| Author |
Message |
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
 Posted:
Tue Oct 14, 2003 9:18 pm |
|
To fix the admin.php security exploit, you need to edit auth.php (yes, that's right - auth.php). Your beginning code in auth.php will look something like thisCode:<?php
/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
require_once("mainfile.php");
if (eregi("auth.php",$_SERVER['PHP_SELF'])) {
Header("Location: index.php");
die();
}
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
|
Modify it to thisCode:<?php
/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
require_once("mainfile.php");
if (eregi("auth.php",$_SERVER['PHP_SELF'])) {
Header("Location: index.php");
die();
}
if (ereg("[^a-zA-Z0-9_-]",trim($aid))) {
die("Begone");
}
$aid = substr("$aid", 0,25);
$pwd = substr("$pwd", 0,18);
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
|
|
| |
|
|
|
Anubis_The_Jackal
Court Jester
Joined: Sep 20, 2003
Posts: 106
|
| Posted:
Tue Oct 14, 2003 10:07 pm |
|
does this affect all versions? |
| |
|
|
|
Raven
|
| Posted:
Tue Oct 14, 2003 10:10 pm |
|
My guess is that all versions are affected by all of these exploits. |
| |
|
|
|
|
Anubis_The_Jackal
|
| Posted:
Tue Oct 14, 2003 10:20 pm |
|
what "could" be accessed from it (updating site as I type)?
and how serious would this be, like on a scale of one to five? |
| |
|
|
|
|
Raven
|
| Posted:
Tue Oct 14, 2003 10:23 pm |
|
My understanding is that it allows a person to enter an entry into the authors table, thereby making himself an Admin with full rights <heavy sigh>. Need I say more? |
| |
|
|
|
|
Anubis_The_Jackal
|
| Posted:
Tue Oct 14, 2003 10:28 pm |
|
ahh, so thats how that happened to me. maybe. so many holes. on mafiamods someone made themselfs an admin, and began doing all kinds of stuf to the site, lucky for my i caught it, and deleted them directly from the mysql database. It happened a long time ago, and was one of the co-admins friends. this is when the site was running 6.5, so, hopefully this prevents more "odd" things happening. |
| |
|
|
|
|
Raven
|
| Posted:
Tue Oct 14, 2003 10:31 pm |
|
It is also suspected that they use the exploit to make themself an admin. Then they change the password of a real admin, thereby hijacking a real admin user. They then delete their original admin account and then wreck havoc under the real admin user. |
| |
|
|
|
|
Anubis_The_Jackal
|
| Posted:
Tue Oct 14, 2003 10:35 pm |
|
is there a way to make a *god admins password only changeable by that admin? It is scary if a non *god super user can change a *god's password. It would be a wonderfull thing to have *god admins have their own admin area, where normal admins could not access without a third password.
sor of like an executive washroom. or something. |
| |
|
|
|
|
Raven
|
| Posted:
Tue Oct 14, 2003 10:37 pm |
|
That could be done but that would still not stop this sort of thing. |
| |
|
|
|
|
Anubis_The_Jackal
|
| Posted:
Tue Oct 14, 2003 10:45 pm |
|
i wish there was another more secure method for admins, like an admin account that is invisable to everyone. and unaccesable to everyone but that admin. sort of like, well, a high security admin account that would take decades to get through or to find an exploit. |
| |
|
|
|
|
Frogger
Worker
Joined: Oct 06, 2003
Posts: 108
|
| Posted:
Wed Oct 15, 2003 3:35 pm |
|
I added the fix from http://www.ravenphpscripts.com/postt345.html
with no problems, but when adding this fix, as well I keep getting parse errors.
Obviously, I am not putting it in the right place.
