PHP-Nuke admin.php security hole fix

Raven · Posted: Tue Oct 14, 2003 1:16 pm

To fix the admin.php security exploit, you need to edit admin.php. Your beginning code in admin.php will look something like this

Code:

<?php

/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/

require_once("mainfile.php");
get_lang(admin);

Modify it to look like this

Code:

<?php

/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
$nastyGram = "<center>:: Thanks for providing me with your connection information! You have been caught attempting to break into my site and appropriate action will be taken. ::</center>";
$myPHPVersion = str_replace('.','',phpversion());
if ($myPHPVersion>=410) $checkMyUrl = $_SERVER['REQUEST_URI'];
else $checkMyUrl = getenv("REQUEST_URI");
if (preg_match("/\?admin/", "$checkMyUrl")) {
require_once("mainfile.php");
include("header.php");
OpenTable();
echo $nastyGram;
CloseTable();
include "footer.php";
die();
}

require_once("mainfile.php");
get_lang(admin);

The $nastyGram variable can be modified to be whatever you want it to. You could display a message and then relocate them to the FBI page for something novel Laughing

.

blith · Client Joined: Jul 18, 2003 Posts: 977

this is nice!! Can we check to see if it is working somehow?

Raven · Posted: Tue Oct 14, 2003 2:25 pm

The exploit was being accessed through code like this. I will only give enough to allow you to test - don't want to publish more than that here.

Only registered users can see links on this board!
Get registered or login to the forums!

That should be enough to test it.

blith · Client Joined: Jul 18, 2003 Posts: 977

oh okay thanks... thanks for being on the lookout Mr. Raven!!

fury · Worker Joined: Sep 09, 2003 Posts: 165

hehehehehe works great thanks Raven

mattomus · New Member Joined: Aug 01, 2003 Posts: 5

Great work!

Is there a way to perhaps pm or e-mail the admin(s) when this message is displayed, so they can manually or automatically take corrective action?

Raven · Posted: Wed Oct 15, 2003 1:11 pm

What admins?

Frogger · Worker Joined: Oct 06, 2003 Posts: 108

Kewl. Works Great!

mattomus · New Member Joined: Aug 01, 2003 Posts: 5

Oops, I said admin(s) what I meant to say is that a site administrator(s) that has just had this exploit or one like it, run on her/his patched site, by someone other than himself/herself, could probably benefit from knowing about the incident sooner rather than later.

For instance, it might be useful for that site administrator to be notified via e-mail or instant message, with the connection information and details of visitors that have been presented with the $nastyGram on their site(s). In this way they could manually take action, if that was what they wanted to do.

Another idea that comes to mind is the following:

If the ip address of the visitor that has been presented with the $nastyGram is not equal that of the true site administrator, then the ip address of that visitor might be automatically banned?

I do not have the skills required to implement the above ideas at this time, I am Just thinking out loud.

Frogger · Worker Joined: Oct 06, 2003 Posts: 108

The Protector 1.13b mod can help with that.

You can find it at

Only registered users can see links on this board!
Get registered or login to the forums!

It protects admin IPs and you can also assign members to the protection.

It autobans and gives you the option to add more, tracks ips, who/where online, how long, reverse lookup, etc..

mattomus · New Member Joined: Aug 01, 2003 Posts: 5

Thanks for the tip frogger, this looks great! Is there a mod availible for 1.13b?

Frogger · Worker Joined: Oct 06, 2003 Posts: 108

mattomus wrote:

Thanks for the tip frogger, this looks great! Is there a mod availible for 1.13b?

I just woke up, so the ole grey cells aren't fully functional at the moment, so . . .

Not sure what you mean. Sounds like you found the site and the mod.

If you're not in a hurry to get Protector, you should wait until 1.14b is available sometime this week.

mattomus · New Member Joined: Aug 01, 2003 Posts: 5

I will wait for 1.14b

thank you

Frogger · Worker Joined: Oct 06, 2003 Posts: 108

What is the difference between these two fixes to the admin.php? Is all that stuff in the other code really necessary to fix the problem being addressed?

Your fix

Code:

$nastyGram = "<center>:: Thanks for providing me with your connection information! You have been caught attempting to break into my site and appropriate action will be taken. ::</center>";
$myPHPVersion = str_replace('.','',phpversion());
if ($myPHPVersion>=410) $checkMyUrl = $_SERVER['REQUEST_URI'];
else $checkMyUrl = getenv("REQUEST_URI");
if (preg_match("/\?admin/", "$checkMyUrl")) {
require_once("mainfile.php");
include("header.php");
OpenTable();
echo $nastyGram;
CloseTable();
include "footer.php";
die();
}

require_once("mainfile.php");
get_lang(admin);

Fix posted at the other site.....

