[FIX] Security hole

*

Lupin
[FIX] Security hole
« on: October 09, 2006, 09:13:40 am »
A security hole has been found by a user (http://www.btiteam.org/smf/index.php?topic=5688.0) and publicized. This is the way you can fix it:

Open include/prune_torrents.php and include/prune_users.php and, at the top of each file, replace
Code:
<?

$action=(isset($_GET["action"])?$_GET["action"]:"");

with

Code:
<?
global $CURUSER; 
if (!$CURUSER || $CURUSER["admin_access"]!="yes")
   {
       standardheader('Acces Denied');
       err_msg(ERROR);
       die();
   }

$action=(isset($_GET["action"])?$_GET["action"]:"");

prune_users.php should be affected, but it's better if you put control before doing anything.
Please don't PM me about question already asked in forum!

Help or support requested using PM will be billed 50 euros/hour, minimum 1 hour; support on forum is free.

*

Big Digger

Re: [FIX] Security hole
« Reply #1 on: October 09, 2006, 10:25:56 am »
standardheader() and err_msg() don't work without including functions.php
missing argument 2 for err_msg()

replace code with:
Code:
<?
global $CURUSER; 
if (!$CURUSER || $CURUSER["admin_access"]!="yes")
   {
       require_once(dirname(__FILE__)."/functions.php");
       err_msg("Error!","Access Denied");
       die();
   }

$action=(isset($_GET["action"])?$_GET["action"]:"");

*

Neovaki

Re: [FIX] Security hole
« Reply #2 on: October 09, 2006, 03:07:35 pm »
Thanks!!!!

*

gAnDo

Re: [FIX] Security hole
« Reply #3 on: October 09, 2006, 09:56:03 pm »
I found I was getting ob_gzhandler errors.
The code below fixes it.

Code:
<?
global $CURUSER;
if (!$CURUSER || $CURUSER["admin_access"]!="yes")
    {
        err_msg(ERROR, ERR_NOT_AUTH);
        stdfoot();
        exit;
   }

$action=(isset($_GET["action"])?$_GET["action"]:"");

*

Emiros

Re: [FIX] Security hole
« Reply #4 on: October 10, 2006, 09:46:33 am »
hi

so which code should we use from those 3 posts, please?

Lupin, gAnDo or Big Digger code ???

anyone will use it to fix that please

Thanks

*

gAnDo

Re: [FIX] Security hole
« Reply #5 on: October 10, 2006, 01:23:57 pm »
It is the line
Code:
if (!$CURUSER || $CURUSER["admin_access"]!="yes")
that stops the exploit and all of them have this line so use whatever one works for you.

*

MarbolanGos

Re: [FIX] Security hole
« Reply #6 on: October 10, 2006, 06:14:47 pm »
Thanks for this patch.

The solution from Lupin worked ;D

As usual I love having a mail for security reason :-*

*

Lupin
Re: [FIX] Security hole
« Reply #7 on: October 11, 2006, 09:11:50 am »
Sorry, here is a better fix:

open admincp.php around line 16, replace
Code:
else
    {
    //
    // Read a listing of uploaded category images for use in the edit menu link code...
    //

with
Code:
else
    {
    define("IN_ACP",true);
    //
    // Read a listing of uploaded category images for use in the edit menu link code...
    //

then open prune_torrents.php and prune_users.php and at the very top replace
Code:
<?
with
Code:
<?
if (!defined("IN_ACP"))
    die("No direct access!");
« Last Edit: October 11, 2006, 09:37:30 am by gAnDo »

*

miskotes

Re: [FIX] Security hole
« Reply #8 on: October 17, 2006, 11:54:41 pm »
Well that's fine maybe for others, but I personally think if prune_torrents.php option:
Code:
if (!$CURUSER || $CURUSER["delete_torrents"]!="yes")
And if prune_users:
Code:
if (!$CURUSER || $CURUSER["delete_users"]!="yes")
That way it is not AdminCP dependent and does the job...
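
To check whether other directly reachable scripts have the same gap, the sketch below (an added example, not part of the thread or of the tracker's own code) flags PHP sources that read request input before either kind of guard shown in the fixes above. The function name `audit_source`, the pattern table and the sample strings are assumptions constructed for illustration.

```php
<?php
// Added example, not BtiTracker code. Heuristic only: it looks for the guard
// text before the first request-input read, it does not prove the guard exits.

// Guard shapes taken from the fixes posted in this thread.
const GUARD_PATTERNS = [
    'IN_ACP constant'    => '/!\s*defined\s*\(\s*["\']IN_ACP["\']\s*\)/',
    'CURUSER permission' => '/\$CURUSER\s*\[\s*["\']\w+["\']\s*\]\s*!==?\s*["\']yes["\']/',
];

// Classify one PHP source string.
function audit_source(string $source): string
{
    // Offset of the first read of request input, if any.
    if (!preg_match('/\$_(GET|POST|REQUEST|COOKIE)\b/', $source, $m, PREG_OFFSET_CAPTURE)) {
        return 'no request input read';
    }
    $head = substr($source, 0, $m[0][1]);   // everything before that read
    foreach (GUARD_PATTERNS as $name => $pattern) {
        if (preg_match($pattern, $head)) {
            return "guarded by $name";
        }
    }
    return 'UNGUARDED: input read before any access check';
}

// Constructed samples modelled on the snippets in this thread.
$sources = [
    'original top of file' => '<? $action=(isset($_GET["action"])?$_GET["action"]:"");',
    'CURUSER check first'  => '<? global $CURUSER; if (!$CURUSER || $CURUSER["admin_access"]!="yes") die();'
                            . ' $action=(isset($_GET["action"])?$_GET["action"]:"");',
    'IN_ACP check first'   => '<? if (!defined("IN_ACP")) die("No direct access!");'
                            . ' $action=(isset($_GET["action"])?$_GET["action"]:"");',
];

// Optional: pass a directory (e.g. the tracker's include/ folder) to audit real files.
if (isset($argv[1])) {
    $sources = [];
    foreach (glob(rtrim($argv[1], '/') . '/*.php') ?: [] as $path) {
        $sources[$path] = (string) file_get_contents($path);
    }
}

foreach ($sources as $name => $source) {
    printf("%-24s %s\n", $name, audit_source($source));
}
```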

 