Could you demonstrate it for a dummy, please?  |
_________________
 |
|
 
 |
|
Raven
|
| Posted:
Wed Oct 15, 2003 5:28 pm |
|
If you did a straight copy and paste, the $nastyGram variable is probably split on the lines. Make sure it is a continuous statement with no line breaks. If you just downloaded my 6.9 though, that fix is already in there  |
| |
|
|
|
|
msimonds
Regular
Joined: Jul 15, 2003
Posts: 56
Location: Dallas
|
| Posted:
Thu Oct 16, 2003 9:24 am |
|
i have this from the other admin security fix:
Code:<?php
/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
$url = getenv("REQUEST_URI");
if (preg_match("/\?admin/", "$url")) {
die("You have been logged and will be investigated for this hacking attempt. Thanks for giving me your information");
}
require_once("mainfile.php");
get_lang(admin);
function create_first($name, $url, $email, $pwd, $user_new) {
global $prefix, $db, $user_prefix;
$first = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors"));
if ($first == 0) {
$pwd = md5($pwd);
$the_adm = "God";
$sql = "INSERT INTO ".$prefix."_authors VALUES ('$name', '$the_adm', '$url', '$email', '$pwd', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '1', '')";
$db->sql_query($sql);
if ($user_new == 1) {
$user_regdate = date("M d, Y");
$user_avatar = "blank.gif";
$commentlimit = 4096;
if ($url == "http://") { $url = ""; }
$sql = "INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_lang, user_dateformat) VALUES (NULL,'$name','$email','$url','$user_avatar','$user_regdate','$pwd','$Default_Theme','$commentlimit','english','D M d, Y g:i a')";
$db->sql_query($sql);
}
login();
}
}
|
what is the proper way to intergrate this into this change:
Code:<?php
/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
require_once("mainfile.php");
if (eregi("auth.php",$_SERVER['PHP_SELF'])) {
Header("Location: index.php");
die();
}
if (ereg("[^a-zA-Z0-9_-]",trim($aid))) {
die("Begone");
}
$aid = substr("$aid", 0,25);
$pwd = substr("$pwd", 0,18);
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
|
cannot figure this one out!! |
| |
|
 |
|
msimonds
|
| Posted:
Thu Oct 16, 2003 9:34 am |
|
nevermind, i am just dumb, got it, thanks fury |
| |
|
|
|
|
Raven
|
| Posted:
Thu Oct 16, 2003 9:37 am |
|
You do not want to use that fix you are using. It will break the downloads module and something else (I can't remember). I suggest you use mine instead. |
| |
|
|
|
|
Johan1982
New Member
Joined: Oct 23, 2003
Posts: 24
|
| Posted:
Thu Oct 23, 2003 5:00 pm |
|
Use Nuke 6.0 and I used that patch, my surprise is that it does not let administer the Site to me, appears me the message of "Begone" and I cannot enter the Menu of Administration how is possible to be adapted that fix for Nuke 6.0? |
| |
|
|
|
|
Raven
|
| Posted:
Thu Oct 23, 2003 5:24 pm |
|
If this is the code you're talking aboutCode:if (ereg("[^a-zA-Z0-9_-]",trim($aid))) {
die("Begone");
}
|
Then it would imply that your admin username may have other characters in it than
a-z
A-Z
0-9
_
-
Is that the case? |
| |
|
|
|
|
Johan1982
|
| Posted:
Thu Oct 23, 2003 10:48 pm |
|
It does not have them, but my Admin username has a space, that patch simply blocks the access to the administration of the Site, reason why nonuse that patch.
Nuke 6.0 has that vulnerability? how I can cause that that patch works to me, that does not block me to me |
| |
|
|
|
|
Raven
|
| Posted:
Fri Oct 24, 2003 4:42 am |
|
You misunderstand. This patch ONLY allows those characters. A space is NOT allowed so that is why it is failing. Try thisCode:if (ereg("[^a-zA-Z0-9_\s-]",trim($aid))) {
die("Begone");
}
|
I didn't test it but I think that should work. |
| |
|
|
|
|
Johan1982
|
| Posted:
Fri Oct 24, 2003 9:19 am |
|
I already proved, and the result was the same one, it appears to me "Begone" and it is impossible to administer the Site.
My Admin username is Nacional Olimpia |
| |
|
|
|
|
Johan1982
|
| Posted:
Fri Oct 24, 2003 9:22 am |
|
Yes that seems that the Space causes the failure, but I do not want to change that nick, how I can do it without it affects the space to me?  |
| |
|
|
|
|
Raven
|
| Posted:
Fri Oct 24, 2003 9:23 am |
|
This should workCode:if (ereg("[^a-zA-Z0-9_ -]",trim($aid))) {
die("Begone");
}
|
|
| |
|
|
|
|
Johan1982
|
| Posted:
Fri Oct 24, 2003 9:36 am |
|
Thank you very much, now yes it works to me, I even sent the news and everything seems to go perfectly, I will continue proving in case there is some problem of what treats that bug?
 Greetings |
| |
|
|
|
|
TheosEleos
Life Cycles Becoming CPU Cycles
Joined: Sep 18, 2003
Posts: 960
Location: Missouri
|
| Posted:
Mon Oct 27, 2003 2:22 pm |
|
Mine got broke also Raven.
My admin name is Pro[pH]et so it is probably the brackets that did it. Can you give me some code for that?
Also, could either of these security fixes affect user registration in any way? I got a report that registration was broke right after applying these two fixes. |
_________________
http://jamesdibben.com |
|
|
|
|
Raven
|
| Posted:
Mon Oct 27, 2003 2:29 pm |
|
Code:if (ereg("[^a-zA-Z0-9_ -\[\]]",trim($aid))) {
die("Begone");
}
|
I can't think of any way this would 'break' user registration unless names were entered with symbols not in this string. |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
