Ravens PHP Scripts: Forums
Forum: phpnuke 7.6
montego (Site Admin; Joined: Aug 29, 2004; Posts: 9457; Location: Arizona)
Posted: Thu Feb 10, 2005 8:00 pm

I have been mulling over the Chatserv 2.8 patches for 7.6 to keep the admin files from getting accessed directly, and the new 7.6 admin_file structure. My original reaction was panic, since I am hearing many people say not to bother with renaming the admin file, because I was thinking that with register globals on, couldn't someone simply provide ADMIN_FILE=true and admin_file=admin within the URL variable list and access case.php, index.php, and links.php?

I am still learning PHP, so please bear with this possibly very basic question, but how is the following code working to guarantee no direct access of scripts like these under the modules/xxxxxxx/admin/ directory?

Code:

<?php
// ADMIN_FILE is a constant set by the admin entry script before the
// module's admin files are included; a script requested directly never
// sees it defined.
if ( !defined('ADMIN_FILE') )
{
   die("Illegal File Access");
}

// $admin_file holds the (possibly renamed) admin script name; the
// request must have come in through that script.
global $admin_file;
if (!stristr($_SERVER['SCRIPT_NAME'], "".$admin_file.".php")) { die ("Access Denied"); }


Now for my second question setup. If the above is truly keeping the "kiddies" out, then could the following code not be used to apply the same check to both 7.5 and 7.6 modules, so that one does not have to maintain two separate downloads?

Code:

<?php
// Same constant guard as above.
if ( !defined('ADMIN_FILE') )
{
   die("Illegal File Access");
}

// 7.5 has no $admin_file variable, so fall back to the stock name "admin"
// when it has not been set by the 7.6 config.
global $admin_file;
if (!isset($admin_file)) {
   $admin_file = "admin";
}
if (!stristr($_SERVER['SCRIPT_NAME'], "".$admin_file.".php")) { die ("Access Denied"); }

Could some knowledgeable person please help me understand if this would be appropriate and, if not, how it can be exploited?

I really don't want to have to maintain two separate distributions for 7.5 and 7.6 new modules if I don't have to.

Thanks!
montego
 
sixonetonoffun (Spouse Contemplates Divorce; Joined: Jan 02, 2003; Posts: 2496)
Posted: Thu Feb 10, 2005 9:39 pm

I'd sit tight a while; chatserv is working to make the changes uniform in the 2.9 patched series that is being worked on. It will be a little work to get everything updated, but why do it twice if you don't have to?

Changelog 2.9: [link visible to registered users only]

montego
Posted: Thu Feb 10, 2005 10:13 pm

Hhhmmmm... such a simple solution. By the way, I still want to understand how, with register_globals on (like in many, many nuke sites), ADMIN_FILE cannot be defined from the URL. This is really bothering me... I am sure it's just my misunderstanding of how the register_globals directive in php.ini works...

TIA,
montego
 
daemonic (New Member; Joined: Feb 15, 2005; Posts: 1)
Posted: Tue Feb 15, 2005 1:05 pm

montego wrote:
By the way, I still want to understand how, with register_globals on (like in many, many nuke sites), ADMIN_FILE cannot be defined from the URL. This is really bothering me... I am sure it's just my misunderstanding of how the register_globals directive in php.ini works...


Your confusion stems from a misunderstanding of variables and constants. ADMIN_FILE is a constant, not a variable. Once a constant is defined and given a value (in this case in config.php), the value of that constant cannot be changed by any other scripts, nor can it be re-defined.

Make sense?
 
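An added illustration of daemonic's point (example code, not from the thread or from phpNuke): register_globals turned every request parameter into a global variable, which is emulated here with extract() over a constructed $_GET. The ADMIN_FILE constant is untouched by that, whereas $admin_file, being a variable, is exactly the kind of thing it could set.

```php
<?php
// Constructed request: the query string montego worried about.
$_GET = ['ADMIN_FILE' => 'true', 'admin_file' => 'admin'];

// register_globals copied request parameters into global VARIABLES.
// Emulated with extract(); modern PHP no longer does this automatically.
extract($_GET, EXTR_OVERWRITE);

// The guard from the thread, wrapped in a function so it can be called twice.
function admin_guard(): string
{
    global $admin_file;
    if (!defined('ADMIN_FILE')) {
        return 'Illegal File Access';        // constant guard fires
    }
    if (!isset($admin_file)) {
        $admin_file = 'admin';               // 7.5 fallback from the thread
    }
    if (!stristr($_SERVER['SCRIPT_NAME'], $admin_file . '.php')) {
        return 'Access Denied';              // variable-based guard
    }
    return 'ok';
}

// The request created variables $ADMIN_FILE and $admin_file; it did not,
// and cannot, create the constant. A directly requested admin script dies.
var_dump(defined('ADMIN_FILE'));   // bool(false)
var_dump($ADMIN_FILE);             // string(4) "true"  (a variable, not the constant)
echo admin_guard(), PHP_EOL;       // Illegal File Access

// The legitimate path: the admin entry script defines the constant and then
// includes the module's admin file, so SCRIPT_NAME is the entry script.
define('ADMIN_FILE', true);
$_SERVER['SCRIPT_NAME'] = '/admin.php';  // constructed value
echo admin_guard(), PHP_EOL;             // ok

// Once defined, a constant cannot be changed or redefined by any later code.
var_dump(@define('ADMIN_FILE', false));  // bool(false): already defined
var_dump(ADMIN_FILE);                    // bool(true)
```

The second, variable-based check reads $admin_file, which register_globals let a request populate, so it is the weaker of the two; the constant guard is the one that holds against direct requests.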
montego
Posted: Tue Feb 15, 2005 8:27 pm

Awesome! Thanks!
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 