Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
lukamar
New Member
New Member


Joined: Jul 21, 2005
Posts: 14

PostPosted: Sat Dec 09, 2006 11:19 am Reply with quote

I have a guy using many different spoof IP's trying to modify a single weblink. I would ike to redirect him with htaccess to somewhere.

This is the code he uses, with my site info removed..

/subdomain/Mainsite.com/directory/modules.php?name=Web_Links&l_op=modifylinkrequest&lid=17

I have put the weblinks in the registered user section and he can't pass the code to there without registering but I would like the weblinks section visible to the general public.

Or.. and probably the best solution, would be to modify the weblink code so that only the Admin can modify it's links. But I have no idea how to do it.

Any Ideas would be very helpfull.
 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Sat Dec 09, 2006 11:51 am Reply with quote

Is there any settings in the weblinks modules l_config.php file that might help?
 
View user's profile Send private message Send e-mail
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Sat Dec 09, 2006 12:34 pm Reply with quote

The same is in the downloads module. Its called d_config.

Block unregistered users from suggesting downloads changes? (1=Yes 0=No)
However, in older versions or non patched versions the $blockunregmodify = 1; doesn´t work.
 
View user's profile Send private message
lukamar
PostPosted: Sat Dec 09, 2006 5:25 pm Reply with quote

Susann wrote:
The same is in the downloads module. Its called d_config.

Block unregistered users from suggesting downloads changes? (1=Yes 0=No)
However, in older versions or non patched versions the $blockunregmodify = 1; doesn´t work.


Thanks guys and gals.

I'm running the the latest version of PHPNuke 8 so it should be the newest version of Weblinks as well. I noticed the link modify request in my iP_tracking module and have not actually had the weblinks open to the general public.

I did check the config settings so maybe I'll put it live and see what happens.

Thanks again
Very Happy
 
Guardian2003
PostPosted: Sat Dec 09, 2006 5:38 pm Reply with quote

Yikes the newest and worst version, you are a brave person!
 
lukamar
PostPosted: Sat Dec 09, 2006 6:20 pm Reply with quote

Guardian2003 wrote:
Yikes the newest and worst version, you are a brave person!


So I've been finding out...LOL Shocked
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Sun Dec 10, 2006 10:30 am Reply with quote

Quote:

so it should be the newest version of Weblinks as well


You are assuming that FB touches his older modules over time... He doesn't even include the latest patches in his work, so there is a good chance all the usual bugs are still there... Sad

I have just recently also found that there is a bug in Web Links and probably Downloads which still allows the submittal of links even when you are anonymous and the allow flag is set to NOT allow this to happen... been fixed in the upcoming RavenNuke release... just need to check for other possible such "holes".

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Mon Dec 11, 2006 11:53 am Reply with quote

Scary... but unfortunately not surprising. We should probably post the fix in a forum in case people can't move to RN 2.10 for any reason.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
montego
PostPosted: Wed Dec 13, 2006 2:40 pm Reply with quote

Sorry... entire household has been under-the-weather lately. Haven't been on the boards in too long. The easiest fix is to replace the Add function as such:

=== OPEN FILE ===

modules/Web_Links/index.php

=== REPLACE ENTIRE FUNCTION ===

function Add($title, $url, $auth_name, $cat, $description, $email) {

...

}

=== REPLACE WITH ====

Code:


function Add($title, $url, $auth_name, $cat, $description, $email) {
    global $prefix, $db, $user, $links_anonaddlinklock;
    if (is_user($user) || $links_anonaddlinklock == 1) { //RN0000530 - Disable anonymous exploits!
        $result = $db->sql_query("SELECT url from ".$prefix."_links_links where url='$url'");
        $numrows = $db->sql_numrows($result);
        if ($numrows>0) {
            include_once("header.php");
            menu(1);
            echo "<br />";
            OpenTable();
            echo "<center><b>"._LINKALREADYEXT."</b><br /><br />"
                .""._GOBACK."";
            CloseTable();
            include_once("footer.php");
        } else {
            if(is_user($user)) {
                $user2 = base64_decode($user);
                $user2 = addslashes($user2);
                $cookie = explode(":", $user2);
                cookiedecode($user);
                $submitter = $cookie[1];
            }
            // Check if Title exist
            if (empty($title)) {
                include_once("header.php");
                menu(1);
                echo "<br />";
                OpenTable();
                echo "<center><b>"._LINKNOTITLE."</b><br /><br />"
                    .""._GOBACK."";
                CloseTable();
                include_once("footer.php");
            }
            // Check if URL exist
            if (empty($url)) {
                include_once("header.php");
                menu(1);
                echo "<br />";
                OpenTable();
                echo "<center><b>"._LINKNOURL."</b><br /><br />"
                    .""._GOBACK."";
                CloseTable();
                include_once("footer.php");
            }
            // Check if Description exist
            if (empty($description)) {
                include_once("header.php");
                menu(1);
                echo "<br />";
                OpenTable();
                echo "<center><b>"._LINKNODESC."</b><br /><br />"
                    .""._GOBACK."";
                CloseTable();
                include_once("footer.php");
            }
            $cat = explode("-", $cat);
            if (empty($cat[1])) {
                $cat[1] = 0;
            }
            $title = stripslashes(check_html(FixQuotes($title, "nohtml")));
            $url = stripslashes(check_html($url, "nohtml"));
            $description = stripslashes(check_html(FixQuotes($description), "html"));
            $auth_name = stripslashes(check_html($auth_name, "nohtml"));
            if (!empty($email)) {
                if (($email = validate_mail(stripslashes(check_html($email, "nohtml")))) === false) {
                    die();
                }
            }
            $cat[0] = intval($cat[0]);
            $cat[1] = intval($cat[1]);
            $num_new = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_links_newlink WHERE title='$title' OR url='$url' OR description='$description'"));
            if ($num_new == 0) {
                $db->sql_query("insert into ".$prefix."_links_newlink values (NULL, '$cat[0]', '$cat[1]', '".addslashes($title)."', '".addslashes($url)."', '".addslashes($description)."', '".addslashes($auth_name)."', '".addslashes($email)."', '".addslashes($submitter)."')");
            }
            include_once("header.php");
            menu(1);
            echo "<br />";
            OpenTable();
            echo "<center><b>"._LINKRECEIVED."</b><br />";
            if (!empty($email)) {
                echo _EMAILWHENADD;
            } else {
                echo _CHECKFORIT;
            }
            CloseTable();
            include_once("footer.php");
        }
    } else { //RN0000530 - Start of Disable anonymous exploits!
        include_once('header.php');
        menu(1);
        echo '<br />';
        OpenTable();
        echo '<center>'._LINKSNOTUSER1.'<br />'
            ._LINKSNOTUSER2.'<br /><br />'
            ._LINKSNOTUSER3.'<br />'
            ._LINKSNOTUSER4.'<br />'
            ._LINKSNOTUSER5.'<br />'
            ._LINKSNOTUSER6.'<br />'
            ._LINKSNOTUSER7.'<br /><br />'
            ._LINKSNOTUSER8;
        CloseTable();
        include_once('footer.php');
    } //RN0000530 - End of Disable anonymous exploits!
}


Regards,
montego
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©