Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
pnclthnmstsh
Regular
Regular


Joined: Oct 23, 2005
Posts: 54
Location: Portland, Or

PostPosted: Thu Aug 17, 2006 7:58 pm Reply with quote

I'm building a couple of mods that I'm designing to be forum hacks. In other words the php files are put in the modules/Forums folder. The standard security scripts to make sure folks need to be logged in to access the file thru the site are working fine but I just found out that if you send someone the link they can access the file just fine without being logged in. As well, the script allows for comments to be put in and displayed thru a following link after submitting the information.

I was under the assumption that this piece of script


Code:


$user_id = $userdata['user_id'];
if (!$userdata['session_logged_in'] && $user_id == ANONYMOUS)
{
   $header_location = ( @preg_match("/Microsoft|WebSTAR|Xitami/", getenv("SERVER_SOFTWARE")) ) ? "Refresh: 0; URL=" : "Location: ";
   header($header_location . append_sid("login.$phpEx?redirect=course.$phpEx", true));
   exit;
}

Would force users to log in to access the script..to an extent it does but only if the user doesn't have a cookie set.

Since the code above is the standard script to stop unregistered users from accessing a file it seems to me that there's a flaw that someone could register...get the link...send the link to themselves and then enter malicious data into the comments field to do whatever they want.

The other problem is...my hack autodetects a members username for entry into the database. So since thru a direct link (I.E. if I pasted it here) if you have a cookie set from my site you will be allowed to post the submission of your comment and nuke will find your cookie and IP and allow you to enter data to the database without being logged in.

Since I'm using standard nuke/phpbb security this is not only a hassle for me to delete entries that have a blank entry for a username but it also opens up a hole for malicious attacks to the database. And it seems to be a flaw in any phpbb hack or mod that the php file is in modules/Forums.

I hope this makes sense because I'd like to fix the possiblity for non logged in members to be able to access the file completely..even with a cookie set.

Thanks for any comments and if you need more details please PM me.

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website Yahoo Messenger
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Thu Aug 17, 2006 8:42 pm Reply with quote

A little confusing, but I think the answer to prevent malicious code, whether or not a user is logged in, is to use the standard Nuke approach for accessing data. That sends the SQL through NukeSentinel at least. If you're using your own DB connections, you're asking for all kinds of problems, IMHO.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
pnclthnmstsh
PostPosted: Thu Aug 17, 2006 8:57 pm Reply with quote

Thank you for the response but since this is a file I've installed in modules/Forums I assumed it would follow nuke rules ( I do have Sentinel installed and working fine...it has stopped every hack attempt to date ) here's the beginning of my file upto where the engine goes to work:

Code:


<?php
/*
Daily Tourney by PTM
*/

// standard hack prevent

if (!eregi("modules.php", $PHP_SELF)) {
    die ("You can't access this file directly...");
}


define('IN_PHPBB', true);

$phpbb_root_path = 'modules/Forums/';
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);
include('header.php');

// standard session management
$userdata = session_pagestart($user_ip, PAGE_INDEX, $nukeuser);
init_userprefs($userdata);

 // Make sure the player is registered
$user_id = $userdata['user_id'];
if (!$userdata['session_logged_in'] && $user_id == ANONYMOUS)
{
   $header_location = ( @preg_match("/Microsoft|WebSTAR|Xitami/", getenv("SERVER_SOFTWARE")) ) ? "Refresh: 0; URL=" : "Location: ";
   header($header_location . append_sid("login.$phpEx?redirect=daily.$phpEx", true));
   exit;
}


That basic script seems to precede all modules/Forums files that require security so this is the extent of my knowledge to secure that type of file.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©