Argus
Client
Joined: Oct 06, 2003
Posts: 81
Posted: Wed Jan 05, 2005 4:29 am
I've been fishing about trying to learn a bit about how phpnuke is exploited and I came across the problem of full path disclosure. I'm not any kind of coder and I wonder how serious a problem that is. I found an example:
http://yoursite.com/index.php?forum_admin=1
When using this on my site, it caused the server path to be shown. I have chatserv's patched 7.2 version, and when looking at fixes, the fix described could not be applied to the index.php for 7.2 as it was different to the version the exploit was actually used on.
So, back to my question, how serious is full path disclosure? What can that path be used for to create problems? (Or just tell me if it's a big deal.)
Thanks much,
-Arg
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Wed Jan 05, 2005 5:05 am
It can be bad if the cracker can find a way to utilize it. Add this line to your .htaccess file. This will make it a little more difficult for you when it comes to debugging as you will have to look at your error log instead of just seeing it on the screen, but you should not have display_errors on, on a production site anyway. A custom error handler would be the best as you could intercept the error and print your own message.
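A custom error handler of the kind Raven mentions, as an added example that is not part of the original post or of phpNuke: the path-revealing detail goes to the server error log, the visitor only ever sees a fixed message. It assumes the file is included early by index.php; the file name errors.php and the nuke_* function names are our own choice.

```php
<?php
// Added example (not from the thread or phpNuke): a custom error handler in
// the spirit of Raven's suggestion. Assumed to be included early by index.php;
// the file name errors.php and function names are our own.
// Defense in depth: behave correctly even if the .htaccess flag is missing.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Full detail (including the absolute path) goes only to the server error log.
function nuke_error_handler($errno, $errstr, $errfile, $errline)
{
    // Honour error_reporting() and the @ operator, as PHP's own handler does.
    if (!(error_reporting() & $errno)) {
        return true;
    }
    error_log(sprintf('PHP error %d: %s in %s on line %d',
                      $errno, $errstr, $errfile, $errline));
    if ($errno === E_USER_ERROR) {   // treated as fatal, like PHP does
        nuke_generic_error_page();
        exit(1);
    }
    return true; // true = suppress PHP's built-in, path-revealing output
}

// The visitor sees a fixed message with no file names or paths in it.
function nuke_generic_error_page()
{
    if (!headers_sent()) {
        header('HTTP/1.0 500 Internal Server Error');
    }
    echo '<p>An internal error occurred. The administrator has been notified.</p>';
}

// Fatal errors (E_ERROR, E_PARSE, ...) bypass set_error_handler();
// catch them at shutdown so the visitor never sees "Fatal error: ... in <path>".
function nuke_shutdown_handler()
{
    $e = error_get_last();
    $fatal = array(E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR);
    // PHP has already written the fatal to the log (log_errors=1); we only
    // replace the on-screen output with the generic page.
    if ($e !== null && in_array($e['type'], $fatal, true)) {
        nuke_generic_error_page();
    }
}

set_error_handler('nuke_error_handler');
register_shutdown_function('nuke_shutdown_handler');
```

Keep the .htaccess php_flag as well: the handler covers what PHP reports to it, the flag covers everything that happens before this file is loaded.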
Argus
Posted: Wed Jan 05, 2005 3:10 pm
So much I don't understand... the .htaccess gets the job done. What do you mean by I shouldn't have display_errors on? Where do I find that option?
-Arg
EDIT: And thank you btw.
Raven
Posted: Wed Jan 05, 2005 3:16 pm
display_errors is on by default. Just use .htaccess to turn it off.
Code:
php_flag display_errors off
Argus
Posted: Thu Jan 06, 2005 12:52 am
Thanks much,
I need to clarify this:
Quote: Add this line to your .htaccess file
What exactly do I need to put in there?
-Arg
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA)
Admin: NukeCops.com, Disipal Designs, Lenon.com
Posted: Thu Jan 06, 2005 2:04 am
Argus wrote: So much I don't understand...
Look, here's the deal...
Most hackers are copycats. They find a script somewhere that might work for a week or two, before everyone gets wise and patches their sites. You can forget about these ppl. All they do is get themselves automatically banned by various security programs.
The hackers you have to worry about are the ones that come up with these things in the first place. And, what they will do, amongst other things, is purposely generate errors on your site in order to discover absolute paths to your files. This is pretty basic hacking stuff, but should be precluded at all costs...
When you turn off reporting, this makes things MUCH more difficult for them. In the hacking world, this is called working 'in the blind.' Unless they really want to 'cap yo a ', for personal reasons, they will usually move on to happier hunting grounds. So, don't underestimate the importance of this.
As Raven said (and I would add one thing), this is what I put at the top of my '.htaccess' file:
Code:
RewriteEngine on
php_flag display_errors off
php_flag register_globals off
These two things make it much more difficult for someone to hack your site, and I strongly suggest you do it!
I also move my 'config.php' outside the web path, but this is more or less a personal decision. Some ppl think it's worth the effort, others don't. But, at least put the lines above in your '.htaccess' file.
_________________ .:: "The further in you go, the bigger it gets!" ::.
Argus
Posted: Thu Jan 06, 2005 2:37 pm
Thanks for the good info. Seems like having a club or alarm for your car. You cease becoming the easy target.
-Arg
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Thu Jan 06, 2005 6:39 pm
VinDSL, are you saying that turning off register_globals is possible with NO changes to phpNuke code? You have this working just fine? Given the nature of coding practices with nuke over the years I would have thought there to be problems with this.
I have been hesitant to turn it off thinking that many features would start erroring out. Have others out there done this as well?
TIA,
montego
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Thu Jan 06, 2005 6:58 pm
It depends: if you use a version with the admin_file code, then globals have to be on to admin your site.
VinDSL
Posted: Thu Jan 06, 2005 8:13 pm
montego wrote: VinDSL, are you saying that turning off register_globals is possible with NO changes to phpNuke code? You have this working just fine?
Mileage may vary, as alluded to by sixonetonoffun...
All I can tell you is I turned the 'globals' off on my site[s] months ago and haven't had a single problem - and, I test a lot of code.
Forrest Gump wrote: Mama always said life was like a box a chocolates, never know what you're gonna get...
Give it a try. Worked for me...
montego
Posted: Thu Jan 06, 2005 8:28 pm
VinDSL,
What nuke version are you on? I am running with 7.5 at the moment.
By the way, I am in AZ too. Glad to see the sun shine for a few days again... us desert rats gotta have the sun!
VinDSL
Posted: Thu Jan 06, 2005 9:53 pm
LoL! No kidding! I don't do well before 80 degrees.
And, I'm running 6.5 Final, patched and mod'ed...