'god' link generated in Topics admin maintence section.

Posted: Wed Oct 19, 2005 10:40 pm

Hi,

Firstly I'm not sure of the correct section to post this in. I download your (Raven) 7.6 &3.1 distribtuion pack and have installed a base site. (Thank you for a nice clean distro).

I tried a search but couldn't find a post on this issue.

In the Topic admin maintaince you have the option to add relivant links, but there seems to be an issue with the code in that it names all links your add god and if you update with no links it adds a blank 'god' link with the URL http:///

This is an unmodified install of the 7.6 & 3.1 download avialable on this site. Any help or fix would be appreciated.

Thx in advance.
Rumbaar

PS: You might note an access to your admin login from this IP, I had forgotten my password and registered e-mail address to this account and accidently used that login (as it's at the top).

Posted: Thu Oct 20, 2005 3:33 am

<moved to phpnuke 7.6 forum>
A link to the directory where you have installed nuke might be helpful?

Posted: Thu Oct 20, 2005 5:58 am

Yes it seems to be a common (security patched) 7.6 issue then.

Well as it's an admin function having a link to where I've installed it wouldn't help, but thx anyways Guardian2003

But I think I've found the source of the issue and possible fix. I'm surprise no-one else had not encounted this before. I was stumped for a long time as I check the various PHP code through and through, didn't think it was at the admin check level.

The index.php for Topics admin makes use of the variable $name in the call to the admins list, but it also calls this $name variable as the field name for related SITENAME.

So when it's sending the UPDATE query to the DB it's overiding the $name with the current admins aid.

This is the code as it was:

Code:

global $prefix, $db, $admin_file;


$aid = substr($aid, 0,25);


$query = $db->sql_query("SELECT title, admins FROM ".$prefix."_modules WHERE title='Topics'");


list($title, $admins) = $db->sql_fetchrow($query);


$query = $db->sql_query("SELECT name, radminsuper FROM ".$prefix."_authors WHERE aid='$aid'");


list($name, $radminsuper) = $db->sql_fetchrow($query);


$admins = explode(",", $admins);


$auth_user = 0;


for ($i=0; $i < sizeof($admins); $i++) {


    if ($name == $admins[$i] AND !empty($admins)) {


        $auth_user = 1;   


    }


}





if ($radminsuper == 1 || $auth_user == 1) {

and here is the change I made to make it function correctly, as you can see it doesn't make a call to the $name variable. I've tested and am now able to create related links that don't record the admin's aid as their display name:

Code:

global $prefix, $db, $admin_file;


$aid = substr("$aid", 0,25);


$row = $db->sql_fetchrow($db->sql_query("SELECT title, admins FROM ".$prefix."_modules WHERE title='Topics'"));


$row2 = $db->sql_fetchrow($db->sql_query("SELECT name, radminsuper FROM ".$prefix."_authors WHERE aid='$aid'"));


$admins = explode(",", $row['admins']);


$auth_user = 0;


for ($i=0; $i < sizeof($admins); $i++) {


    if ($row2['name'] == "$admins[$i]" AND !empty($row['admins'])) {


        $auth_user = 1;   


    }


}





if ($row2['radminsuper'] == 1 || $auth_user == 1) {

Hope this helps others.

Posted: Thu Oct 20, 2005 6:13 am

Thanks for the update and glad you now have it working.
My thoughts regarding the link request was to view the source code for the articles page (not admin page) so I could see where in the url it was adding'god'.
I have not heard of this particular problem before, so thank you for sharing the fix with others.

Posted: Thu Oct 20, 2005 5:23 pm

Yeah strange others haven't encounted it before, as it was a 'default' installation of the php-nuke 7.6 from this site.

Anyway's share the wealth/knowledge I say.

My only concern, as I'm not fully 100% with php and various codes but the original code makes reference to $title/$name and those are missing from the code I've used. It doesn't seem to affect the function of Topics module, but are they needed or just left over from copy and paste from previous coding.

