Message-ID: <4097C936.4030707@libero.it>
Date: Tue, 04 May 2004 18:47:50 +0200
From: Luca Falavigna <fala83@...ero.it>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: PHPNuke admin.php protection code
I created this piece of code to enforce the security of the admin section in
PHPNuke web portals and I realized it works well: just put it in
admin.php above require_once("mainfile.php"); and only logged-in users
who are in the authors table can access the page; the others will be
redirected to index.php.
The code:
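    // Deny by default; access is granted only on a match below.
    $grant_access = FALSE;
    // Decode the user cookie into the global $cookie array.
    cookiedecode($user);
    // Fetch every admin id from the authors table.
    $sql = $db->sql_query("SELECT aid FROM ".$prefix."_authors");
    while($record = $db->sql_fetchrow($sql)) {
        // Compare the name stored in the cookie with each admin id.
        if($cookie[1] == $record['aid']) {
            $grant_access = TRUE;
        }
    }
    // No match: send the visitor back to the front page and stop.
    if(!$grant_access) {
        Header("Location: index.php");
        die();
    }
    // Clean up the temporary variables.
    unset($cookie);
    unset($result);
    unset($sql);
    unset($grant_access);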
If this trick doesn't work properly, please contact me at fala83@...ero.it.
Luca Falavigna
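The check in the message above compares only the name field of the decoded cookie with the aid column. The following is an added example, not part of the original post and not PHP-Nuke code: a stricter gate that also compares the hash field of the cookie and fails closed on malformed input. The cookie layout (base64 of "uid:name:hash"), the md5 hashes, the $authors array and both function names are assumptions made for illustration.

```php
<?php
// Added example, not PHP-Nuke code. Assumptions: cookie = base64("uid:name:hash"),
// and $authors maps an author name to the hash stored for that account.

function decode_user_cookie(string $raw): ?array
{
    $decoded = base64_decode($raw, true);          // strict: reject non-base64 input
    if ($decoded === false) {
        return null;
    }
    $parts = explode(':', $decoded);
    return count($parts) >= 3 ? $parts : null;     // need at least uid, name, hash
}

function is_author(string $raw, array $authors): bool
{
    $cookie = decode_user_cookie($raw);
    if ($cookie === null) {
        return false;                              // fail closed on malformed cookies
    }
    [, $name, $hash] = $cookie;
    if (!isset($authors[$name])) {
        return false;                              // name is not in the authors list
    }
    return hash_equals($authors[$name], $hash);    // constant-time hash comparison
}

// Constructed sample data (md5 is assumed only to mirror the stored format).
$authors = ['editor1' => md5('constructed-secret')];
$cases = [
    'valid cookie'          => base64_encode('2:editor1:' . md5('constructed-secret')),
    // A name-only comparison would accept this cookie; the hash check rejects it.
    'name ok, hash differs' => base64_encode('9:editor1:' . md5('other')),
    'unknown name'          => base64_encode('9:guest:' . md5('constructed-secret')),
    'not base64'            => '%%%',
    'missing fields'        => base64_encode('editor1'),
];

foreach ($cases as $label => $raw) {
    $verdict = is_author($raw, $authors) ? 'allow' : 'redirect to index.php';
    printf("%-22s %s\n", $label, $verdict);
}
```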