Ravens PHP Scripts: Forums
 

 

stephen2417
Worker
Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH

Posted: Fri Jun 04, 2004 5:32 pm

Chat, is this covered in your patches??

If not, I think you better fix it up now and go to 2.5
 
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

Posted: Fri Jun 04, 2004 5:55 pm

You can tell school's out huh? Try the Exploitation Example on your site and let me know if you get anything other than a 403 page.
 
stephen2417

Posted: Fri Jun 04, 2004 6:00 pm

Yeppers.. I've been out for about two weeks now.. But besides the point. You're the man, it's 403 all the way. :D :D
 
Tank863
New Member
Joined: May 29, 2003
Posts: 16

Posted: Sat Jun 05, 2004 10:12 am

Chat...

Try this as a proof of concept.

I was trying what 'they' suggested and all I got was the 403 page...
I tried the above and bamm..

Code:

Warning: main(mainfile.php): failed to open stream: No such file or directory in /usr/local/apache/htdocs/xxxx/modules/News/categories.php on line 19

Fatal error: main(): Failed opening required 'mainfile.php' (include_path='./:/usr/local/lib/php:/usr/lib/php:/usr/bin/:/usr/share/pear') in /usr/local/apache/htdocs/xxxx/modules/News/categories.php on line 19
 
Tank863

Posted: Sat Jun 05, 2004 10:29 am

Chat... see this string..

hope it helps :D

Tank863
 
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496

Posted: Sat Jun 05, 2004 10:41 am

Since literally every file is potentially affected, I'd say this is one for FB to address with a release of a new version.

But that aside, the actual vulnerability still can only be exploited by people who live on your server, and then only if it's poorly configured. The path disclosure part is valid to the world but is minor overall in and of itself.
 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

Posted: Sat Jun 05, 2004 10:46 am

Tank863 wrote:
Chat... see this string..

hope it helps :D

Tank863

The topic or post you requested does not exist
 
sixonetonoffun

Posted: Sat Jun 05, 2004 10:51 am

I guess my point was this isn't much different than someone accessing etc/passwd, which can also be done easily on a shared server not in safe_mode.
 
Raven

Posted: Sat Jun 05, 2004 11:07 am

True. I said this in another article - if someone has been able to place a symlink on your server, you have greater problems than nuke!
 
sixonetonoffun

Posted: Sat Jun 05, 2004 11:16 am

I'm not trying to discount the issue. I just think that since to patch this it will require every file to be modified, a new release is the best way to address the problem. But maybe an "Official PHPNuke" development site can address this issue for us all.
 
Tank863

Posted: Sat Jun 05, 2004 11:21 am

Sorry... here is the link... I guess it hanged from the last post..
 
Raven

Posted: Sat Jun 05, 2004 11:32 am

Try adding this line to your .htaccess file

php_flag display_errors off

You should get a blank screen. I can write an error_handler at the PHP level to throw up another screen.


Last edited by Raven on Sat Jun 05, 2004 11:46 am; edited 1 time in total 
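A way to confirm that the display_errors change took effect, as an added example that is not part of the original thread: the Python below scans saved response bodies for PHP's stock error format and reports any server path they reveal. The function names and the sample bodies are assumptions, constructed from the error text quoted earlier in the thread.

```python
import re

# PHP's stock error text: "<level>: <message> in <file> on line <n>".
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice)\s*:\s*"
    r"(?P<message>.*?)\s+in\s+"
    r"(?P<file>(?:/|[A-Za-z]:\\)\S*)\s+on\s+line\s+(?P<line>\d+)"
)


def find_disclosures(body):
    """Return one dict (level, message, file, line) per PHP error in a body."""
    text = re.sub(r"<[^>]+>", "", body)  # html_errors wraps parts in <b>...</b>
    text = re.sub(r"\s+", " ", text)     # undo line wrapping inside a message
    return [m.groupdict() for m in PHP_ERROR.finditer(text)]


def audit(responses):
    """Map each label whose body reveals a server path to the sorted paths."""
    report = {}
    for label, body in responses.items():
        paths = sorted({hit["file"] for hit in find_disclosures(body)})
        if paths:
            report[label] = paths
    return report


# Constructed sample bodies. ERRORS_SHOWN reuses the error text quoted in the
# thread; the other three are made up for the comparison.
LEAKED = "/usr/local/apache/htdocs/xxxx/modules/News/categories.php"
ERRORS_SHOWN = f"""Warning: main(mainfile.php): failed to open stream: No such file or
directory in {LEAKED} on line 19

Fatal error: main(): Failed opening required 'mainfile.php' (include_path='./:/usr/local/lib/php:/usr/lib/php:/usr/bin/:/usr/share/pear') in {LEAKED}
on line 19
"""
SAMPLES = {
    "display_errors on": ERRORS_SHOWN,
    "display_errors on, html_errors on":
        f"<br />\n<b>Warning</b>:  main(mainfile.php): failed to open stream: "
        f"No such file or directory in <b>{LEAKED}</b> on line <b>19</b><br />",
    "display_errors off": "",  # blank screen once the setting is applied
    "403 page": "<html><body><h1>403 Forbidden</h1></body></html>",
}

if __name__ == "__main__":
    for label, paths in audit(SAMPLES).items():
        print(f"{label}: leaks {paths}")
```
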
Tank863

Posted: Sat Jun 05, 2004 11:41 am

Raven.. that worked.. it did give me the blank screen...

:D :D
 
Raven

Posted: Sat Jun 05, 2004 11:43 am

There are actually several ways to corral this path disclosure issue. It is not nuke constrained/unique, although we all know we can depend on FB to provide fertile ground to play in :lol: Anyway, I'm going to work on this this weekend and see what I can come up with.
 
Raven

Posted: Sat Jun 05, 2004 11:45 am

Tank863 wrote:
Raven.. that worked.. it did give me the blank screen...

:D :D

I modified my other post to use php_flag instead of php_value - just a tweak for speed. Keep in mind that ALL errors will get a blank screen until the error handler is provided.


Last edited by Raven on Sat Jun 05, 2004 12:00 pm; edited 1 time in total 
Tank863

Posted: Sat Jun 05, 2004 11:49 am

Yes.. that one does make a slight difference in speed.. :D
 
Raven

Posted: Sat Jun 05, 2004 12:11 pm

Keep in mind that if you use solely a php script solution, like ini_set(), you would need to place that on every page, whether through an include or actually on each page. That is where .htaccess obviously has an advantage. But for those that do not use Apache, then you will need to either do it at a server level php.ini level or at the php script level.
 
Raven

Posted: Sat Jun 05, 2004 12:44 pm

Also, (sorry for all the addendums) just adding code to mainfile.php will work in many of the cases but there is no "rule" that mainfile.php must be called in addons. It's a convenience, not a requirement. And more importantly, this particular exploit (root path disclosure) is solely to display the root path, it is not to conform to nuke "rules" of coding. That's why a fix has to be at a higher level and cannot be not nuke specific.
 
foxyfemfem
New Member
Joined: Dec 07, 2003
Posts: 22
Location: USA

Posted: Sat Jun 05, 2004 1:17 pm

Raven wrote:
That's why a fix has to be at a higher level and cannot be not nuke specific.

I assume you're referring to a php stand alone fix.. right? I use several php programs throughout my site in sub domains, therefore I added your .htaccess fix to all of my sub domains. Thanks!
 
Brujo
Regular
Joined: Jun 04, 2004
Posts: 84
Location: Germany

Posted: Sat Jun 05, 2004 2:23 pm

Raven wrote:
Try adding this line to your .htaccess file

php_flag display_errors off

You should get a blank screen. I can write an error_handler at the PHP level to throw up another screen.

If I put it in my .htaccess I got an Internal Server Error, is there another way to do it?

with best regards
Brujo
 
Raven

Posted: Sat Jun 05, 2004 3:25 pm

Brujo wrote:
Raven wrote:
Try adding this line to your .htaccess file

php_flag display_errors off

You should get a blank screen. I can write an error_handler at the PHP level to throw up another screen.

If I put it in my .htaccess I got an Internal Server Error, is there another way to do it?

with best regards
Brujo

Are you allowed to use .htaccess at your site? If so, then your host has restricted what php settings you can change. Try php_value instead of php_flag. If that still does not work, contact your host and ask them to allow the changing of display_errors via .htaccess.
 
Raven

Posted: Sat Jun 05, 2004 3:28 pm

foxyfemfem wrote:
Raven wrote:
That's why a fix has to be at a higher level and cannot be not nuke specific.
I assume you're referring to a php stand alone fix.. right? I use several php programs throughout my site in sub domains, therefore I added your .htaccess fix to all of my sub domains. Thanks!

Correct. Actually, if you just place it in your root document .htaccess it should flow through to all subdomains, but it might be easier to have a separate .htaccess in each subdomain for convenience and organization. Better safe than sorry ;)
 
Brujo

Posted: Sat Jun 05, 2004 3:32 pm

Raven wrote:
Are you allowed to use .htaccess at your site? If so, then your host has restricted what php settings you can change. Try php_value instead of php_flag. If that still does not work, contact your host and ask them to allow the changing of display_errors via .htaccess.

Yes, htaccess is allowed for me and it seems you are right that it is not allowed to change the php settings, so I opened a ticket at my hoster.

Thanks for your quick response

with best regards
Brujo
 
Raven

Posted: Mon Jun 07, 2004 9:58 am

See this thread for a possible fix for .htaccess users

[Edited by Raven. I have enough tests and feedback to see if this is worth it. Thanks!]
 
All times are GMT - 6 Hours
 