Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Monks
New Member
New Member


Joined: May 12, 2004
Posts: 10

PostPosted: Wed May 19, 2004 10:42 pm Reply with quote

I have a fresh install of 7.3 with the 2.4 patches. I'm worried about applying some NSN scripts to it. I'd like to install Groups, Group Downloads, and NSN Your_Account. I'm worried that I'd be losing out on a lot of Chatserv's fixes in doing so.

NSN Groups requires you replace your admin.php and mainfile.php. Im worried that Bob's versions dont have Chatserv's fixes. It looks like Bob puts out some pretty good code and is very conserned about security. Does anyone know if NSN code has been "hardened" using some fixes from Chatserv and Raven?

Of course, Im going to post this same question over at Nukescripts.

Thanks.
Monk
 
View user's profile Send private message
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Wed May 19, 2004 11:12 pm Reply with quote

I would think he secures them, if you want to zip the admin and mainfile included with them and post a download link and i will check.
 
View user's profile Send private message Visit poster's website
Monks
PostPosted: Wed May 19, 2004 11:25 pm Reply with quote

Wow. Thanks chatserv. I would have never expected such personal service.

I have ot admit, im new to Nuke and upgrading it baffles me. Some modules and blocks go in just fine, but some scripts out there make you replace key files, instead of just importing their code in.

NSN Groups wants to replace mainfile.php, admin.php and modules.php. That seems to be asking quite a bit. NSN Group Downloads also wants to replace mainfile.php. So what happens to the changes Groups has in mainfile? What happens to your fixes that were in the original mainfile before all this overwriting? Is this how Nuke is supposed to be updated?

Here is the NSN files, zipped up. Only registered users can see links on this board! Get registered or login!

Thanks a million. I'd like to install the group features, but not if I lose the security fixes.

Monk
 
chatserv
PostPosted: Thu May 20, 2004 7:46 am Reply with quote

Only registered users can see links on this board! Get registered or login! you go.
 
Monks
PostPosted: Thu May 20, 2004 12:16 pm Reply with quote

Thanks Chastserv.

The added features you get from scripts and add-ons may be nice, but I think security should be #1 priority.

The work of people like you & raven is very appriciated.


Monk
 
whiteknight0571
Hangin' Around


Joined: May 05, 2004
Posts: 38
Location: PA USA

PostPosted: Wed Jun 30, 2004 5:16 pm Reply with quote

Personally, before I add ANY add ons for PHPNuke anymore, I have downloaded the core files of my present version, and then I apply the patches I can find for it through Chat, Raven, and such. Once that is done, I upgrade that first. When I begin to apply modules or hacks past that point, I then use a file compare utility to see what is being changed between the module or hack files, and the core files. It is one way to see what modules or hacks you want to use, and see just how badly they mess with the core files. Many times I have found that the files just include some additional code to make the modules, hacks, or blocks function with your version of PHPNuke. Just my two cents and a suggestion for how to go about adding addons to your PHPNuke installation. RavensScripts

_________________
Only registered users can see links on this board! Get registered or login! Reviews always appreciated Surprised Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
Monks
PostPosted: Wed Jun 30, 2004 5:29 pm Reply with quote

Thanks for the feedback. I havent thought of going all the way to a file comapare utility. I guess it's a good idea, when messing with source code like this.

I really wish more people would stay away from messing with core files. Can't they just use includes or something? I dont know, cause Im barely learning PHP. In the absence of includes, maybe a step by step expaination of what is being changed from the standard core file.

I like a lot of mods out there, but I dont like when the zip has it's own mainfile.php. Hell, I dont know what's in that mainfile and it will overwrite the mainfile.php changes the last mod did.

Now that Chat is including a line-by-line changelog with the "Patched" series, it makes it easier to re-apply his code hardening to new mainfile.php. Still, it's a lot of freeking work. I dont know how he does it himself. What a pain. I have no idea where the Nuke community would be without people like Chat & Raven.

