Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
lukamar
New Member



Joined: Jul 21, 2005
Posts: 14

Posted: Sat Dec 09, 2006 11:19 am

I have a guy using many different spoof IPs trying to modify a single weblink. I would like to redirect him with htaccess to somewhere.

This is the code he uses, with my site info removed..

/subdomain/Mainsite.com/directory/modules.php?name=Web_Links&l_op=modifylinkrequest&lid=17

I have put the weblinks in the registered user section and he can't pass the code to there without registering but I would like the weblinks section visible to the general public.

Or.. and probably the best solution, would be to modify the weblink code so that only the Admin can modify its links. But I have no idea how to do it.

Any ideas would be very helpful.
 
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Sat Dec 09, 2006 11:51 am

Is there any settings in the weblinks modules l_config.php file that might help?
 
Susann
Moderator



Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Sat Dec 09, 2006 12:34 pm

The same is in the downloads module. It's called d_config.

Block unregistered users from suggesting downloads changes? (1=Yes 0=No)
However, in older versions or non-patched versions the $blockunregmodify = 1; doesn't work.
 
lukamar







Posted: Sat Dec 09, 2006 5:25 pm

Susann wrote:
The same is in the downloads module. It's called d_config.

Block unregistered users from suggesting downloads changes? (1=Yes 0=No)
However, in older versions or non-patched versions the $blockunregmodify = 1; doesn't work.


Thanks guys and gals.

I'm running the latest version of PHPNuke 8 so it should be the newest version of Weblinks as well. I noticed the link modify request in my iP_tracking module and have not actually had the weblinks open to the general public.

I did check the config settings so maybe I'll put it live and see what happens.

Thanks again
 
Guardian2003







Posted: Sat Dec 09, 2006 5:38 pm

Yikes the newest and worst version, you are a brave person!
 
lukamar







Posted: Sat Dec 09, 2006 6:20 pm

Guardian2003 wrote:
Yikes the newest and worst version, you are a brave person!


So I've been finding out...LOL
 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

Posted: Sun Dec 10, 2006 10:30 am

Quote:

so it should be the newest version of Weblinks as well


You are assuming that FB touches his older modules over time... He doesn't even include the latest patches in his work, so there is a good chance all the usual bugs are still there...

I have just recently also found that there is a bug in Web Links and probably Downloads which still allows the submittal of links even when you are anonymous and the allow flag is set to NOT allow this to happen... been fixed in the upcoming RavenNuke release... just need to check for other possible such "holes".

kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6437

Posted: Mon Dec 11, 2006 11:53 am

Scary... but unfortunately not surprising. We should probably post the fix in a forum in case people can't move to RN 2.10 for any reason.

montego







Posted: Wed Dec 13, 2006 2:40 pm

Sorry... entire household has been under-the-weather lately. Haven't been on the boards in too long. The easiest fix is to replace the Add function as such:

=== OPEN FILE ===

modules/Web_Links/index.php

=== REPLACE ENTIRE FUNCTION ===

function Add($title, $url, $auth_name, $cat, $description, $email) {

...

}

=== REPLACE WITH ===

Code:


function Add($title, $url, $auth_name, $cat, $description, $email) {
    global $prefix, $db, $user, $links_anonaddlinklock;
    if (is_user($user) || $links_anonaddlinklock == 1) { //RN0000530 - Disable anonymous exploits!
        $result = $db->sql_query("SELECT url from ".$prefix."_links_links where url='$url'");
        $numrows = $db->sql_numrows($result);
        if ($numrows>0) {
            include_once("header.php");
            menu(1);
            echo "<br />";
            OpenTable();
            echo "<center><b>"._LINKALREADYEXT."</b><br /><br />"
                .""._GOBACK."";
            CloseTable();
            include_once("footer.php");
        } else {
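            $submitter = ''; // default for anonymous submissions so the INSERT below never uses an undefined value
            if(is_user($user)) {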
                $user2 = base64_decode($user);
                $user2 = addslashes($user2);
                $cookie = explode(":", $user2);
                cookiedecode($user);
                $submitter = $cookie[1];
            }
            // Check if Title exist
            if (empty($title)) {
                include_once("header.php");
                menu(1);
                echo "<br />";
                OpenTable();
                echo "<center><b>"._LINKNOTITLE."</b><br /><br />"
                    .""._GOBACK."";
                CloseTable();
                include_once("footer.php");
            }
            // Check if URL exist
            if (empty($url)) {
                include_once("header.php");
                menu(1);
                echo "<br />";
                OpenTable();
                echo "<center><b>"._LINKNOURL."</b><br /><br />"
                    .""._GOBACK."";
                CloseTable();
                include_once("footer.php");
            }
            // Check if Description exist
            if (empty($description)) {
                include_once("header.php");
                menu(1);
                echo "<br />";
                OpenTable();
                echo "<center><b>"._LINKNODESC."</b><br /><br />"
                    .""._GOBACK."";
                CloseTable();
                include_once("footer.php");
            }
            $cat = explode("-", $cat);
            if (empty($cat[1])) {
                $cat[1] = 0;
            }
            $title = stripslashes(check_html(FixQuotes($title, "nohtml")));
            $url = stripslashes(check_html($url, "nohtml"));
            $description = stripslashes(check_html(FixQuotes($description), "html"));
            $auth_name = stripslashes(check_html($auth_name, "nohtml"));
            if (!empty($email)) {
                if (($email = validate_mail(stripslashes(check_html($email, "nohtml")))) === false) {
                    die();
                }
            }
            $cat[0] = intval($cat[0]);
            $cat[1] = intval($cat[1]);
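            // Values were stripslashes()'d above, so escape them again before using them in SQL
            $num_new = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_links_newlink WHERE title='".addslashes($title)."' OR url='".addslashes($url)."' OR description='".addslashes($description)."'"));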
            if ($num_new == 0) {
                $db->sql_query("insert into ".$prefix."_links_newlink values (NULL, '$cat[0]', '$cat[1]', '".addslashes($title)."', '".addslashes($url)."', '".addslashes($description)."', '".addslashes($auth_name)."', '".addslashes($email)."', '".addslashes($submitter)."')");
            }
            include_once("header.php");
            menu(1);
            echo "<br />";
            OpenTable();
            echo "<center><b>"._LINKRECEIVED."</b><br />";
            if (!empty($email)) {
                echo _EMAILWHENADD;
            } else {
                echo _CHECKFORIT;
            }
            CloseTable();
            include_once("footer.php");
        }
    } else { //RN0000530 - Start of Disable anonymous exploits!
        include_once('header.php');
        menu(1);
        echo '<br />';
        OpenTable();
        echo '<center>'._LINKSNOTUSER1.'<br />'
            ._LINKSNOTUSER2.'<br /><br />'
            ._LINKSNOTUSER3.'<br />'
            ._LINKSNOTUSER4.'<br />'
            ._LINKSNOTUSER5.'<br />'
            ._LINKSNOTUSER6.'<br />'
            ._LINKSNOTUSER7.'<br /><br />'
            ._LINKSNOTUSER8;
        CloseTable();
        include_once('footer.php');
    } //RN0000530 - End of Disable anonymous exploits!
}


Regards,
montego
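
The fix above guards Add only, while the original report concerns l_op=modifylinkrequest. The sketch below shows one gate checked in the module's dispatcher before any handler runs; it is an added example, not RavenNuke code. The function name, the WRITE_OPS map and the sample requests are hypothetical, and it assumes Web_Links uses the same $blockunregmodify flag name quoted above for Downloads.

```php
<?php
// Added example, not RavenNuke code. links_op_allowed() and WRITE_OPS are hypothetical;
// the two flags and the l_op values 'Add' and 'modifylinkrequest' come from the thread.

// Ops that change data, mapped to the rule that governs anonymous access.
const WRITE_OPS = [
    'Add'               => 'anon_add',
    'modifylinkrequest' => 'anon_modify',
];

/**
 * Decide whether a Web_Links request may proceed.
 * $cfg holds the module flags as loaded from the config file; a missing flag
 * is treated as "deny anonymous", so a config that never loaded fails closed.
 */
function links_op_allowed(string $op, bool $isUser, array $cfg): bool
{
    if (!array_key_exists($op, WRITE_OPS)) {
        return true;   // not a listed write op: left to the normal public handlers
    }
    if ($isUser) {
        return true;   // registered users may submit links and request changes
    }
    switch (WRITE_OPS[$op]) {
        case 'anon_add':
            // Polarity as in the fix above: 1 means anonymous adds are allowed.
            return isset($cfg['links_anonaddlinklock'])
                && (int)$cfg['links_anonaddlinklock'] === 1;
        case 'anon_modify':
            // Opposite polarity: 1 means unregistered users are blocked.
            return isset($cfg['blockunregmodify'])
                && (int)$cfg['blockunregmodify'] === 0;
    }
    return false;      // unknown rule name: deny
}

// Constructed sample requests: [l_op, logged in?, config flags]
$cases = [
    ['modifylinkrequest', false, ['blockunregmodify' => 1]],
    ['modifylinkrequest', false, []],                        // flag missing
    ['modifylinkrequest', true,  ['blockunregmodify' => 1]],
    ['Add',               false, ['links_anonaddlinklock' => 0]],
    ['viewlink',          false, []],                        // constructed read-only op
];
foreach ($cases as [$op, $isUser, $cfg]) {
    printf("%-18s user=%d -> %s\n", $op, (int)$isUser,
        links_op_allowed($op, $isUser, $cfg) ? 'allow' : 'deny');
}
```

Any other state-changing l_op the module exposes would need its own entry in the map before the gate covers it.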
 
All times are GMT - 6 Hours
 