number...

morpheus_75 wrote:
3) The 2 arrows mentioned above lead to wrong images.


Now it works.

morpheus_75 wrote:
4) When trying to edit the templates, I get the following error:

The html tags you attempted to use are not allowed


That is a mystery...
morpheus_75
Posted: Thu Jun 03, 2004 6:09 am

Does anyone have any idea about what I said in the previous post? And what about security? What are the recommended patches to use (even though they do not solve the whole problem)?

Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours