[Full-Disclosure] PHPNuke admin.php protection code
- To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] PHPNuke admin.php protection code
- From: Luca Falavigna <fala83@xxxxxxxxx>
- Date: Tue, 04 May 2004 18:47:50 +0200
I created this piece of code to enforce the security of the admin section in
PHPNuke web portals and I realized it works well: just put it in
admin.php above require_once("mainfile.php"); and only logged-in users
who are in the authors table can access the page; the others will be
redirected to index.php.
The code:
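// Deny by default; access is granted only on a match below.
$grant_access = FALSE;
// cookiedecode() is expected to populate $cookie from the user cookie.
cookiedecode($user);
// Fetch every admin id from the authors table.
$sql = $db->sql_query("SELECT aid FROM ".$prefix."_authors");
while($record = $db->sql_fetchrow($sql)) {
    // $cookie[1] holds the logged-in username; 'aid' is quoted as an array key.
    if($cookie[1]==$record['aid'])
        $grant_access = TRUE;
}
if(!$grant_access) {
    // Not in the authors table: send the visitor to index.php and stop.
    Header("Location: index.php");
    die();
}
// Clean up the temporary variables before the rest of admin.php runs.
unset($cookie);
unset($result);
unset($sql);
unset($grant_access);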
If this trick doesn't work properly, please contact me at fala83@xxxxxxxxxx
Luca Falavigna
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
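
Added example, not part of the original post and not PHPNuke code: the name-matching step of the gate above as a stand-alone function that denies by default, rejects malformed cookies, and compares strictly. The cookie layout base64("uid:username:hash"), the function names and the sample data are assumptions made for illustration; credential verification is outside this example.

```php
<?php
// Added example. Assumed cookie layout: base64("uid:username:hash").

/** Return the username field of a user cookie, or null if it is malformed. */
function cookie_username(string $rawCookie): ?string
{
    $decoded = base64_decode($rawCookie, true);   // strict mode rejects non-base64 input
    if ($decoded === false) {
        return null;
    }
    $fields = explode(':', $decoded);
    if (count($fields) < 3 || $fields[1] === '') {
        return null;                              // too few fields or empty name
    }
    return $fields[1];
}

/** True only when the cookie's username is byte-for-byte one of the admin ids. */
function is_listed_admin(?string $rawCookie, array $adminIds): bool
{
    if ($rawCookie === null) {
        return false;                             // no cookie: deny
    }
    $name = cookie_username($rawCookie);
    // Third argument true = strict (===) matching. Loose == compares two
    // numeric strings as numbers, so different spellings of a number match.
    return $name !== null && in_array($name, $adminIds, true);
}

// Constructed sample data standing in for the rows of the authors table.
$adminIds = ['admin', '1000'];

// Constructed cookies covering the allow path and each deny path.
$cases = [
    'listed admin'       => base64_encode('2:admin:constructed-hash'),
    'ordinary user'      => base64_encode('7:guest:constructed-hash'),
    'numeric look-alike' => base64_encode('9:1e3:constructed-hash'),
    'not base64'         => '%%%',
    'missing cookie'     => null,
];

foreach ($cases as $label => $cookie) {
    $verdict = is_listed_admin($cookie, $adminIds) ? 'allow' : 'redirect';
    printf("%-20s %s\n", $label, $verdict);
}
```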