Author |
Message |
stephen2417
Worker
Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH
|
Posted:
Fri Jun 04, 2004 5:32 pm |
|
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
|
Posted:
Fri Jun 04, 2004 5:55 pm |
|
You can tell school's out huh? Try the Exploitation Example on your site and let me know if you get anything other than a 403 page. |
|
stephen2417
|
Posted:
Fri Jun 04, 2004 6:00 pm |
|
Yeppers.. I've been out for about two weeks now.. But besides the point. You're the man, it's 403 all the way. :D |
|
Tank863
New Member
Joined: May 29, 2003
Posts: 16
|
Posted:
Sat Jun 05, 2004 10:12 am |
|
Chat...
Try this as a proof of concept.
http://www.example.com/modules/News/categories.php/modules.php
I was trying what 'they' suggested and all I got was the 403 page...
I tried the above and bamm..
Code:
Warning: main(mainfile.php): failed to open stream: No such file or directory in /usr/local/apache/htdocs/xxxx/modules/News/categories.php on line 19
Fatal error: main(): Failed opening required 'mainfile.php' (include_path='./:/usr/local/lib/php:/usr/lib/php:/usr/bin/:/usr/share/pear') in /usr/local/apache/htdocs/xxxx/modules/News/categories.php on line 19
|
Tank863
|
Posted:
Sat Jun 05, 2004 10:29 am |
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
|
Posted:
Sat Jun 05, 2004 10:41 am |
|
Since literally every file is potentially affected I'd say this is one for FB to address with a release of a new version.
But that aside the actual vulnerability still can only be exploited by people who live on your server and then only if it's poorly configured. The path disclosure part is valid to the world but is minor overall in and of itself. |
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Sat Jun 05, 2004 10:46 am |
|
The topic or post you requested does not exist |
|
sixonetonoffun
|
Posted:
Sat Jun 05, 2004 10:51 am |
|
I guess my point was this isn't much different than someone accessing etc/passwd which can also be done easily on a shared server not in safe_mode. |
|
Raven
|
Posted:
Sat Jun 05, 2004 11:07 am |
|
sixonetonoffun
|
Posted:
Sat Jun 05, 2004 11:16 am |
|
I'm not trying to discount the issue. I just think that since to patch this it will require every file to be modified a new release is the best way to address the problem. But maybe an "Official PHPNuke" development site can address this issue for us all. |
|
Tank863
|
Posted:
Sat Jun 05, 2004 11:21 am |
|
Raven
|
Posted:
Sat Jun 05, 2004 11:32 am |
|
Try adding this line to your .htaccess file
php_flag display_errors off
You should get a blank screen. I can write an error_handler at the PHP level to throw up another screen. |
Last edited by Raven on Sat Jun 05, 2004 11:46 am; edited 1 time in total |
|
Tank863
|
Posted:
Sat Jun 05, 2004 11:41 am |
|
Raven.. that worked.. it did give me the blank screen...
:D |
|
Raven
|
Posted:
Sat Jun 05, 2004 11:43 am |
|
There are actually several ways to corral this path disclosure issue. It is not nuke constrained/unique, although we all know we can depend on FB to provide fertile ground to play in. Anyway, I'm going to work on this this weekend and see what I can come up with. |
|
Raven
|
Posted:
Sat Jun 05, 2004 11:45 am |
|
Tank863 wrote: | Raven.. that worked.. it did give me the blank screen...
| I modified my other post to use php_flag instead of php_value - just a tweak for speed. Keep in mind that ALL errors will get a blank screen until the error handler is provided. |
Last edited by Raven on Sat Jun 05, 2004 12:00 pm; edited 1 time in total |
|
Tank863
|
Posted:
Sat Jun 05, 2004 11:49 am |
|
Yes.. that one does make a slight difference in speed.. :D |
|
Raven
|
Posted:
Sat Jun 05, 2004 12:11 pm |
|
Keep in mind that if you use solely a php script solution, like ini_set(), you would need to place that on every page, whether through an include or actually on each page. That is where .htaccess obviously has an advantage. But for those that do not use Apache, then you will need to either do it at a server level php.ini level or at the php script level. |
|
Raven
|
Posted:
Sat Jun 05, 2004 12:44 pm |
|
Also, (sorry for all the addendums) just adding code to mainfile.php will work in many of the cases but there is no "rule" that mainfile.php must be called in addons. It's a convenience, not a requirement. And more importantly, this particular exploit (root path disclosure) is solely to display the root path, it is not to conform to nuke "rules" of coding. That's why a fix has to be at a higher level and cannot be not nuke specific. |
|
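Added example, not part of any post in this thread and not PHP-Nuke code: one way to combine the ini_set() settings and the error handler Raven describes into a single include, so error detail goes to a log and visitors get a generic page instead of a blank screen or a file path. The file name `error_guard.php`, the function names and the log path are assumptions; it needs PHP 5.4 or later.

```php
<?php
// error_guard.php: added example, hypothetical file name.
// Same effect as the thread's .htaccess line, set from PHP instead:
ini_set('display_errors', '0');  // never print errors (and paths) to visitors
ini_set('log_errors', '1');      // keep the detail for the administrator
// Placeholder path (assumption): use a file outside the document root.
ini_set('error_log', '/path/outside/docroot/php_errors.log');

// Generic page shown in place of a blank screen; reveals nothing about the server.
function guard_generic_page()
{
    while (ob_get_level() > 0) {
        ob_end_clean();          // discard any half-rendered output
    }
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo '<h1>Temporarily unavailable</h1><p>The problem has been logged.</p>';
}

// Warnings and notices: write full detail to the log, send nothing to the browser.
function guard_error_handler($errno, $errstr, $errfile, $errline)
{
    if (!(error_reporting() & $errno)) {
        return false;            // level is switched off: leave it to PHP
    }
    error_log("PHP error [$errno] $errstr in $errfile on line $errline");
    return true;                 // handled; PHP's own handler is skipped
}
set_error_handler('guard_error_handler');

// Fatal errors, such as a failed require, never reach set_error_handler(),
// so check for one when the script shuts down.
function guard_shutdown()
{
    $err   = error_get_last();
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR;
    if ($err !== null && ($err['type'] & $fatal)) {
        guard_generic_page();    // PHP has already logged the fatal itself
    }
}
register_shutdown_function('guard_shutdown');
```

A script is only covered if it loads this file, so a directly requested file that never includes it still produces PHP's default output. Where the host permits it, `php_value auto_prepend_file` in .htaccess loads the file on every request.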
foxyfemfem
New Member
Joined: Dec 07, 2003
Posts: 22
Location: USA
|
Posted:
Sat Jun 05, 2004 1:17 pm |
|
Raven wrote: | That's why a fix has to be at a higher level and cannot be not nuke specific. | I assume you're referring to a php stand alone fix.. right? I use several php programs throughout my site in sub domains, therefore I added your .htaccess fix to all of my sub domains. Thanks! |
|
Brujo
Regular
Joined: Jun 04, 2004
Posts: 84
Location: Germany
|
Posted:
Sat Jun 05, 2004 2:23 pm |
|
Raven wrote: | Try adding this line to your .htaccess file
php_flag display_errors off
You should get a blank screen. I can write an error_handler at the PHP level to throw up another screen. |
If I put it in my .htaccess I got an Internal Server Error, is there another way to do it?
With best regards
Brujo |
|
Raven
|
Posted:
Sat Jun 05, 2004 3:25 pm |
|
Brujo wrote: | Raven wrote: | Try adding this line to your .htaccess file
php_flag display_errors off
You should get a blank screen. I can write an error_handler at the PHP level to throw up another screen. |
If I put it in my .htaccess I got an Internal Server Error, is there another way to do it?
With best regards
Brujo | Are you allowed to use .htaccess at your site? If so, then your host has restricted what php settings you can change. Try php_value instead of php_flag. If that still does not work, contact your host and ask them to allow the changing of display_errors via .htaccess. |
|
Raven
|
Posted:
Sat Jun 05, 2004 3:28 pm |
|
foxyfemfem wrote: | Raven wrote: | That's why a fix has to be at a higher level and cannot be not nuke specific. | I assume you're referring to a php stand alone fix.. right? I use several php programs throughout my site in sub domains, therefore I added your .htaccess fix to all of my sub domains. Thanks! | Correct. Actually, if you just place it in your root document .htaccess it should flow through to all subdomains, but it might be easier to have a separate .htaccess in each subdomain for convenience and organization. Better safe than sorry ;) |
|
Brujo
|
Posted:
Sat Jun 05, 2004 3:32 pm |
|
Raven wrote: | Are you allowed to use .htaccess at your site? If so, then your host has restricted what php settings you can change. Try php_value instead of php_flag. If that still does not work, contact your host and ask them to allow the changing of display_errors via .htaccess. |
Yes htaccess is allowed for me and it seems you are right that it is not allowed to change the php settings, so I opened a ticket at my hoster.
Thanks for your quick response
With best regards
Brujo |
|
Raven
|
Posted:
Mon Jun 07, 2004 9:58 am |
|
See this thread for a possible fix for .htaccess users
[Edited by Raven. I have enough tests and feedback to see if this is worth it. Thanks!] |
|