Worker Joined: Dec 23, 2005 Posts: 226 Location: UK

I have the same problem but my topics\index.php is from nsn news 2.0.0 with the following code

Code:

require_once("mainfile.php");


list($main_module) = $db->sql_fetchrow($db->sql_query("SELECT main_module FROM ".$prefix."_main"));


if($main_module == "News") {


  header("Location: index.php?op=NETopicMain");


} else {


  header("Location: modules.php?name=News&op=NETopicMain");


}





?>

Posted: Thu Dec 29, 2005 11:41 am

Ooops, I found the same problem after install and deleted the related links to god in the database because I thought possible that was created through my GT Next Gen tests or my crash.

Posted: Thu Jan 05, 2006 12:57 pm

Using phpNuke v7.6pl3.1 with PHPBB v2.0.18 and NukeSentinel(tm) v2.4.2
with NSN_News_200rc2_70-79

I'm still not able to remove this problem.
If I delete the link in topics it comes back next time I look.
The closest code I could find to the above is in NETopicIndex.php but I don't know enough to try changing it.

Code:

global $prefix, $db, $admin_file;


if(!$admin_file OR $admin_file == "") { $admin_file = "admin"; }


if(!defined('ADMIN_FILE')) { die("Illegal File Access Detected!!"); }


$modname = basename(str_replace("/admin", "", dirname(__FILE__)));


define('NSNNE_ADMIN', true);


define('INDEX_FILE', true);


$index=1;


$aid = substr("$aid", 0,25);


$row = $db->sql_fetchrow($db->sql_query("SELECT title, admins FROM ".$prefix."_modules WHERE title='$modname'"));


$row2 = $db->sql_fetchrow($db->sql_query("SELECT name, radminsuper FROM ".$prefix."_authors WHERE aid='$aid'"));


$admins = explode(",", $row['admins']);


$auth_user = 0;


$radminarticle = 0;


for($i=0; $i < sizeof($admins); $i++) { if($row2['name'] == $admins[$i] AND $row['admins'] != "") { $auth_user = 1; } }


if($auth_user == 1) { $radminarticle = 1; }


if($row2['radminsuper'] == 1) { $radminsuper = 1; }


if($radminsuper == 1 || $radminarticle == 1) {


  get_lang($modname);


  include_once("includes/nsnne_func.php");


  $ne_config = ne_get_configs();


  $perpage = 100;


  switch($op) {

I have deleted from the db

1 match(es) inside table nuke_related

I'll let you know if it comes back

Posted: Tue Feb 28, 2006 12:21 pm

Thank you. This solved my issue with this little "un-documented" feature. Wink

Great work!

Worker Joined: Apr 30, 2005 Posts: 170

I changed the code, and the "God" link is still there http://www.ayrshs.eq.edu.au/modules.php?name=News&file=article&sid=3&mode=&order=0&thold=0

How do I make it go away?

Posted: Fri Mar 31, 2006 5:28 am

It seems there are some old articles posted by 'God'?

Posted: Fri Mar 31, 2006 6:18 pm

Any suggestions for how I can get rid of it?

Posted: Fri Mar 31, 2006 6:53 pm

Did you cleared the table nuke_related ?

Posted: Fri Mar 31, 2006 9:23 pm

Clearing the table did it.. All very strange. Was it still necessary for me to change the admin index for topics?

Just curious

Posted: Sat Apr 01, 2006 4:36 am

It is just a bug. Without changes in the admin index.php code you ll get next time again a god link.

registered · Posted: Sat Apr 01, 2006 2:41 pm

By the way, I believe this is fixed in the 3.2 patches. The new upcoming patch to RavenNuke76 (2.02.02) has it too.

Regular Joined: Apr 23, 2005 Posts: 95

Hi I changed the codes already cause I have the same problem
Its still there, in the previous posts, it says, to clear the table in Nuke_related?

what do I do there? do I delete them?

rid int(11)
tid int(11)
name varchar(30)
url varchar(200)

PRIMARY PRIMARY 3
rid INDEX 3
tid INDEX 1

these are in the nuke_related.

Thanks!

Posted: Wed Jun 14, 2006 10:53 am

Well, I said clear but what I really meant was delete the row in nuke_related with that wrong God link. It´s very easy. If you are not sure make a little backup from this table nuke_related. So you can restore your table Smile

Posted: Wed Jun 14, 2006 11:21 am

thanks for clearing that out, its working now

cheers!