Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> How To's
Author Message
SuperCat
Hangin' Around


Joined: Nov 27, 2004
Posts: 37
Location: MN

PostPosted: Mon Nov 29, 2004 9:17 pm Reply with quote

I've been mulling this over ever since i made my shout box able to use the URL redirect in the shout box admin area. Having the URL redirect in the admin files themselves is important. I understand its there to hide the name of admin.php when its been renamed to something else. Heres the possible hole...

When viewing an admin page, there are blocks on the left side of the page. Some of these blocks have URLs pointing offsite. I doubt any of these blocks have the URL redirect built into them. If an admin clicks on a link in one of these blocks while viewing the admin area, they will be giving away their admin.php filename.

There are three possible solutions to this:

1. dont click links in the blocks that lead offsite. (not foolproof)
2. make the blocks on the left side not show when viewing the admin area (restrictive).
3. Have people recode their blocks.

If im going to recode my blocks, i think it should check for a couple things.

1. Is the user an admin?
2. are they viewing an admin page?
3. does this link go offsite?

I posted in another thread about how to implement the URL redirect yet maintain backward compatability by adding a variable to the beginning of the URL. If all 3 of these questions are true, the variable will have index.php?= in it, else it is an empty variable rendering a normal URL.

Comments anyone?

_________________
How deep can we dig the rabbit hole? 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Mon Nov 29, 2004 9:53 pm Reply with quote

Its a legitimate concern and it also begs to ask the question is this something (renaming the admin file) worth wasting our time on? Frankly your right the entire redirection code should be recoded to not allow admins to click any link while in the admin area to other domains. But c'mon its still not IIS compatable after 4 years.

Its something to think about and I'm glad you brought it up for discussion because it really blows me away that what IMO was better left as a hack was put into the public version at the expense of breaking many third party addon links ect...

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
sixonetonoffun
PostPosted: Mon Nov 29, 2004 9:56 pm Reply with quote

Not to mention articles submitted with offsite images posted to them UHG!
 
SuperCat
PostPosted: Tue Nov 30, 2004 6:49 pm Reply with quote

My Shout Box seems like an area that users could use it for this by putting a URL in it. But it only took me about 5 minutes to add code that adds in the url redirect if conditions are right. I will be adding this technique to my other blocks too.

I think this is a great idea. And taking the extra step for security is something MS never did and thats why they are paying for it now. Us as coders need to start being proactive and taking that extra step.

Maybe if we came up with a standardized block/module description that shows in the downloads that says it does X Y and Z. When i first started making my stuff, i wasnt aware of the possibilities. If it was that blatant in a downloads area, i would've made the effort to cover those areas.

Keep in mind that we area all making this up as we go. I'm sure there wasnt any rules out there to go by when the airline industry was in its infancy.
 
sixonetonoffun
PostPosted: Tue Nov 30, 2004 7:23 pm Reply with quote

I'm all for improving standards I just don't think the security though obscurity concept helps that much in this case. But it is what it is and we'll keep hacking it to make it better!
 
sixonetonoffun
PostPosted: Tue Nov 30, 2004 7:41 pm Reply with quote

Since chatserv hasn't been busy enough (he's only released an updated bbtonuke package and a fresh release of the patched series and some other packages he maintains this past week or so) we could colaborate on a cookie theft and path disclosure exploit for this wink*
 
SuperCat
PostPosted: Tue Nov 30, 2004 9:00 pm Reply with quote

heh, one of my goals is to be part of the nuke development team (if there is one).
 
sixonetonoffun
PostPosted: Tue Nov 30, 2004 9:19 pm Reply with quote

I'm just razzin

The best way to be involved is to work with finding/fixing issues and contribute them to chatserv's effort. If they are valid he will in turn often get them into his work with the patched files. Which sometimes get into the main distro even. I wouldn't limit suggestions to the security issues either there are plently of other area's worth exploring too. I see you posting on the other topic started by 64bitguy too so I know your interested beyond finding a hole and getting your name on bugtraq.
 
sixonetonoffun
PostPosted: Tue Nov 30, 2004 9:52 pm Reply with quote

Maybe I'm not being totally fair to either chatserv or FB. FB will often decide to include user submitted fixes but right now I wouldn't even know how to contribute them aside from submitting them as news to phpnuke.org since most other mods of contact have been cut off due the large number of disruptions created (comments and forums) in the past.
 
SuperCat
PostPosted: Wed Dec 01, 2004 9:08 pm Reply with quote

What id rather do is take a whole module and fix all the validation issues in it. Add end tags to things. Remove caps. etc. Do it once and not every 6 months. This is something that wouldnt affect the way the author intended the module to work.
 
sixonetonoffun
PostPosted: Wed Dec 01, 2004 9:55 pm Reply with quote

I gave up I get to beta a lot of neat stuff around here and am working with the CNB Your Account team which is really a ton of fun.

I know Shawn at nukestyles started with the idea of improving some default modules but in the end the updates train blew right past him. I'm sure you'll find a niche to work from. As with anything if you build it they will download it. Getting changes into the main distro is always hit and miss. I have spent countless hours of frustration finding bugs only see them version after version. Your Account has been one of the worst long standing issues. Since I couldn't effect changes to it I am now able to participate in offering a alternative solution.

Chatserv has been so great with the patched series but there is a limit to what he can do and support on his own. FB might integrate one change and skip another for no appearent reason. But without turning this into a flame thats about all I care to say on the topic of how or why phpnuke development is accomplished there is a recipe and a cook but thats all I know.
 
SuperCat
PostPosted: Sun Dec 05, 2004 3:07 pm Reply with quote

I have posted an extensive article about this and the code to easily resolve this issue here: Only registered users can see links on this board! Get registered or login!
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> How To's

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©