Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
oprime2001
Worker
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

PostPosted: Mon Sep 13, 2004 9:18 am Reply with quote

Do the Only registered users can see links on this board! Get registered or login! fix the security hole that allows the following Only registered users can see links on this board! Get registered or login!? Fortunately, I have Only registered users can see links on this board! Get registered or login! on my sites which is another layer of security that the above script cannot defeat easily.
 
View user's profile Send private message
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Mon Sep 13, 2004 9:44 am Reply with quote

Have not tested that but 2.6 does, you won't be able to view the admins or perform the other authors.php functions if not logged in as an admin, if you are using 7.5 test it by logging out as admin and then running that hack, you should be asked to login after you click the display button, let me know how it goes, hopefully i will be updating the patches to 2.6 if nothing else is reported.
 
View user's profile Send private message Visit poster's website
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

PostPosted: Mon Sep 13, 2004 9:57 am Reply with quote

I tested it on my 7.5 site, and it did bring up the pop up Login box

_________________
"The Daytona 500 is ours! We won it, we won it, we won it!", Dale Earnhardt, February 15th, 1998, Daytona 500 
View user's profile Send private message Send e-mail Visit poster's website Yahoo Messenger MSN Messenger ICQ Number
chatserv
PostPosted: Mon Sep 13, 2004 11:30 am Reply with quote

I'm under the impression that what is meant to happen with this hack is that site admins that would normally not be able to perform these actions can because of a faulty access check so i will run some tests with that in mind, if that is the case then i will edit the file so that only the superuser gets access, the check at the start of the file does not seem to be doing the job for whatever reason.
 
chatserv
PostPosted: Mon Sep 13, 2004 11:46 am Reply with quote

Nope, created a new admin, gave it access to several modules, logged in as him, ran the script and got a Access Denied message.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©