Code:

$checkmyurl = getenv("REQUEST_URI");

if (preg_match("/\?admin/", "$checkmyurl")) {
echo "die";
exit;
}
require_once("mainfile.php");
get_lang(admin);

function create_first($name, $url, $email, $pwd, $user_new) {
global $prefix, $db, $user_prefix;
$first = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors"));
if ($first == 0) {
$pwd = md5($pwd);
$the_adm = "God";
$sql = "INSERT INTO ".$prefix."_authors VALUES ('$name', '$the_adm', '$url', '$email', '$pwd', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '1', '')";
$db->sql_query($sql);
if ($user_new == 1) {
$user_regdate = date("M d, Y");
$user_avatar = "blank.gif";
$commentlimit = 4096;
if ($url == "http://") { $url = ""; }
$sql = "INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_level, user_lang, user_dateformat) VALUES (NULL,'$name','$email','$url','$user_avatar','$user_regdate','$pwd','$Default_Theme','$commentlimit', '2', 'english','D M d, Y g:i a')";
$db->sql_query($sql);
}
login();
}
}

Raven · Posted: Tue Oct 21, 2003 7:52 am

Code:

$myPHPVersion = str_replace('.','',phpversion());
if ($myPHPVersion>=410) $checkMyUrl = $_SERVER['REQUEST_URI'];
else $checkMyUrl = getenv("REQUEST_URI");

You need this code at a minimum. The other is at your discretion.

Frogger · Worker Joined: Oct 06, 2003 Posts: 108

As I thought....pretty much overkill, then.

I'm using your code. Smile

Was just wondering about the other.

southern · Client Joined: Jan 29, 2004 Posts: 579 Location: Texas

Frogger wrote:

The Protector 1.13b mod can help with that.

You can find it at

Only registered users can see links on this board!
Get registered or login to the forums!

It protects admin IPs and you can also assign members to the protection.

It autobans and gives you the option to add more, tracks ips, who/where online, how long, reverse lookup, etc..

Oh, I can attest to the efficacy of the Protector! I have it on my site and just from idle, mindless curiosity I ran Raven's snippet above and behold I banned myself.
{ edited by admin at user's request }
Go ahead, click that link. I dare you! Now I have to figure out how to unban myself, any ideas?

Raven · Posted: Fri Jan 30, 2004 4:06 pm

Uninstall it. It's a known bug.

southern · Client Joined: Jan 29, 2004 Posts: 579 Location: Texas

Raven wrote:

Uninstall it. It's a known bug.

OK. Live and learn... I hate full moons!

gazj · Posted: Mon Apr 14, 2008 11:30 pm

this exploit is now fixed in the latest nuke patched series so upgrade to that to fix the problem Smile

Raven · Posted: Tue Apr 15, 2008 1:25 am

Gazj,

Thanks for this information but you are replying to a post that is over 4 years old Smack

. This has long since been put to rest Wink

gazj · Posted: Tue Apr 15, 2008 1:38 am

i know buddy but just saying as some people that isnt nuke minded wont know the differnce and ask a question anyways Razz

southern · Client Joined: Jan 29, 2004 Posts: 579 Location: Texas

That beats my record for oldest post replied to lol

Gremmie · Posted: Wed Apr 16, 2008 6:57 am

gazj wrote:

i know buddy but just saying as some people that isnt nuke minded wont know the differnce and ask a question anyways Razz

Well then you have a lot of work cut out for you with all the threads here. Laughing

sebastiaan · Posted: Sat Jul 18, 2009 1:44 am

Raven wrote:

To fix the admin.php security exploit, you need to edit admin.php. Your beginning code in admin.php will look something like this

Code:

<?php

/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/

require_once("mainfile.php");
get_lang(admin);

Modify it to look like this

Code:

<?php

/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
$nastyGram = "<center>:: Thanks for providing me with your connection information! You have been caught attempting to break into my site and appropriate action will be taken. ::</center>";
$myPHPVersion = str_replace('.','',phpversion());
if ($myPHPVersion>=410) $checkMyUrl = $_SERVER['REQUEST_URI'];
else $checkMyUrl = getenv("REQUEST_URI");
if (preg_match("/\?admin/", "$checkMyUrl")) {
require_once("mainfile.php");
include("header.php");
OpenTable();
echo $nastyGram;
CloseTable();
include "footer.php";
die();
}

require_once("mainfile.php");
get_lang(admin);

The $nastyGram variable can be modified to be whatever you want it to. You could display a message and then relocate them to the FBI page for something novel Laughing

.

Code:

translated to dutch:

<?php

/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
$nastyGram = "<center>:: Dank voor het leggen van deze verbinding! You Alleen je hebt nu een probleem, je ben aangemeld als hacking athempt. ::</center>";
$myPHPVersion = str_replace('.','',phpversion());
if ($myPHPVersion>=410) $checkMyUrl = $_SERVER['REQUEST_URI'];
else $checkMyUrl = getenv("REQUEST_URI");
if (preg_match("/\?admin/", "$checkMyUrl")) {
require_once("mainfile.php");
include("header.php");
OpenTable();
echo $nastyGram;
CloseTable();
include "footer.php";
die();
}

require_once("mainfile.php");
get_lang(admin);