Admin Exploit - XSS Type
Date: Monday, March 22 @ 16:29:14 CET Topic: Security
BEWARE. There is a new cross-site scripting exploit in which authenticated PHP-Nuke admins may inadvertently create new authors, remove authors, and in general trigger any admin.php function without their knowledge!
I created a quick patch to watch over this activity. In your admin.php, find my previous admin.php patch:
// Block admin.php requests whose URL carries "?admin" (the "?" must be escaped, otherwise the pattern fails to compile)
if (preg_match("/\?admin/", $checkurl)) {
    echo "die";
    exit;
}
Add this before it:
// Security XSS Prevention by Zhen-Xjell 22 Mar 2004 NukeCops.com Copyright All Rights Reserved
// A request that carries arguments must have been sent from admin.php itself (Referer check);
// a missing Referer is treated as a failure.
$refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
$argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : array();
if (isset($argv[0]) && $argv[0] != "") {
    if (!preg_match("/admin\.php/", $refer)) {
        echo "<BR>$refer<BR>die";
        exit;
    }
}
And after it add this:
// Addition by Zhen-Xjell NukeCops.com Mar 22 2004 Copyright All Rights Reserved
// Refuse the two author-management operations outright until a proper fix is in place
if (preg_match("/AddAuthor/", $checkurl)) {
    echo "die";
    exit;
}
if (preg_match("/UpdateAuthor/", $checkurl)) {
    echo "die";
    exit;
}
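To see what the patch above actually accepts and rejects, here is an added example that is not part of the NukeCops post and not PHP-Nuke code. It re-implements the patch's decision logic in Python (treating $checkurl as the request URL, which is an assumption), runs it over a handful of constructed requests, and then shows a per-session token check as a stricter alternative that does not depend on the Referer header at all; the token part goes beyond what the post describes.

```python
# Added example: models the admin.php Referer patch and a session-token alternative.
# Request values below are constructed for illustration; no real site is involved.
import hmac
import re
import secrets

# Same patterns as the patch, with "?" escaped so the regex compiles.
ADMIN_REFERER_RE = re.compile(r"admin\.php")
BLOCKED_ACTIONS_RE = re.compile(r"\?admin|AddAuthor|UpdateAuthor")


def referer_patch_allows(referer, query_string, request_uri):
    """Mirror of the patch: a request to admin.php that carries arguments
    (argv[0] non-empty) must have a Referer containing 'admin.php', and the
    URL (assumed to be what $checkurl holds) must not name a blocked action."""
    if query_string != "" and not ADMIN_REFERER_RE.search(referer or ""):
        return False  # "die": arguments present but not sent from admin.php
    if BLOCKED_ACTIONS_RE.search(request_uri):
        return False  # "die": ?admin / AddAuthor / UpdateAuthor in the URL
    return True


# Constructed requests: (Referer header, query string, request URL)
CONSTRUCTED_REQUESTS = {
    # admin follows a link inside the admin panel
    "legit_from_admin": ("http://example.test/admin.php", "op=mod_authors",
                         "admin.php?op=mod_authors"),
    # admin uses AddAuthor from the panel: the patch disables it entirely
    "legit_add_author": ("http://example.test/admin.php", "op=AddAuthor",
                         "admin.php?op=AddAuthor"),
    # admin whose browser or proxy strips Referer: false positive
    "legit_no_referer": ("", "op=mod_authors", "admin.php?op=mod_authors"),
    # request triggered from a third-party page
    "cross_site": ("http://other.invalid/page.html", "op=mod_authors",
                   "admin.php?op=mod_authors"),
    # third-party page whose own path happens to contain admin.php:
    # the substring match lets it through
    "cross_site_path_admin_php": ("http://other.invalid/admin.php",
                                  "op=mod_authors", "admin.php?op=mod_authors"),
    # bare login page, no arguments at all
    "bare_admin": ("", "", "admin.php"),
}


def evaluate_all():
    """Run every constructed request through the patch logic."""
    return {name: referer_patch_allows(*req)
            for name, req in CONSTRUCTED_REQUESTS.items()}


def issue_csrf_token(session):
    """Stricter alternative: keep a random token in the server-side session
    and embed it in every admin form or link. Session is a plain dict here."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def token_check_allows(session, submitted_token):
    """A state-changing request is accepted only if it echoes the session's
    token; missing session token or missing submission both fail closed."""
    expected = session.get("csrf_token")
    if not expected or submitted_token is None:
        return False
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{name:28s} -> {'allow' if allowed else 'die'}")
    sess = {}
    t = issue_csrf_token(sess)
    print("token echoed   ->", token_check_allows(sess, t))
    print("token missing  ->", token_check_allows(sess, None))
```

Two things stand out when the cases are run: the Referer rule blocks a legitimate admin whose browser omits the header, and it is a substring match, so any referring URL that contains "admin.php" passes. A token stored in the session and required on every state-changing request avoids both problems, which is why it is the usual long-term fix for this class of request forgery.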