Monks
 
chatserv
PostPosted: Wed Jun 30, 2004 5:41 pm Reply with quote

Just be glad the line by line instructions are for PHP-Nuke 7.3/Nuke Patched 2.4 to Nuke Patched 2.5 and not for unpatched older core Nuke files to Nuke Patched, now that would be a nightmare but trust me, anything done to secure code is well worth the extra work and now that 7.3 included one of the patches adding new fixes to it should be less painful.
 
Monks
PostPosted: Wed Jun 30, 2004 5:57 pm Reply with quote

When you apply a mod that comes with it's own mainfile.php (or index or admin) you have no idea what core file they based it on. You hope, if it's a recent release or it's its by a good coder (like Bob) it's on a good new stable core. Even using a file compare utility and comparing it to Chat's Patched code, you might be left doing a lot of patching by hand. Some mod authors dont document much, ya know.

At this point, I dont go near a mod if it's not by an author that is respected in the community. I'll read the readme first and if I dont like the documentation, I dont bother. I really dont have time (or know-how) to pick thru the code trying to install some guy's mod and keep the site safe.

Monks

P.S.
With all that said, does anyone have
a recommendation on a gallery and
a calendar? Smile
 
whiteknight0571
PostPosted: Wed Jun 30, 2004 5:58 pm Reply with quote

I have about 25 local installs of PHPNuke 7.3 using Chat, Raven, Bob's, and the others fixes, hacks, security, etc. I also have Sentinel, Admin Secure, and Protector all playing together quite nicely in these versions, along with osc2nuke module v7x1 and their affiliate program. I've also managed to update the Nuke Amazon module to all but work with PHPNuke 7.3 with a slight problem when approving members amazon content reviews. The dang image doesn't transfer along with the post once approved.

With all this work, I've made backups along the way while doing my modules, and then tested them afterwards. In the end, it makes many versions of PHPNuke 7.3 patched v2.5 along with the osc2nuke module base install available to me with various other modules added into the mix. It all works. But I'm not a PHP Guru by far. It's why I LOVE file compare programs. Just look for what has changed, then use Chat's advice to harden the sql calls and stuff being sent to the database, and voila, instant working security with whatever module you want. It really DOES make PHPNuke much easier to manage for us non tech people RavensScripts

Now if I could just remember where in the world I seen that post that allows you to hack your admin.php file to allow ONLY ADMIN'S to post with ANY html or javascript code, I'd be happy. LOL
 
chatserv
PostPosted: Wed Jun 30, 2004 6:23 pm Reply with quote

I usually save these bits of code, this one i can't recall who suggested it or if it works as i never used it but i guess this is the one you meant.

First off it called for finding the following from mainfile.php:
Code:
foreach ($_GET as $secvalue) { 

    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
   (eregi("\"", $secvalue))) {
   die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||   (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
   die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

and replacing it with:
Code:
if (!is_admin($admin)) { 

foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
   (eregi("\"", $secvalue))) {
   die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||   (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
   die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}
}
 
chatserv
PostPosted: Wed Jun 30, 2004 6:26 pm Reply with quote

I recall the person placed it after the is_admin function, so consider that as well.
 
whiteknight0571
PostPosted: Wed Jun 30, 2004 7:02 pm Reply with quote

Thanks for the quick reply Chat. It looks IDENTICAL to the code that I have seen, and IS the code I was looking for. I was just having a heck of a time finding it. It DOES work, I can verify that one, as when I used it before with PHPNuke 7x it allowed me to use whatever types of code tags I wanted to without the filter giving me crap about it LOL. Thanks for the quick post. I have been in here on the forum in the search area over the past about three hours trying to find it. Thanks for putting it where I could find it.

As always RavensScripts and the same with Nuke Fixes and Nuke Resources. You guys have done a hell of a job with the support. I hope that you are able to continue to support throughout. Your work, Raven's, Bob's, and the rest here running around the forums is MUCH and GREATLY appreciated. Very Happy
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©