Indirect Roster/Nuke Security Issue

by **Astina** » Sun Jul 23, 2006 8:22 pm

I was really wondering about this last night when I was visiting a few sites to look at how things worked and all. When I got to them and clicked on the Roster link it was displaying the admin login information on the right, like all the admin blocks and things like that, enough that I knew which pages admin functions were located on. This is not a big secret with nuke but it does put temptation at the fingertips of people who might otherwise not medel. Thus, a fairly serious matter in my book (out of sight out of mind right?).

<the beef>

So, I finally figured out what the scoop is -- (and this relates to another thread on this forum about commenting out header.php and mainfile.php) -- when you allow Roster to generate your config file it "COPIES" your page layout into the config file. I like fricken just sucks it down and into it so you can't really tell the difference. "THIS IS BAD" since you have to be the admin to actually install this module in the first place, thus it sucks down your admin layout of the page and makes everyone think they're logged in as the admin and they're like wtf.

<the fix>

DO NOT COMMENT OUT YOUR header.php OR mainfile.php REFERENCES! These are there for a reason (as I suspected). Instead, open your conf.php and remove "EVERYTHING" except for the following section of code:

Code: Select all: <?php /****************************** * AUTO-GENERATED CONF FILE * DO NOT EDIT !!! ******************************/ $db_host = "server"; $db_name = "database"; $db_user = "databaseuser"; $db_passwd = "databasepassword"; $db_prefix = "roster_"; $module_name = basename(dirname(__FILE__)); $roster_dir = "modules/" . $module_name; define('ROSTER_INSTALLED', true); ?>

That's all folks, should work like a charm after this. Though sadly, it still does not solve the damn web-based guildprofile upload issue.... =\

Cheers!

by **Rahtak** » Sun Jul 23, 2006 11:57 pm

i'm not sure what problem your talkuing about with the webbase guild profile upload it work fine for me.

and abotu the conf.php, by default it's exacly whats created when i install my roster i'm not quite sure what your refering too as the possible security issue

by **Astina** » Mon Jul 24, 2006 12:32 am

My original config (upon install) contained this....and I also saw it on someone else's site.... like this....I'll even see about getting a screenshot in a min or two and posting it

<SNIP>

Code: Select all: <META NAME="ROBOTS" CONTENT="INDEX, FOLLOW"> <META NAME="REVISIT-AFTER" CONTENT="1 DAYS"> <META NAME="RATING" CONTENT="GENERAL"> <META NAME="GENERATOR" CONTENT="PHP-Nuke Copyright (c) 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL (http://phpnuke.org/files/gpl.txt). PHP-Nuke comes with absolutely no warranty, for details, see the license (http://phpnuke.org/files/gpl.txt). Powered by PHP-Nuke Platinum (http://www.techgfx.com)"> <script language="Javascript" type="text/javascript">  </script> <link rel="alternate" type="application/rss+xml" title="RSS" href="backend.php"> <style type="text/css"> .menuskin{ position:absolute; background-color:#333333; border:1px solid black;

</SNIP>

by **Astina** » Mon Jul 24, 2006 12:43 am

Screenshot, this is what it shows....Important note, keep in mind I "AM" logged out at this point, but it 'shows' that I'm not.

by **Astina** » Mon Jul 24, 2006 12:44 am

in order to even get it to show up this way you have to comment out the includes I mentioned before (like someone asked about in another thread). If not, it shows up window in window type of situation.

by **komsite** » Mon Jul 24, 2006 3:56 pm

My site was the same, deleting the code fixed everything