Bicet 
Joined: August 2006
Posts: 78
Location:  Venice
|
 Security Hole And PhpGlobals
If you have Register Global set to ON, there's a possible vulnerability to the Nivisec Hacks List, that could lead to the inclusion of external files:
PLEASE DELETE
/adm/admin_hacks_list.php
We will solve the security whoops ASAP.
In the meantime the deletion is the only solution.
#1 Wed 23 Aug, 2006 20:55 |
Thanks for the useful Topic Bicet: ThE KuKa (23 August), buldo (23 August), Kangura (24 August), Miguel (24 August), dinoyoco (24 August), zankyw (27 August) |
zankyw 
Joined: August 2006
Posts: 42
Location:
|
 Re: Security Hole And PhpGlobals
Thanks for the info Bicet!
I've checked it, and fortunately, I have it set to off.
#2 Wed 23 Aug, 2006 22:10 |
|
buldo 
Joined: August 2006
Posts: 474
Location:  Borgo San Michele
|
 Re: Security Hole And PhpGlobals
> If you have Register Global set to ON, there's a possible vulnerability to the Nivisec Hacks List, that could lead to the inclusion of external files:
> PLEASE DELETE
> /adm/admin_hacks_list.php
> We will solve the security whoops ASAP.
> In the meantime the deletion is the only solution.

Do you know if this vulnerability is in older XS too?
Thanks,
____________ ~~~ Andrea ~~~
User #379756 on Linux Counter
"If you can't apt-get something, it isn't useful or doesn't exist!!"
#3 Wed 23 Aug, 2006 22:36 |
|
Tom 
Joined: August 2006
Posts: 230
Location:  Dresden
|
 Re: Security Hole and PhpGlobals
> Do you know if this vulnerability is in older XS too?
> Thanks,

This is very likely, because that file hasn't changed in quite a while.
____________ No support via PM or E-Mail!
FAP 3, yeah baby, yeah!
#4 Wed 23 Aug, 2006 22:53 |
|
Antonio Mercurio
Joined: August 2006
Posts: 59
Location:
|
 Re: Security Hole And PhpGlobals
I've told you some months ago!
http://www.phpbbplus.it/phpbbplus/x...5709.html#15709
Search

    $phpbb_root_path = '../';
    if( !empty($setmodules) )
    {
        include($phpbb_root_path . 'language/lang_' . $board_config['default_lang'] . '/lang_admin_hacks_list.' . $phpEx);
        $filename = basename(__FILE__);
        $module['Info']['Hacks_List'] = $filename;

        return;
    }

    include($phpbb_root_path . 'extension.inc');
    (file_exists('pagestart.' . $phpEx)) ? include('pagestart.' . $phpEx) : include('pagestart.inc');

replace with

    if( !empty($setmodules) )
    {
        $filename = basename(__FILE__);
        $module['General']['Hacks_List'] = $filename;

        return;
    }

    $phpbb_root_path = './../';
    require($phpbb_root_path . 'extension.inc');
    require('./pagestart.' . $phpEx);

Also
http://www.phpbbplus.it/phpbbplus/p...5693.html#15693
#5 Wed 23 Aug, 2006 23:27 |
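
An added example, not part of the original posts or of the project's code: a small Python audit that flags `include`/`require` paths built from variables the file has not yet assigned, which is the ordering the search/replace in post #5 corrects. The function name and the `DEFINED_BY_INCLUDE` table are assumptions for illustration; the two samples are the snippets from that post with blank lines dropped.

```python
import re

# Assumption: phpBB's extension.inc is the file that defines $phpEx.
DEFINED_BY_INCLUDE = {"extension.inc": {"phpEx"}}
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\((.*)\)\s*;")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=(?!=)")
VAR = re.compile(r"\$(\w+)")
LITERAL = re.compile(r"'([^']*)'")

def audit_includes(source):
    """Flag (line, var) where an include path uses a var not yet set; linear scan."""
    assigned, findings = set(), []
    for line_no, line in enumerate(source.splitlines(), 1):
        if (m := ASSIGN.match(line)):
            assigned.add(m.group(1))
        for inc in INCLUDE.finditer(line):
            expr = inc.group(1)
            findings += [(line_no, v) for v in VAR.findall(expr) if v not in assigned]
            for lit in LITERAL.findall(expr):  # variables the included file defines
                assigned |= DEFINED_BY_INCLUDE.get(lit.rsplit("/", 1)[-1], set())
    return findings

# Sample inputs: the "search" and "replace with" snippets from post #5.
BEFORE = """\
$phpbb_root_path = '../';
if( !empty($setmodules) )
{
    include($phpbb_root_path . 'language/lang_' . $board_config['default_lang'] . '/lang_admin_hacks_list.' . $phpEx);
    $filename = basename(__FILE__);
    $module['Info']['Hacks_List'] = $filename;
    return;
}
include($phpbb_root_path . 'extension.inc');
(file_exists('pagestart.' . $phpEx)) ? include('pagestart.' . $phpEx) : include('pagestart.inc');
"""
AFTER = """\
if( !empty($setmodules) )
{
    $filename = basename(__FILE__);
    $module['General']['Hacks_List'] = $filename;
    return;
}
$phpbb_root_path = './../';
require($phpbb_root_path . 'extension.inc');
require('./pagestart.' . $phpEx);
"""

if __name__ == "__main__":
    print("before:", audit_includes(BEFORE), "after:", audit_includes(AFTER))
```

The scan is line-based and ignores control flow, so treat its findings as pointers for manual review of each admin file rather than a verdict.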
|
Cristina 
Joined: August 2006
Posts: 43
Location:  BDL (Milan)
|
 Re: Security Hole And PhpGlobals
Thank you Bicet, I'm going to delete the file /adm/admin_hacks_list.php from my site.
____________ There was no law about danger...
#6 Thu 24 Aug, 2006 09:42 |
|
Bicet 
Joined: August 2006
Posts: 78
Location:  Venice
|
 Re: Security Hole and PhpGlobals
> I've told you some months ago!
> http://www.phpbbplus.it/phpbbplus/x...5709.html#15709
> Search
>
>     $phpbb_root_path = '../';
>     if( !empty($setmodules) )
>     {
>         include($phpbb_root_path . 'language/lang_' . $board_config['default_lang'] . '/lang_admin_hacks_list.' . $phpEx);
>         $filename = basename(__FILE__);
>         $module['Info']['Hacks_List'] = $filename;
>
>         return;
>     }
>
>     include($phpbb_root_path . 'extension.inc');
>     (file_exists('pagestart.' . $phpEx)) ? include('pagestart.' . $phpEx) : include('pagestart.inc');
>
> replace with
>
>     if( !empty($setmodules) )
>     {
>         $filename = basename(__FILE__);
>         $module['General']['Hacks_List'] = $filename;
>
>         return;
>     }
>
>     $phpbb_root_path = './../';
>     require($phpbb_root_path . 'extension.inc');
>     require('./pagestart.' . $phpEx);
>
> Also
> http://www.phpbbplus.it/phpbbplus/p...5693.html#15693

PLEASE APPLY THIS PATCH!
#7 Thu 24 Aug, 2006 10:56 |
|
Cristina 
Joined: August 2006
Posts: 43
Location:  BDL (Milan)
|
 Re: Security Hole And PhpGlobals
ok done!
thanks to A. Mercurio
#8 Thu 24 Aug, 2006 11:22 |
|
Bicet 
Joined: August 2006
Posts: 78
Location:  Venice
|
 Re: Security Hole and PhpGlobals
Here's the premodified file
As always you'll need to replace all files
Attachment: adm.zip (3.57 KB, downloaded 166 time(s))
#9 Thu 24 Aug, 2006 12:39 |
|
Mighty Gorgon 
Luca Libralato
Joined: August 2006
Posts: 6814
Location:  Borgo San Michele
|
 Re: Security Hole And PhpGlobals
I'm trying another way to force register_globals to OFF... we will see if it works.
____________ Luca
SEARCH is the quickest way to get support.
Icy Phoenix ColorizeIt - CustomIcy - HON
#10 Sun 27 Aug, 2006 03:34 |
|
Dalcielo 
Joined: August 2006
Posts: 1
|
 Re: Security Hole And PhpGlobals
I have this:

    if( !empty($setmodules) )
    {
        $filename = basename(__FILE__);
        $module['General']['Hacks_List'] = $filename;
        return;
    }
    $phpbb_root_path = './../';
    require($phpbb_root_path . 'extension.inc');
    require('./pagestart.' . $phpEx);
    if (!$userdata['user_level'] == ADMIN)
    {
        message_die(GENERAL_ERROR, 'Not Authorized');
    }

Is it the same?
#11 Sun 27 Aug, 2006 12:24 |