Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

PostPosted: Wed Jan 12, 2005 7:48 pm Reply with quote

I've just uploaded Chat's latest patches and when I go into Admin and try to do anything I get a plain white page with Access Denied top left corner.

I had edited admin.php here where required:

Quote:

// Uncomment the following block of code after editing the next line to match your site domain
$domainname = "www.minicitymag.com/nuke/html";
if ($_SERVER['SERVER_NAME'] != $domainname ) {
echo "Access denied";
die();
}
/************************************************************************/


Here's the original block:

Quote:

// Uncomment the following block of code after editing the next line to match your site domain
/*$domainname = "www.yourdomainname.com";
if ($_SERVER['SERVER_NAME'] != $domainname ) {
echo "Access denied";
die();
}*/
/************************************************************************/


If I leave the block commented I can get into Admin but not with it commented out and my domain name entered. Have I taken out something other than I should have?

_________________
Classic Mini rules the bends & bends the rules!
[img] 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Wed Jan 12, 2005 7:50 pm Reply with quote

Have you tried
$domainname = "www.minicitymag.com";
instead of
$domainname = "www.minicitymag.com/nuke/html";
 
View user's profile Send private message
Muffin
PostPosted: Wed Jan 12, 2005 7:52 pm Reply with quote

Yes I put that first and still got the access denied page Raven.

Thanks for the fast reply
 
Raven
PostPosted: Wed Jan 12, 2005 7:56 pm Reply with quote

Save the following code and call it whatever you want. Then. upload it to your web server and execute it. Let's see what it shows
Code:
<?

echo $_SERVER['SERVER_NAME'];
die();
?>
 
Muffin
PostPosted: Wed Jan 12, 2005 7:58 pm Reply with quote

ok will do
 
Muffin
PostPosted: Wed Jan 12, 2005 8:01 pm Reply with quote

minicitymag.com

so do I leave the www off the domain name? lol
 
Raven
PostPosted: Wed Jan 12, 2005 8:03 pm Reply with quote

Yep.
 
Muffin
PostPosted: Wed Jan 12, 2005 8:05 pm Reply with quote

Yup that did it Raven I had to just put minicitymag.com and leave the Only registered users can see links on this board! Get registered or login! off the front

Thanks Raven

I'm still getting html tags arent allowed when I try to change anything in preferences tho, so uploading the latest patches didnt resolve that mystery.

The error page that tells me the html tags are not allowed when I look at the page source it says

Quote:

<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href="javascr ipt:history.go(-1)"><b>Go Back</b></a> ]



and it's showing an image from my shop on the top, but the url in the searchbar says the site url and admin.php on the end.

Weird.
 
Raven
PostPosted: Wed Jan 12, 2005 8:13 pm Reply with quote

Did you add the if (is_admin($admin)) logic like I suggested?
 
Muffin
PostPosted: Wed Jan 12, 2005 8:17 pm Reply with quote

No I had a look through the forums and couldn't find it Raven.

I didnt really know what I was looking for sorry.

Can you give me a link please?
 
Raven
PostPosted: Wed Jan 12, 2005 8:22 pm Reply with quote

Do a search for ALL terms on
is_admin($admin)
 
Muffin
PostPosted: Wed Jan 12, 2005 8:37 pm Reply with quote

OK I found it in this thread Only registered users can see links on this board! Get registered or login!

edited my mainfile very carefully as instructed in that thread and got this error page

Parse error: parse error, unexpected $ in /home/minicity/public_html/nuke/html/mainfile.php on line 1153

Line 1153 is a blank line above the closing ?>


Last edited by Muffin on Wed Jan 12, 2005 8:41 pm; edited 1 time in total 
Raven
PostPosted: Wed Jan 12, 2005 8:40 pm Reply with quote

Did you add the closing brace at the end?
 
Muffin
PostPosted: Wed Jan 12, 2005 8:47 pm Reply with quote

ermmm pass lol

Here's what my block of code looks like in my mainfile:

Quote:

if (!is_admin($admin)) {
foreach ($_GET as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue)) ||
(eregi("forum_admin", $var_name)) ||
(eregi("inside_mod", $var_name))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javasc ript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}

foreach ($_POST as $secvalue)


should there be another ) on this line after the last 2?

[quote](eregi("\"", $secvalue)) ||


Last edited by Muffin on Wed Jan 12, 2005 8:51 pm; edited 1 time in total 
Raven
PostPosted: Wed Jan 12, 2005 8:49 pm Reply with quote

A couple of things wrong. Your code, before, looks something like this
Code:
foreach ($_GET as $secvalue) { 

    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
   (eregi("\"", $secvalue))) {
   die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||   (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

You need to change it to this
Code:
if (!is_admin($admin)) {

foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
   (eregi("\"", $secvalue))) {
   die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||   (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}
}
 
Muffin
PostPosted: Wed Jan 12, 2005 8:55 pm Reply with quote

ok thanks for your patience Raven.

Why do I have extra lines in my code?

Quote:
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
(eregi("\"", $secvalue)) ||
(eregi("forum_admin", $var_name)) ||
(eregi("inside_mod", $var_name))) {


This is the latest patch mainfile so is that why?


Last edited by Muffin on Wed Jan 12, 2005 8:58 pm; edited 1 time in total 
Raven
PostPosted: Wed Jan 12, 2005 8:57 pm Reply with quote

Mine is from 6.9 so those were probably added in the later releases/patches Smile
 
Muffin
PostPosted: Wed Jan 12, 2005 8:58 pm Reply with quote

Oh I see, I was worried there for a moment lol

Thanks Raven, sorry for being a slow learner (its my age lol)
 
Raven
PostPosted: Wed Jan 12, 2005 9:00 pm Reply with quote

Cheers
 
Muffin
PostPosted: Wed Jan 12, 2005 9:08 pm Reply with quote

Thank you Raven it works perfectly, and for your time, much appreciated.

xxxxx
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©