Date: Tue, 04 May 2004 18:47:50 +0200
From: Luca Falavigna <fala83@...ero.it>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: PHPNuke admin.php protection code



I created this piece of code to enforce the security of the admin section in
PHPNuke web portals and I realized it works well: just put it in
admin.php above require_once("mainfile.php"); and only logged-in users
who are in the authors table can access the page; the others will be
redirected to index.php.

The code:

$grant_access = FALSE;
// cookiedecode(), $db and $prefix are PHP-Nuke helpers/globals from mainfile.php;
// cookiedecode() fills the global $cookie array from the "user" cookie, $cookie[1] is the user name.
cookiedecode($user);
$sql = $db->sql_query("SELECT aid FROM ".$prefix."_authors");
while($record = $db->sql_fetchrow($sql)) {
  if($cookie[1]==$record['aid'])   // key must be quoted: bare aid is an undefined constant
    $grant_access = TRUE;
}
if(!$grant_access) {
  Header("Location: index.php");
  die();
}
unset($cookie);
unset($sql);
unset($grant_access);

If this trick doesn't work properly, please contact me at fala83@...ero.it.

			Luca Falavigna

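The same authors-table gate written as a single parameterised lookup, added here as an example and not part of the original post or of PHP-Nuke. It assumes PHP-Nuke's "user" cookie is a base64 string of colon-separated fields with the user name at index 1, an authors table named "<prefix>_authors" with an "aid" column, and a PDO connection in place of PHP-Nuke's $db object (PHP 7 or later).

```php
<?php
// Added example, not PHP-Nuke code. Assumes: "user" cookie = base64("uid:username:..."),
// table "<prefix>_authors" with column "aid", and a PDO handle instead of PHP-Nuke's $db.

function nuke_cookie_username(?string $rawCookie): ?string
{
    if ($rawCookie === null || $rawCookie === '') {
        return null;
    }
    // Strict mode: anything that is not valid base64 is rejected instead of partially decoded.
    $decoded = base64_decode($rawCookie, true);
    if ($decoded === false) {
        return null;
    }
    $fields = explode(':', $decoded);   // mirrors cookiedecode(): field 1 is the user name
    return (isset($fields[1]) && $fields[1] !== '') ? $fields[1] : null;
}

function is_listed_author(PDO $pdo, string $prefix, ?string $username): bool
{
    if ($username === null) {
        return false;
    }
    // The prefix comes from the site config, not the request; still restrict it to identifier
    // characters because a table name cannot be bound as a parameter.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        return false;
    }
    // One indexed lookup instead of iterating every author row; the user name is bound, never
    // interpolated. Case-sensitivity of the match follows the column's collation.
    $stmt = $pdo->prepare("SELECT 1 FROM {$prefix}_authors WHERE aid = ? LIMIT 1");
    $stmt->execute([$username]);
    return $stmt->fetchColumn() !== false;
}

// Gate at the point where the original snippet goes: anyone whose cookie does not name a
// listed author is sent to index.php. The regular admin login in admin.php still applies after it.
function require_author_or_redirect(PDO $pdo, string $prefix): void
{
    $username = nuke_cookie_username($_COOKIE['user'] ?? null);
    if (!is_listed_author($pdo, $prefix, $username)) {
        header('Location: index.php');
        exit;
    }
}
```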
