Admin Tap XSS Version 3 Patch
Date: Monday, April 26 @ 22:00:16 CEST
Topic: Security


I'm incorporating some of my previous XSS patches into one, now known as Admin Tap. The most current is talked about here. Version three allows admins to make use of the admin block links from outside the admin CP. Simply install this into your admin.php after the opening PHP tag.

//Admin Tap
//Security XSS Prevention by Zhen-Xjell @ http://NukeCops.com
//Nuke Cops: Official PHP-Nuke Development Team
//Version 3: 26 Apr 2004

//Unsets used to help sites with register_globals on.
unset($refer);
unset($argv);
unset($checkurl);

//Variable assignments (empty defaults when the server does not supply a value)
$refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : array();
$checkurl = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

//Check how admin.php applications are accessed.
//Used to prevent XSS hacks like those found in the bbcode IMG tags.
// http://nukecops.com/article1797.html
if (isset($argv[0]) && $argv[0] != "") {
    if (!preg_match("/op=gfx/", $argv[0])) {
        if (!preg_match("/op=submission/", $argv[0]) && !preg_match("/op=downloads/", $argv[0])) {
            //All other admin operations must be requested from an admin.php page.
            if (!preg_match("/admin\.php/", $refer)) {
                //The Referer header is client-supplied, so escape it before output.
                echo "<BR>" . htmlspecialchars($refer, ENT_QUOTES) . "<BR><a href=\"http://nukecops.com\">Nuke Cops Slaps You Silly</a>";
                exit;
            }
        }
    }
}

// http://www.nukecops.com/article-1793--0-0.html
// http://www.nukecops.com/article810.html
//Some of these are more redundant at this point than anything else.
//The "?" is escaped so it is matched literally instead of being read as a quantifier.
if (preg_match("/\?admin/", $checkurl)) {
    echo "<a href=\"http://nukecops.com\">Nuke Cops Slaps You Silly</a>";
    exit;
}
if (preg_match("/AddAuthor/", $checkurl)) {
    echo "<a href=\"http://nukecops.com\">Nuke Cops Slaps You Silly</a>";
    exit;
}
if (preg_match("/UpdateAuthor/", $checkurl)) {
    echo "<a href=\"http://nukecops.com\">Nuke Cops Slaps You Silly</a>";
    exit;
}
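
The referer test in the patch accepts any Referer header that contains the string admin.php anywhere in it. The following is an added example, not part of the Admin Tap patch or of PHP-Nuke: a stricter test that parses the header and compares host and path. The function name admin_tap_referer_ok, the $siteHost parameter and the example.com hosts are assumptions made for illustration.

```php
<?php
// Added example (not part of the original patch): host-anchored Referer check.
// Assumption: $siteHost is the canonical host name the site is served from.

function admin_tap_referer_ok($referer, $siteHost, $adminScript = '/admin.php')
{
    // A missing or empty Referer is treated the same as an off-site one.
    if (!is_string($referer) || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host']) || empty($parts['path'])) {
        return false;
    }
    // The host must equal the site host exactly (case-insensitive),
    // so a longer host name that merely starts with it is rejected.
    if (strcasecmp($parts['host'], $siteHost) !== 0) {
        return false;
    }
    // The path must end in the admin script; the query string is ignored,
    // so "admin.php" appearing as a parameter value does not count.
    return substr($parts['path'], -strlen($adminScript)) === $adminScript;
}

// Constructed sample Referer values mapped to the expected decision.
$samples = array(
    'http://www.example.com/admin.php?op=mod_authors'            => true,
    'http://www.example.com/nuke/admin.php'                      => true,
    'http://www.example.com/modules.php?name=Forums&x=admin.php' => false,
    'http://www.example.com.other.example/admin.php'             => false,
    'http://other.example/admin.php'                             => false,
    ''                                                           => false,
);

foreach ($samples as $ref => $expected) {
    $got = admin_tap_referer_ok($ref, 'www.example.com');
    printf(
        "%-62s %-6s %s\n",
        $ref === '' ? '(empty)' : $ref,
        $got ? 'allow' : 'block',
        $got === $expected ? 'as expected' : 'MISMATCH'
    );
}
```

In the patch this would stand in for the preg_match("/admin\.php/", $refer) test only; the op=gfx, op=submission and op=downloads exemptions stay as they are.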






This article comes from NukeCops
http://www.nukecops.com

The URL for this story is:
http://www.nukecops.com/modules.php?name=News&file=article&sid=1997